Microsoft recently acknowledged an individual operating under the EncryptHub alias for uncovering and reporting two significant security vulnerabilities in Windows. This acknowledgment depicts a complex profile of a person straddling a legitimate cybersecurity career while engaging in cybercriminal activities.

According to a detailed analysis by Outpost24 KrakenLabs, the individual behind EncryptHub, who fled Kharkov, Ukraine, nearly a decade ago, is now believed to reside close to the Romanian coast. The two vulnerabilities were reported under the alias “SkorikARI,” a name linked to EncryptHub, and both were addressed in Microsoft’s recent Patch Tuesday update.

The flaws identified are CVE-2025-24061 (CVSS score: 7.8), a security feature bypass within Windows Mark-of-the-Web, and CVE-2025-24071 (CVSS score: 6.5), which allows file explorer spoofing. EncryptHub, also referred to as LARVA-208 and Water Gamayun, previously gained attention in mid-2024 for a campaign that utilized a fake WinRAR site to spread malware hosted on a GitHub repository named “encrypthub.”

In recent developments, EncryptHub has been linked to exploiting a zero-day vulnerability in Microsoft Management Console, identified as CVE-2025-26633, which enabled the deployment of information stealers and backdoors. This campaign has reportedly compromised over 618 high-value targets across various sectors in the nine months leading up to fall 2025, according to cybersecurity firm PRODAFT.

Lidia Lopez, a Senior Threat Intelligence Analyst at Outpost24, indicated that the evidence suggests the actions of a singular individual, although potential collaboration with other actors cannot be completely ruled out. One instance showing administrative privileges on a monitored Telegram channel hints at possible outside assistance.

The individual maintained a discreet profile while likely pursuing self-directed studies in computer science. However, their cyber activities dwindled notably at the start of the Russo-Ukrainian conflict in early 2022, with indications they may have briefly faced incarceration during that period. Following their release, they attempted to pivot to web and app development, establishing a freelance presence, although financial difficulties led them back into cybercrime in early 2024.

One of EncryptHub’s initial forays into cybercrime was with a malware dubbed Fickle Stealer, which made its debut in June 2024. This malware, constructed using Rust, was reported to bypass sophisticated antivirus solutions. A recent discussion with a security researcher revealed that EncryptHub leverages tools like OpenAI’s ChatGPT for malware development as well as for translating communications.

As highlighted by Lopez, the case of EncryptHub underscores how operational security failures expose cybercriminals. Despite some level of technical talent, fundamental errors—such as password reuse, exposed infrastructure, and a fusion of personal and criminal activities—ultimately contributed to their exposure.
