The threat actor tracked as EncryptHub has been observed exploiting a recently patched Microsoft Windows vulnerability as a zero-day to deploy a range of malicious software. The payloads include information stealers such as Rhadamanthys and StealC as well as conventional backdoors, which has drawn considerable attention from security professionals.
The attack strategy employed by EncryptHub involves the manipulation of Microsoft Management Console (.msc) files and the Multilingual User Interface Path (MUIPath) to facilitate the download and execution of harmful payloads. This approach not only maintains persistent access to compromised systems but also enables the exfiltration of sensitive data, as highlighted by Trend Micro researcher Aliakbar Zahravi in his detailed analysis of the incident.
The vulnerability in question, CVE-2025-26633, carries a CVSS score of 7.0. Microsoft describes it as an improper neutralization vulnerability in the MMC framework that could allow a local security feature bypass. The flaw was fixed in the Patch Tuesday update released earlier this month, underscoring the urgency of applying security updates promptly.
Trend Micro has categorized the exploit under the name MSC EvilTwin, associating it with a suspected group of Russian cyber actors labeled Water Gamayun. EncryptHub, which has been under scrutiny in analyses conducted by firms such as PRODAFT and Outpost24, is also referenced by its alternate identifier, LARVA-208.
Exploitation of CVE-2025-26633 abuses MMC to run malicious .msc files through a purpose-built PowerShell loader that Trend Micro calls the MSC EvilTwin loader. The attacker creates two .msc files with the same name: one is benign, while its malicious twin is placed in a subdirectory named “en-US.” When the clean file is opened, MMC's handling of MUIPath causes the malicious copy to be loaded instead.
Zahravi explains that the attackers abuse the way MUIPath is used to load malicious files in the guise of genuine ones, executing them without the user's knowledge. The technique combines an initial access vector with a persistence mechanism, a pairing typical of advanced threat actors.
EncryptHub has also used other .msc-based methods to deliver payloads. One uses the ExecuteShellCommand feature of MMC to download payloads directly onto the victim's machine, a tactic documented in earlier reports. Another drops malicious files into “mock trusted directories,” such as a deliberately named “C:\Windows \System32” (note the space after “Windows”), to bypass User Account Control (UAC) and install further malware silently.
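As an added illustration (not code from the Trend Micro report or this article), the following Python audit walks a directory tree looking for the two on-disk layouts described above: an .msc file shadowed by a same-named file in an adjacent en-US folder, and a directory whose trusted-looking name carries trailing whitespace. The sample tree and the file name console.msc are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def find_msc_twins(root):
    """Return (original, twin) pairs: an .msc file whose directory also holds
    an en-US subfolder containing a file with exactly the same name."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".msc"):
                continue
            twin = Path(dirpath) / "en-US" / name
            if twin.is_file():
                hits.append((str(Path(dirpath) / name), str(twin)))
    return sorted(hits)


def find_mock_trusted_dirs(root, trusted=("windows", "system32")):
    """Return directories whose name matches a trusted folder name only
    after trailing whitespace is stripped (e.g. 'Windows ' with a space)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d != d.rstrip() and d.rstrip().lower() in trusted:
                hits.append(str(Path(dirpath) / d))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample layout (placeholder contents, not real artefacts)."""
    root = Path(tempfile.mkdtemp())
    (root / "en-US").mkdir()
    (root / "console.msc").write_text("benign placeholder")
    (root / "en-US" / "console.msc").write_text("twin placeholder")
    (root / "Windows " / "System32").mkdir(parents=True)  # trailing space
    (root / "Windows" / "System32").mkdir(parents=True)   # legitimate-looking
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for orig, twin in find_msc_twins(sample):
        print(f"EvilTwin layout: {orig} shadowed by {twin}")
    for d in find_mock_trusted_dirs(sample):
        print(f"Mock trusted directory: {d!r}")
```

Run it against a real volume by replacing the sample root with the path to scan; a hit is a lead for investigation, not proof of compromise on its own.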
Dustin Childs, Head of Threat Awareness at Trend Micro’s Zero Day Initiative, noted that EncryptHub has crafted several distinct malware variants, among them EncryptHub Stealer, alongside two identified backdoors known as DarkWisp and SilentPrism. All of these components have been grouped under the overarching name EncryptRAT by Outpost24.
The initial stage of attacks leveraging this flaw may involve users downloading seemingly legitimate, digitally signed Microsoft installer (MSI) files that mimic popular Chinese applications such as DingTalk or QQTalk. These installers fetch and execute the malicious loader from remote servers. EncryptHub is reported to have been refining these tactics since April 2024.
In summary, the campaign combines evolving delivery methods with custom payloads designed to establish persistence, collect sensitive information, and send it to the attackers' command-and-control servers. Timely patching and layered defences remain the most direct countermeasures against such persistent threats.