The cyber threat landscape has been significantly impacted by the activities of EncryptHub, a Russian hacking group also known as LARVA-208 and Water Gamayun. Since mid-2024, this financially motivated collective has been orchestrating sophisticated attacks that blend social engineering tactics with technical exploits to infiltrate and control internal systems.
Exploitation of CVE-2025-26633:
A central component of EncryptHub’s strategy is the exploitation of a now-patched vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633 and colloquially termed MSC EvilTwin. This flaw allows attackers to bypass security features and execute malicious code via manipulated Microsoft Console (MSC) files. Trustwave SpiderLabs recently observed EncryptHub leveraging this vulnerability to deploy a stealer malware known as Fickle Stealer.
Attack Methodology:
The group’s attack sequence typically unfolds as follows:
1. Impersonation and Initial Contact: Attackers pose as IT department personnel and initiate contact with targets through Microsoft Teams. This approach aims to establish trust and facilitate the next phase of the attack.
2. Deployment of Malicious MSC Files: Once communication is established, the attackers deploy two MSC files bearing identical names—one benign and the other malicious. This setup exploits the MSC EvilTwin vulnerability, causing the malicious file to execute when the benign one is launched.
3. Execution of Malicious Scripts: The rogue MSC file retrieves and executes a PowerShell script from an external server. This script performs several functions:
– System Information Collection: Gathers detailed information about the infected system.
– Persistence Establishment: Ensures the malware remains active on the host system.
– Command-and-Control Communication: Connects to EncryptHub’s command-and-control (C2) server to receive and execute additional malicious payloads, including Fickle Stealer.
Technical Details of Fickle Stealer:
Fickle Stealer is designed to extract sensitive data from compromised systems. The PowerShell script facilitating its deployment receives AES-encrypted commands from the attackers, decrypts them, and executes the payloads directly on the infected machine. This method enhances the malware’s stealth and effectiveness.
Use of SilentCrystal Loader:
In addition to Fickle Stealer, EncryptHub employs a Go-based loader named SilentCrystal. This loader exploits Brave Support, a legitimate platform associated with the Brave web browser, to host next-stage malware. Notably, uploading file attachments on Brave Support is restricted for new users, suggesting that the attackers obtained unauthorized access to an account with upload permissions to execute this scheme.
Additional Tools and Techniques:
EncryptHub’s arsenal includes a Golang backdoor capable of operating in both client and server modes. This backdoor sends system metadata to the C2 server and establishes C2 infrastructure using the SOCKS5 proxy tunneling protocol. Furthermore, the group continues to employ videoconferencing lures, creating fake platforms like RivaTalk to deceive victims into downloading malicious MSI installers.
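Because the backdoor tunnels its C2 over SOCKS5, a session on an unexpected port can be confirmed as a proxy channel by decoding the RFC 1928 handshake from captured payloads. The decoder below is an added example written for this page, not code from the article or from any vendor; the sample flow it checks is constructed, and the destination name in it is a placeholder.

```python
"""
Added example: minimal SOCKS5 (RFC 1928) handshake decoder for captured
TCP payloads. Recovers the negotiated auth methods and the requested
command/destination so an analyst can confirm a tunnel and see where it points.
"""
import ipaddress
import struct

CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

def parse_greeting(data: bytes):
    """Client greeting: VER=0x05, NMETHODS, METHODS[]. Returns method list or None."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if n == 0 or len(data) != 2 + n:
        return None
    return list(data[2:])

def parse_request(data: bytes):
    """Client request: VER, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT. Returns dict or None."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    body = data[4:]
    if atyp == 0x01:                       # IPv4: 4 address bytes + 2 port bytes
        if len(body) != 6:
            return None
        host, rest = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == 0x03:                     # domain: 1 length byte + name + 2 port bytes
        if not body or len(body) != 1 + body[0] + 2:
            return None
        host, rest = body[1:1 + body[0]].decode("ascii", "replace"), body[1 + body[0]:]
    elif atyp == 0x04:                     # IPv6: 16 address bytes + 2 port bytes
        if len(body) != 18:
            return None
        host, rest = str(ipaddress.IPv6Address(body[:16])), body[16:]
    else:
        return None
    port = struct.unpack("!H", rest)[0]
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}

def detect_socks5(flow):
    """
    flow: ordered list of (direction, payload), direction "c2s" or "s2c".
    Returns a finding when the first client payload is a SOCKS5 greeting, the
    server accepts a method, and the next client payload is a valid request.
    """
    client = [p for d, p in flow if d == "c2s"]
    server = [p for d, p in flow if d == "s2c"]
    if len(client) < 2 or not server:
        return None
    methods = parse_greeting(client[0])
    if methods is None:
        return None
    # Server method selection: VER=0x05, METHOD; 0xFF means no acceptable method.
    if len(server[0]) != 2 or server[0][0] != 0x05 or server[0][1] == 0xFF:
        return None
    req = parse_request(client[1])
    if req is None:
        return None
    return {"auth_methods": methods, **req}

# Constructed sample flow: no-auth greeting, then CONNECT to a placeholder domain on 443.
SAMPLE_FLOW = [
    ("c2s", bytes([0x05, 0x01, 0x00])),
    ("s2c", bytes([0x05, 0x00])),
    ("c2s", bytes([0x05, 0x01, 0x00, 0x03, 15]) + b"c2.example.test" + struct.pack("!H", 443)),
    ("s2c", bytes([0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0])),
]

if __name__ == "__main__":
    print(detect_socks5(SAMPLE_FLOW))
```

A `BIND` or `UDP_ASSOCIATE` request, or a SOCKS5 negotiation on a port where no proxy is sanctioned, is the kind of result worth alerting on; the decoder only reports what the bytes say, so pair it with an allow-list of approved proxy endpoints.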
Implications and Recommendations:
The activities of EncryptHub underscore the evolving nature of cyber threats, where attackers combine social engineering with technical exploits to achieve their objectives. Organizations are advised to implement layered defense strategies, stay informed through ongoing threat intelligence, and conduct regular user awareness training to mitigate such sophisticated attacks.