EncryptHub Exploits MSC EvilTwin Vulnerability

The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads.

Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.

"These activities are part of a broad, ongoing wave of malicious activity that blends social engineering with technical exploitation to bypass security defenses and gain control over internal environments," Trustwave researchers Nathaniel Morales and Nikita Kazymirskyi said.

EncryptHub, also tracked as LARVA-208 and Water Gamayun, is a Russian hacking group that first gained prominence in mid-2024. Operating at a high tempo, the financially motivated crew is known for leveraging several methods, including fake job offers, portfolio reviews, and even compromised Steam games, to infect targets with stealer malware.

Trend Micro previously documented the threat actor's abuse of CVE-2025-26633 in March 2025, uncovering attacks that deliver two backdoors called SilentPrism and DarkWisp.

The latest attack sequence involves the threat actor claiming to be from the IT department and sending a Microsoft Teams request to the target with the goal of initiating a remote connection and deploying secondary payloads by means of PowerShell commands.

Among the files dropped are two MSC files with the same name, one benign and the other malicious. The pair is used to trigger CVE-2025-26633, which results in the rogue MSC file being executed when its innocuous counterpart is launched.
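
A defender-side check for the same-name pattern described above, as an added example that is not from Trustwave or the original article: it flags `.msc` file names that occur more than once under a directory tree with differing content. The function names and the sample tree are assumptions made for illustration, and the sample files are constructed placeholders.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def find_msc_twins(root):
    """Return {lowercased name: sorted paths} for .msc file names that occur
    more than once under root with differing content."""
    by_name = defaultdict(list)
    for path in Path(root).rglob("*"):
        # Match the extension case-insensitively, as Windows does.
        if path.is_file() and path.suffix.lower() == ".msc":
            by_name[path.name.lower()].append(path)
    twins = {}
    for name, paths in by_name.items():
        # .msc files are small XML documents, so read each one whole.
        hashes = {hashlib.sha256(p.read_bytes()).hexdigest() for p in paths}
        # Same name, different bytes: the pattern worth a closer look.
        if len(paths) > 1 and len(hashes) > 1:
            twins[name] = sorted(str(p) for p in paths)
    return twins


def build_sample_tree(root):
    """Constructed sample data: harmless placeholder files, not real snap-ins."""
    layout = {
        "tools/Example.msc": b"<MMC_ConsoleFile>placeholder A</MMC_ConsoleFile>",
        "tools/sub/example.msc": b"<MMC_ConsoleFile>placeholder B</MMC_ConsoleFile>",
        "admin/Other.msc": b"<MMC_ConsoleFile>identical</MMC_ConsoleFile>",
        "backup/Other.msc": b"<MMC_ConsoleFile>identical</MMC_ConsoleFile>",
        "admin/Single.msc": b"<MMC_ConsoleFile>only copy</MMC_ConsoleFile>",
    }
    for rel, data in layout.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, paths in find_msc_twins(tmp).items():
            print(name, "->", paths)
```

Identical copies of a console file are skipped, so only names with diverging content are reported for review.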

The MSC file, for its part, fetches and executes from an external server another PowerShell script that collects system information, establishes persistence on the host, and communicates with an EncryptHub command-and-control (C2) server to receive and run malicious payloads, including a stealer called Fickle Stealer.

"The script receives AES-encrypted commands from the attacker, decrypts them, and runs the payloads directly on the infected machine," the researchers said.

Also deployed by the threat actor over the course of the attack is a Go-based loader codenamed SilentCrystal, which abuses Brave Support, a legitimate platform associated with the Brave web browser, to host next-stage malware – a ZIP archive containing the two MSC files to weaponize CVE-2025-26633.

What makes this significant is that uploading file attachments on the Brave Support platform is restricted for new users, indicating that the attackers somehow managed to obtain unauthorized access to an account with upload permissions to pull off the scheme.

Some of the other tools deployed include a Golang backdoor that operates in both client and server mode to send system metadata to the C2 server, as well as set up C2 infrastructure by making use of the SOCKS5 proxy tunneling protocol.

There is also evidence that the threat actors are continuing to rely on videoconferencing lures, this time setting up phony platforms like RivaTalk to deceive victims into downloading an MSI installer.

Running the installer delivers several files, among them the legitimate Early Launch Anti-Malware (ELAM) installer binary from Symantec, which is used to sideload a malicious DLL. The DLL, in turn, launches a PowerShell command to download and run another PowerShell script.

The script is engineered to gather system information, exfiltrate it to the C2 server, and await encrypted PowerShell instructions that are decoded and executed to give attackers full control of the system. The malware also displays a fake "System Configuration" pop-up message as a ruse, while launching a background job to generate fake browser traffic by making HTTP requests to popular websites so as to blend C2 communications with normal network activity.

"The EncryptHub threat actor represents a well-resourced and adaptive adversary, combining social engineering, abuse of trusted platforms, and the exploitation of system vulnerabilities to maintain persistence and control," Trustwave said.

"Their use of fake video conferencing platforms, encrypted command structures, and evolving malware toolsets underscores the importance of layered defense strategies, ongoing threat intelligence, and user awareness training."