296/68 Monday, August 18, 2025

Researchers from Trustwave SpiderLabs have issued a warning about a new attack campaign by the threat group EncryptHub (also tracked as LARVA-208 or Water Gamayun). The group is combining CVE-2025-26633, nicknamed "MSC EvilTwin," a flaw in Microsoft Management Console (MMC), with social engineering to distribute malware. Attackers trick victims into opening crafted .msc (management console snap-in) files; when mmc.exe opens such a file it ends up loading an attacker-controlled twin and executing the attacker's commands in the user's context, sidestepping the protections Windows would normally apply. Microsoft has released a patch, but active exploitation has been observed across organizations worldwide.
The campaign begins with attackers posing as IT support staff and contacting users through Microsoft Teams, convincing them to run a PowerShell script that downloads runner.ps1. That script drops two .msc files with the same name, one in a directory and one in that directory's localized en-US subfolder; the MSC EvilTwin flaw causes mmc.exe to load the malicious copy from the en-US path instead of the legitimate one. It then retrieves and executes build.ps1, a script that steals information, establishes persistence, and talks to a command-and-control (C2) server using AES-encrypted commands. The campaign also deploys the Fickle Stealer malware.
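The file layout that MSC EvilTwin depends on (a .msc in an en-US subfolder shadowing a same-named .msc in the parent directory) is a concrete thing a defender can hunt for. The script below is an added example written for this page, not Trustwave's or Microsoft's code; it runs over constructed Sysmon-style file-creation records (the sample paths, the WmiMgmt.msc name and the trailing-space "mock trusted directory" check are assumptions for illustration, not indicators taken from the report) and reports twin pairs, .msc files written by scripting hosts, and directory names padded with whitespace.

```python
"""Hunt for the MSC EvilTwin (CVE-2025-26633) file layout in file telemetry.

The technique drops two .msc files with the same name: one in a directory
and a malicious twin in that directory's `en-US` subfolder, which mmc.exe's
localized (MUI) path lookup loads instead of the original. The functions
below take plain path strings (from a disk walk or from file-creation
events such as Sysmon Event ID 11) so they can run offline.
"""
from pathlib import PureWindowsPath

# Locale folder observed in public reporting; other locales are an assumption.
LOCALE_DIRS = {"en-us"}

# Scripting hosts that should not normally be writing .msc files.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry (not real logs): Image = writing process,
# TargetFilename = file created.
SAMPLE_FILE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\WmiMgmt.msc"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\en-US\WmiMgmt.msc"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows \System32\WmiMgmt.msc"},  # note trailing space
    {"Image": r"C:\Windows\System32\mmc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\custom.msc"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
]


def find_eviltwin_pairs(paths):
    """Return sorted (original, twin) tuples where twin is <dir>\\<locale>\\<name>.msc
    and original is <dir>\\<name>.msc. Matching is case-insensitive, as on NTFS."""
    seen = {}
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".msc":
            seen[str(wp).lower()] = str(wp)
    pairs = []
    for original in seen.values():
        wp = PureWindowsPath(original)
        if wp.parent.name.lower() in LOCALE_DIRS:
            shadowed = str(wp.parent.parent / wp.name).lower()
            if shadowed in seen:
                pairs.append((seen[shadowed], original))
    return sorted(pairs)


def script_dropped_msc(events):
    """.msc files created by a scripting host (the runner.ps1 stage of the chain)."""
    hits = []
    for ev in events:
        image = PureWindowsPath(ev["Image"]).name.lower()
        target = PureWindowsPath(ev["TargetFilename"])
        if image in SCRIPT_HOSTS and target.suffix.lower() == ".msc":
            hits.append(str(target))
    return hits


def mock_trusted_dirs(paths):
    """Paths with a whitespace-padded component, e.g. 'C:\\Windows \\System32',
    a look-alike of a trusted folder (heuristic; assumption for this example)."""
    return [p for p in paths
            if any(part != part.strip() for part in PureWindowsPath(p).parts)]


def triage(events):
    """Run all three checks over file-creation events and return the findings."""
    paths = [ev["TargetFilename"] for ev in events]
    return {
        "eviltwin_pairs": find_eviltwin_pairs(paths),
        "script_dropped_msc": script_dropped_msc(events),
        "mock_trusted_dirs": mock_trusted_dirs(paths),
    }


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_FILE_EVENTS).items():
        print(kind)
        for f in findings:
            print("   ", f)
```

None of these checks is proof of compromise on its own: administrators do create custom .msc files, and some deployment scripts write them. The twin pair in a user-writable directory is the strongest signal; the other two are context that raises or lowers confidence.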
EncryptHub has also built new tooling. SilentCrystal is a loader written in Go that abuses the Brave Support platform as a payload host and creates look-alike Windows folders to evade detection. Another component is a Go SOCKS5 backdoor that exfiltrates data via Telegram and supports TLS-encrypted C2 communications. The group also set up a fake video-conferencing platform named RivaTalk as a decoy for malware distribution; its installer loads the malware through DLL side-loading against legitimate, signed Symantec executables.
Experts warn that EncryptHub is a sophisticated and well-resourced threat. Organizations are urged to apply the latest security patches (including the fix for CVE-2025-26633), monitor for unusual behavior such as mmc.exe launched from scripts or user-writable paths, implement multi-layered defenses, and run user-awareness training so staff recognize social engineering, in particular unsolicited "IT support" contact over Teams.