A cyber threat actor, EncryptHub, has been linked to recent Windows zero-day attacks, exploiting a critical Microsoft Management Console (MMC) vulnerability that Microsoft patched this month.

The flaw, tracked as CVE-2025-26633 and dubbed “MSC EvilTwin,” was discovered by Trend Micro researcher Aliakbar Zahravi. It exists in how Microsoft Saved Console (MSC) files are handled, allowing attackers to bypass Windows security protections and execute malicious code without warning users.

Hackers can leverage this vulnerability to evade file reputation checks and trick users into opening malicious MSC files. Microsoft warns that attackers could exploit the flaw through phishing emails containing a specially crafted file or by hosting the malicious file on a compromised website. Once opened, the file enables hackers to execute commands, steal sensitive data, and maintain persistence on infected devices.

Trend Micro researchers discovered that EncryptHub, also known as Water Gamayun or Larva-208, had already been exploiting CVE-2025-26633 before Microsoft was notified. The group used the zero-day to execute malicious payloads such as EncryptHub Stealer, DarkWisp Backdoor, SilentPrism Backdoor, Stealc, Rhadamanthys Stealer, and the PowerShell-based MSC EvilTwin trojan loader. The attack method involves manipulating .MSC files and the Multilingual User Interface Path (MUIPath) to deploy malware and extract sensitive information. Researchers also found evidence that EncryptHub had been testing an early version of this exploit in an attack dating back to April 2024.

EncryptHub has been linked to breaches affecting at least 618 organizations worldwide. The group uses spear-phishing and social engineering tactics to gain access to corporate networks. The group is also associated with ransomware operations, deploying payloads that encrypt victims’ files after data theft. It is believed to operate as an affiliate of the RansomHub and BlackSuit ransomware gangs.
