The cyberthreat landscape continues to evolve as malicious actors develop increasingly sophisticated attack methods, with the EncryptHub threat group emerging as a particularly concerning adversary.
This emerging threat actor, also known as LARVA-208 and Water Gamayun, has been making headlines for its aggressive campaigns targeting Web3 developers and abusing legitimate platforms to deliver malicious payloads.
Recent reports indicate that 618 organizations worldwide have fallen victim to EncryptHub’s network compromises as of February 2025.
The group’s latest campaign represents a dangerous fusion of social engineering tactics and technical exploitation, specifically targeting the Microsoft Management Console through the CVE-2025-26633 vulnerability, dubbed MSC EvilTwin.
This vulnerability allows attackers to execute malicious MSC files by placing them in strategic directory locations, effectively hijacking legitimate system processes.
The attack begins with threat actors impersonating IT support staff, establishing Microsoft Teams connections with victims, and subsequently deploying malicious payloads to compromised systems.
Trustwave analysts identified this sophisticated campaign during their ongoing threat research activities, uncovering a multi-stage attack chain that combines social engineering with platform abuse.
Attack chain (Source – Trustwave)
The researchers observed attackers executing PowerShell commands to retrieve initial payloads, followed by the deployment of specialized tools designed to maintain persistent access and exfiltrate sensitive information.
What makes this campaign particularly noteworthy is the group’s innovative abuse of the Brave Support platform, a legitimate service associated with the Brave browser, to host and distribute malicious content.
The attack methodology demonstrates EncryptHub’s commitment to blending legitimate services with malicious intent, making detection significantly more challenging for traditional security solutions.
By leveraging trusted platforms like Brave Support, the group can bypass many security filters that would typically flag suspicious download sources.
This approach highlights a growing trend among cybercriminals who increasingly exploit the trust associated with legitimate platforms to facilitate their malicious activities.
Analysis of the MSC EvilTwin Exploitation
The core of EncryptHub’s attack relies on exploiting the CVE-2025-26633 vulnerability through a sophisticated file placement technique.
When victims execute the initial PowerShell command, the malware downloads and executes runner.ps1, which serves as the primary deployment mechanism for the MSC exploitation framework.
The runner.ps1 script implements a clever directory manipulation technique by creating two MSC files with identical names but placing them in different locations.
The legitimate file resides in the standard system directory, while the malicious version is strategically positioned in the MUIPath directory, specifically within the en-US folder.
This placement exploits the MSC EvilTwin vulnerability’s file loading behavior, where mmc.exe prioritizes files found in the MUIPath directory over those in standard locations.
During execution, the script dynamically modifies the malicious MSC file by replacing the “htmlLoaderUrl” placeholder with EncryptHub’s command-and-control URL.
This modification enables the MSC file to retrieve and execute subsequent payloads directly from the attacker’s infrastructure.
The process effectively transforms a legitimate system utility into a conduit for malicious code execution, demonstrating the group’s sophisticated understanding of Windows system internals and their ability to weaponize standard administrative tools for malicious purposes.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
