
Newly emergent threat actor EncryptHub, also known as Larva-208 or Water Gamayun, has targeted Windows systems in intrusions leveraging the recently patched Microsoft Management Console zero-day vulnerability, tracked as CVE-2025-26633, reports BleepingComputer.
Exploitation of the flaw, also dubbed MSC EvilTwin, via manipulated .msc files and the Multilingual User Interface Path allowed EncryptHub to deploy several malicious payloads, including the PowerShell-based MSC EvilTwin trojan loader; the EncryptHub, Stealc, and Rhadamanthys infostealers; and the DarkWisp and SilentPrism backdoors, according to an analysis from Trend Micro.

"This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers' command-and-control (C&C) servers," said Trend Micro researchers, who discovered an iteration of the attack method leveraged last April.

Such findings come after at least 618 organizations around the world were reported by PRODAFT to have been compromised by EncryptHub.