EncryptHub gang actively exploiting Microsoft Management Console vulnerability
Take action: If you needed another good reason to update your Windows, how about hackers actively exploiting the unpatched flaws to steal your data and credentials and to lurk in your computers? Don't delay: press Update, then go for a coffee.
A threat actor identified as EncryptHub (also known as Water Gamayun or Larva-208) has been connected to Windows zero-day attacks that exploit a Microsoft Management Console vulnerability patched during this month's Patch Tuesday update.
The vulnerability, tracked as CVE-2025-26633 (MSC EvilTwin), is a security feature bypass in how MSC files are handled on Windows systems. It allows attackers to evade Windows file reputation protections and execute code without warning users before loading unexpected MSC files.
According to Microsoft's advisory, attackers can exploit this vulnerability through email-based attacks by sending specially crafted files and convincing users to open them. Web-based attack scenarios are also possible, where attackers host malicious content on websites or compromise legitimate sites to deliver the exploit.
The threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and steal sensitive data from infected systems. Trend Micro researchers observed these attacks before reporting the flaw to Microsoft and noted that the campaign is under active development.
Throughout this campaign, EncryptHub has deployed multiple malicious payloads including:
- EncryptHub stealer
- DarkWisp backdoor
- SilentPrism backdoor
- Stealc
- Rhadamanthys stealer
- PowerShell-based MSC EvilTwin trojan loader
Users are advised to update their Windows systems as soon as possible and to be very careful with attachments.