EncryptHub Exploits Zero-Day Flaw in Windows to Deploy Diverse Malware

Article Highlights
Off On

The recent activities of EncryptHub, a notorious threat actor, have sparked significant concerns among cybersecurity professionals as they exploit a zero-day vulnerability in Microsoft Windows to deploy a variety of malware. EncryptHub has been leveraging CVE-2025-26633, a critical vulnerability in Microsoft Management Console (MMC), to bypass local security features, maintain persistence, and steal sensitive data from compromised systems. This vulnerability, which Microsoft recently patched, has a CVSS score of 7.0, indicating its high severity. The extent and sophistication of EncryptHub’s methods highlight the persistent nature of their operations and the importance of maintaining stringent cybersecurity protocols.

Exploitation Techniques and Methods

EncryptHub exploits the MMC vulnerability through innovative techniques such as the manipulation of .msc files and the Multilingual User Interface Path (MUIPath). The method known as MSC EvilTwin involves creating two .msc files with identical names—one benign and the other malicious. By placing the malicious file in an “en-US” directory, the MMC inadvertently executes it, thus initiating the malware deployment. This tactic illustrates EncryptHub’s deep understanding of Windows internals and their ability to exploit them ingeniously.

In addition to the MSC EvilTwin method, EncryptHub also employs other sophisticated techniques for delivering their malicious payloads. One such method involves using MMC’s ExecuteShellCommand to fetch and run the next-stage payload. Another technique makes use of mock directories like “C:Windows System32” with a trailing space after “Windows,” allowing the bypass of User Account Control (UAC) and the deployment of malicious .msc files. These methods represent a multi-faceted approach to ensure persistence and the execution of malicious code on target systems, illustrating EncryptHub’s versatility and strategic planning in cybersecurity attacks.

Deployment of Malware and Payloads

Trend Micro’s research expounds on how EncryptHub uses digitally-signed Microsoft installer (MSI) files designed to mimic legitimate Chinese software such as DingTalk or QQTalk. These files kickstart the attack chain by downloading the necessary loader from a remote server. Once the loader is in place, the attackers can deploy and execute their malicious payloads, further compromising the target systems. The use of signed MSI files emphasizes EncryptHub’s sophistication in ensuring their malware appears legitimate and is less likely to raise suspicions during initial execution.

This active campaign by EncryptHub is notable for its continuous development, showcasing a proficient threat actor adept at employing multiple delivery methods tailored to different scenarios. The malware distributed by EncryptHub includes a variety of custom payloads, such as EncryptHub Stealer, and backdoors named DarkWisp and SilentPrism. These variants, consolidated under the name EncryptRAT by Outpost24, are designed to steal sensitive data and maintain a foothold within compromised networks. The evolving tactics, techniques, and procedures (TTPs) of EncryptHub underscore their intent and capability to adapt swiftly to new vulnerabilities and environments.

Continued Evolution and Countermeasures

Dustin Childs from Trend Micro Zero Day Initiative (ZDI) highlights that EncryptHub has been experimenting and refining these techniques since the beginning of the year. This persistent evolution of strategies reflects the group’s resilience and sophisticated approach to exploiting vulnerabilities. The research indicates a threat actor that is not just capable but dedicated to continuously improving their methods to maximize the impact of their attacks and avoid detection.

The detailed exploration of EncryptHub’s operations underscores the critical need for vigilant cybersecurity measures. Organizations must prioritize timely patching of vulnerabilities, implementing robust monitoring systems, and educating employees about potential phishing attacks to safeguard against such advanced persistent threats. Cybersecurity professionals should remain informed about the latest threat intelligence and ensure their defenses are adaptive to the ever-changing landscape of cyber threats.

Future Considerations

The recent activities of EncryptHub, a well-known threat actor, have raised significant concerns among cybersecurity experts as they exploit a zero-day vulnerability in Microsoft Windows to deploy various forms of malware. EncryptHub has been taking advantage of CVE-2025-26633, a critical vulnerability in Microsoft Management Console (MMC), allowing them to bypass local security measures, maintain persistence, and steal sensitive data from compromised systems. This vulnerability, which has just been patched by Microsoft, has a CVSS score of 7.0, indicating its high severity. The sophistication and extent of EncryptHub’s tactics underscore the ongoing threat they pose and stress the critical need for stringent cybersecurity protocols. Cybersecurity professionals urge organizations to update their systems immediately and remain vigilant against such invasive threats. This scenario emphasizes the ongoing battle between cyber attackers and defenders, with the security landscape constantly evolving to address new vulnerabilities and tactics.

Explore more

Revolutionizing SaaS with Customer Experience Automation

Imagine a SaaS company struggling to keep up with a flood of customer inquiries, losing valuable clients due to delayed responses, and grappling with the challenge of personalizing interactions at scale. This scenario is all too common in today’s fast-paced digital landscape, where customer expectations for speed and tailored service are higher than ever, pushing businesses to adopt innovative solutions.

Trend Analysis: AI Personalization in Healthcare

Imagine a world where every patient interaction feels as though the healthcare system knows them personally—down to their favorite sports team or specific health needs—transforming a routine call into a moment of genuine connection that resonates deeply. This is no longer a distant dream but a reality shaped by artificial intelligence (AI) personalization in healthcare. As patient expectations soar for

Trend Analysis: Digital Banking Global Expansion

Imagine a world where accessing financial services is as simple as a tap on a smartphone, regardless of where someone lives or their economic background—digital banking is making this vision a reality at an unprecedented pace, disrupting traditional financial systems by prioritizing accessibility, efficiency, and innovation. This transformative force is reshaping how millions manage their money. In today’s tech-driven landscape,

Trend Analysis: AI-Driven Data Intelligence Solutions

In an era where data floods every corner of business operations, the ability to transform raw, chaotic information into actionable intelligence stands as a defining competitive edge for enterprises across industries. Artificial Intelligence (AI) has emerged as a revolutionary force, not merely processing data but redefining how businesses strategize, innovate, and respond to market shifts in real time. This analysis

What’s New and Timeless in B2B Marketing Strategies?

Imagine a world where every business decision hinges on a single click, yet the underlying reasons for that click have remained unchanged for decades, reflecting the enduring nature of human behavior in commerce. In B2B marketing, the landscape appears to evolve at breakneck speed with digital tools and data-driven tactics, but are these shifts as revolutionary as they seem? This