EncryptHub Exploits Zero-Day Flaw in Windows to Deploy Diverse Malware

Article Highlights
Off On

The recent activities of EncryptHub, a notorious threat actor, have sparked significant concerns among cybersecurity professionals as they exploit a zero-day vulnerability in Microsoft Windows to deploy a variety of malware. EncryptHub has been leveraging CVE-2025-26633, a critical vulnerability in Microsoft Management Console (MMC), to bypass local security features, maintain persistence, and steal sensitive data from compromised systems. This vulnerability, which Microsoft recently patched, has a CVSS score of 7.0, indicating its high severity. The extent and sophistication of EncryptHub’s methods highlight the persistent nature of their operations and the importance of maintaining stringent cybersecurity protocols.

Exploitation Techniques and Methods

EncryptHub exploits the MMC vulnerability through innovative techniques such as the manipulation of .msc files and the Multilingual User Interface Path (MUIPath). The method known as MSC EvilTwin involves creating two .msc files with identical names—one benign and the other malicious. By placing the malicious file in an “en-US” directory, the MMC inadvertently executes it, thus initiating the malware deployment. This tactic illustrates EncryptHub’s deep understanding of Windows internals and their ability to exploit them ingeniously.

In addition to the MSC EvilTwin method, EncryptHub also employs other sophisticated techniques for delivering their malicious payloads. One such method involves using MMC’s ExecuteShellCommand to fetch and run the next-stage payload. Another technique makes use of mock directories like “C:Windows System32” with a trailing space after “Windows,” allowing the bypass of User Account Control (UAC) and the deployment of malicious .msc files. These methods represent a multi-faceted approach to ensure persistence and the execution of malicious code on target systems, illustrating EncryptHub’s versatility and strategic planning in cybersecurity attacks.

Deployment of Malware and Payloads

Trend Micro’s research expounds on how EncryptHub uses digitally-signed Microsoft installer (MSI) files designed to mimic legitimate Chinese software such as DingTalk or QQTalk. These files kickstart the attack chain by downloading the necessary loader from a remote server. Once the loader is in place, the attackers can deploy and execute their malicious payloads, further compromising the target systems. The use of signed MSI files emphasizes EncryptHub’s sophistication in ensuring their malware appears legitimate and is less likely to raise suspicions during initial execution.

This active campaign by EncryptHub is notable for its continuous development, showcasing a proficient threat actor adept at employing multiple delivery methods tailored to different scenarios. The malware distributed by EncryptHub includes a variety of custom payloads, such as EncryptHub Stealer, and backdoors named DarkWisp and SilentPrism. These variants, consolidated under the name EncryptRAT by Outpost24, are designed to steal sensitive data and maintain a foothold within compromised networks. The evolving tactics, techniques, and procedures (TTPs) of EncryptHub underscore their intent and capability to adapt swiftly to new vulnerabilities and environments.

Continued Evolution and Countermeasures

Dustin Childs from Trend Micro Zero Day Initiative (ZDI) highlights that EncryptHub has been experimenting and refining these techniques since the beginning of the year. This persistent evolution of strategies reflects the group’s resilience and sophisticated approach to exploiting vulnerabilities. The research indicates a threat actor that is not just capable but dedicated to continuously improving their methods to maximize the impact of their attacks and avoid detection.

The detailed exploration of EncryptHub’s operations underscores the critical need for vigilant cybersecurity measures. Organizations must prioritize timely patching of vulnerabilities, implementing robust monitoring systems, and educating employees about potential phishing attacks to safeguard against such advanced persistent threats. Cybersecurity professionals should remain informed about the latest threat intelligence and ensure their defenses are adaptive to the ever-changing landscape of cyber threats.

Future Considerations

The recent activities of EncryptHub, a well-known threat actor, have raised significant concerns among cybersecurity experts as they exploit a zero-day vulnerability in Microsoft Windows to deploy various forms of malware. EncryptHub has been taking advantage of CVE-2025-26633, a critical vulnerability in Microsoft Management Console (MMC), allowing them to bypass local security measures, maintain persistence, and steal sensitive data from compromised systems. This vulnerability, which has just been patched by Microsoft, has a CVSS score of 7.0, indicating its high severity. The sophistication and extent of EncryptHub’s tactics underscore the ongoing threat they pose and stress the critical need for stringent cybersecurity protocols. Cybersecurity professionals urge organizations to update their systems immediately and remain vigilant against such invasive threats. This scenario emphasizes the ongoing battle between cyber attackers and defenders, with the security landscape constantly evolving to address new vulnerabilities and tactics.

Explore more

Can AI Redefine C-Suite Leadership with Digital Avatars?

I’m thrilled to sit down with Ling-Yi Tsai, a renowned HRTech expert with decades of experience in leveraging technology to drive organizational change. Ling-Yi specializes in HR analytics and the integration of cutting-edge tools across recruitment, onboarding, and talent management. Today, we’re diving into a groundbreaking development in the AI space: the creation of an AI avatar of a CEO,

Cash App Pools Feature – Review

Imagine planning a group vacation with friends, only to face the hassle of tracking who paid for what, chasing down contributions, and dealing with multiple payment apps. This common frustration in managing shared expenses highlights a growing need for seamless, inclusive financial tools in today’s digital landscape. Cash App, a prominent player in the peer-to-peer payment space, has introduced its

Scowtt AI Customer Acquisition – Review

In an era where businesses grapple with the challenge of turning vast amounts of data into actionable revenue, the role of AI in customer acquisition has never been more critical. Imagine a platform that not only deciphers complex first-party data but also transforms it into predictable conversions with minimal human intervention. Scowtt, an AI-native customer acquisition tool, emerges as a

Hightouch Secures Funding to Revolutionize AI Marketing

Imagine a world where every marketing campaign speaks directly to an individual customer, adapting in real time to their preferences, behaviors, and needs, with outcomes so precise that engagement rates soar beyond traditional benchmarks. This is no longer a distant dream but a tangible reality being shaped by advancements in AI-driven marketing technology. Hightouch, a trailblazer in data and AI

How Does Collibra’s Acquisition Boost Data Governance?

In an era where data underpins every strategic decision, enterprises grapple with a staggering reality: nearly 90% of their data remains unstructured, locked away as untapped potential in emails, videos, and documents, often dubbed “dark data.” This vast reservoir holds critical insights that could redefine competitive edges, yet its complexity has long hindered effective governance, making Collibra’s recent acquisition of