
The lone-wolf actor behind the EncryptHub persona was acknowledged by Microsoft last month for discovering and reporting two security flaws in Windows, painting a picture of a "conflicted" individual straddling a legitimate career in cybersecurity and pursuing cybercrime.
In a new, extensive analysis published by its KrakenLabs team, Swedish security company Outpost24 said the individual fled his hometown of Kharkiv, Ukraine, about a decade ago and relocated to a new location somewhere near the Romanian coast.
Microsoft credited a party named "SkorikARI with SkorikARI" for reporting the vulnerabilities. Both flaws were fixed by Redmond as part of the Patch Tuesday update released last month.
- CVE-2025-24061 (CVSS score: 7.8) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
- CVE-2025-24071 (CVSS score: 6.5) - Microsoft Windows File Explorer Spoofing Vulnerability
Tracked under the monikers LARVA-208 and Water Gamayun, EncryptHub came to light in mid-2024 as part of a campaign that leveraged fake WinRAR sites to distribute different types of malware hosted in a GitHub repository named "encrypthub."

In recent weeks, the threat actor has been attributed with the zero-day exploitation of another security flaw in the Microsoft Management Console (CVE-2025-26633, CVSS score: 7.0, aka MSC EvilTwin) to deliver information stealers and previously undocumented backdoors named SilentPrism and DarkWisp.
According to PRODAFT, EncryptHub is estimated to have breached over 618 high-value targets across multiple industries over nine months of operation.
"All the data analyzed throughout the study refers to the behavior of one individual," Lidia Lopez, senior threat intelligence analyst at Outpost24, told The Hacker News.
"However, we cannot rule out the possibility of collaboration with other threat actors. One of the Telegram channels used to monitor infection statistics has another Telegram user with administrative privileges, suggesting potential cooperation or support from others, who do not belong to a clearly defined group."
Outpost24 said it was able to uncover new aspects of the actor's process as a result of "actor self-infection due to insufficient operational security practices."

The individual is believed to have kept a low profile after moving to an unspecified location near Romania, studying computer science on his own by enrolling in an online course while seeking computer-related work.
However, all of the threat actor's activities halted suddenly in early 2022, coinciding with the start of the Russo-Ukrainian war. Outpost24 said it found evidence suggesting he was imprisoned around the same time.
"Once released, he resumed his job hunting, this time offering freelance web and app development services. But it is likely that the pay wasn't enough, and I believe he pivoted into cybercrime in the first half of 2024 after a brief attempt at bug bounty programs."
One of EncryptHub's early ventures in the cybercrime landscape was Fickle Stealer, first documented by Fortinet FortiGuard Labs in June 2024 as a Rust-based information stealer distributed over multiple channels.

In a recent interview with security researcher g0njxa, the threat actor claimed that Fickle "produces results in systems where Stealc or Rhadamantys (sic) is not working" and "passes through high-quality corporate anti-virus systems." They also said that the stealer is not only shared privately but is also "integrated" with another product called EncryptRAT.
"We were able to associate Fickle Stealer with an alias that we had previously tied to EncryptHub," Lopez said. "In addition, one of the domains linked to that campaign is consistent with the infrastructure associated with his legitimate freelance work. From the analysis, we estimate that EncryptHub's cybercriminal activities began around March 2024."
EncryptHub is said to rely extensively on OpenAI's ChatGPT to help develop malware. He has also gone as far as using it as a confession tool, in addition to relying on it for translating emails and messages.
"The EncryptHub case highlights that poor operational security is one of the most critical weaknesses for cybercriminals," Lopez noted. "Despite technical sophistication, basic mistakes such as password reuse, exposed infrastructure, and mixing personal and criminal activity ultimately led to his exposure."