
A threat actor known as EncryptHub continues to deliver malicious payloads by exploiting a now-patched security flaw affecting Microsoft Windows.
Trustwave SpiderLabs said it recently observed an EncryptHub campaign that chains exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) with rogue Microsoft Console (MSC) files to trigger its infection routine.
"These activities are part of a wider range of continuing malicious activities that fuse social engineering and technical exploitation to bypass security defenses and gain control over internal environments," said Trustwave researchers Nathaniel Morales and Nikita Kazymirskyi.
EncryptHub is a Russian hacking group, also tracked as LARVA-208 and Water Gamayun, that first rose to prominence in mid-2024. The financially motivated crew operates at a high tempo and is known for infecting targets with stealer malware using several methods, including fake job offers, portfolio reviews, and even compromised Steam games.

The threat actor's abuse of CVE-2025-26633 was previously documented by Trend Micro in March 2025, which uncovered attacks that delivered two backdoors called SilentPrism and DarkWisp.
The latest attack sequence involves the threat actors claiming to be from the IT department and sending requests to targets over Microsoft Teams, with the aim of launching a remote connection and deploying a secondary payload using PowerShell commands.
Among the dropped files are two MSC files with the same name, one benign and the other malicious. The pair is used to trigger CVE-2025-26633, so that the rogue MSC file is ultimately executed when its harmless counterpart is launched.
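A defender-side hunt for the same-name MSC pattern described above, added here as an illustration and not part of Trustwave's report: it walks a directory tree, groups every .msc file by case-insensitive name, and reports names present in more than one directory together with each copy's SHA-256, so an analyst can tell the benign console file from its look-alike. The sample tree and file names are constructed for the example.

```python
"""Hunt for .msc files that share a file name across directories."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large console files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_msc_collisions(root: str) -> dict:
    """Return {lowercase name: [(path, sha256), ...]} for names seen more than once."""
    seen = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".msc"):
                full = os.path.join(dirpath, name)
                seen[name.lower()].append((full, sha256_of(full)))
    # A name that is unique is normal; a duplicate across directories is the signal.
    return {n: v for n, v in seen.items() if len(v) > 1}


def build_sample_tree() -> str:
    """Constructed sample directory (hypothetical names and content, not real artefacts)."""
    root = tempfile.mkdtemp(prefix="msc-hunt-")
    os.makedirs(os.path.join(root, "sub"))
    # Same file name in two directories, different content; case differs on purpose.
    with open(os.path.join(root, "Console.msc"), "w") as f:
        f.write('<?xml version="1.0"?><MMC_ConsoleFile><Benign/></MMC_ConsoleFile>')
    with open(os.path.join(root, "sub", "console.MSC"), "w") as f:
        f.write('<?xml version="1.0"?><MMC_ConsoleFile><Other/></MMC_ConsoleFile>')
    with open(os.path.join(root, "unique.msc"), "w") as f:
        f.write("<MMC_ConsoleFile/>")
    return root


if __name__ == "__main__":
    for name, copies in find_msc_collisions(build_sample_tree()).items():
        print(f"[!] {name} appears {len(copies)} times:")
        for path, digest in copies:
            print(f"    {path}  sha256={digest[:16]}...")
```

A duplicate name is only a lead: the analyst still has to compare the two files' contents to decide which one is the rogue console.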

The MSC file, for its part, communicates with an EncryptHub command-and-control (C2) server to collect system information, establish persistence on the host, and receive and execute malicious payloads from an external server, including a stealer known as Fickle Stealer.
"The script receives AES-encrypted commands from the attacker, decrypts them, and runs the payload directly on the infected machine," the researchers said.
Also deployed by the threat actors over the course of the attack is a ZIP archive containing two MSC files that weaponizes CVE-2025-26633, distributed by abusing Brave Support, a legitimate platform associated with the Brave web browser.
Notably, uploading file attachments to the Brave Support platform is restricted for new users, indicating that the attackers somehow gained unauthorized access to an account with upload permissions in order to pull off the scheme.

Other tools deployed include a Golang backdoor that works in both client and server modes to send system metadata to the C2 server and set up C2 infrastructure using the SOCKS5 proxy tunneling protocol.
There is also evidence that the threat actors continue to rely on video conferencing lures, this time setting up a fake platform named RivaTalk to deceive victims into downloading an MSI installer.
Running the installer drops several files; a legitimate Early Launch Anti-Malware (ELAM) installer binary from Symantec is used to sideload a malicious DLL.

The sideloaded DLL is designed to collect system information and exfiltrate it to a C2 server, then wait for encrypted PowerShell instructions that are decoded and executed, giving the attacker full control over the system. The malware also launches a background job that generates fake browser traffic, displaying a bogus "System Configuration" pop-up message as a ruse and making HTTP requests to popular websites to blend C2 communications with normal network activity.
"The EncryptHub threat actors represent highly resourced and adaptable adversaries, combining social engineering, abuse of trusted platforms, and exploitation of system vulnerabilities to maintain persistence and control," Trustwave said.
"The use of fake video conferencing platforms, encrypted command structures, and evolving sets of malware tools highlights the importance of layered defense strategies, continuous threat intelligence, and user awareness training."