A recently patched security vulnerability in Microsoft Windows has been exploited by the threat actor known as EncryptHub, allowing the delivery of various malware families, including backdoors and data stealers like Rhadamanthys and StealC. This attack utilizes the zero-day vulnerability identified as CVE-2025-26633, which received a CVSS score of 7.0, indicating its severity and the potential risk it poses to users.
In an analysis by Trend Micro, researcher Aliakbar Zahravi detailed the techniques employed by EncryptHub. The adversary manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download malicious payloads, creating a pathway for persistent threats that can compromise sensitive data without the user's awareness. The exploit circumvents a security feature in Microsoft Management Console (MMC), enabling attackers to execute harmful commands locally.
Trend Micro attributes the exploit to a Russian activity cluster dubbed 'Water Gamayun,' whose malware deployment activity its analysts have been actively tracking. The company has labeled this specific attack method 'MSC EvilTwin.' The exploit works by creating two .msc files that share the same name, one legitimate and one malicious, so that when the legitimate file is opened, MMC covertly executes the malicious one instead.
Furthermore, researchers noted other methods used by EncryptHub to execute its malicious payloads. These include abusing the ExecuteShellCommand function of MMC and using deceptive directory names to bypass User Account Control (UAC). The group has also disguised malicious installers as legitimate software by using recognized digital signatures, a tactic it has favored since April 2024.
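The two file-system patterns described above (a same-named .msc twin placed under a MUIPath-style localized subdirectory, and a deceptive directory name that mimics a trusted Windows path) can both be hunted for with a simple inventory check. The script below is an added example and not code from the article or from Trend Micro; the sample paths, the `en-US` subdirectory layout and the trailing-space directory name are constructed assumptions used to illustrate the two patterns, not indicators from the report.

```python
import ntpath
from collections import defaultdict

# Constructed sample file inventory (assumption, not from the article).
SAMPLE_PATHS = [
    r"C:\Windows\System32\WF.msc",
    r"C:\Windows\System32\en-US\WF.msc",          # same name as the file one level up
    r"C:\Windows\System32\services.msc",
    r"C:\Windows \System32\WindowsSandbox.exe",   # note the trailing space in "Windows "
    r"C:\Users\Public\notes.txt",
]

# Directory names whose look-alikes are worth flagging (assumed list).
TRUSTED_ROOTS = ("windows", "program files", "program files (x86)")


def find_msc_twins(paths):
    """Return (twin, original) pairs: a .msc file whose name matches a .msc
    file in its parent directory, the layout an MUIPath shadow copy would use."""
    by_dir = defaultdict(dict)  # lowercased dir -> {lowercased name: original path}
    for p in paths:
        d, name = ntpath.split(p)
        if name.lower().endswith(".msc"):
            by_dir[d.lower()][name.lower()] = p
    twins = []
    for d, files in by_dir.items():
        parent = ntpath.dirname(d)
        if parent == d or parent not in by_dir:
            continue  # top-level dir, or parent holds no .msc files
        for name, path in files.items():
            if name in by_dir[parent]:
                twins.append((path, by_dir[parent][name]))
    return twins


def find_mock_trusted_dirs(paths):
    """Flag paths whose components spell a trusted root name but carry extra
    whitespace (e.g. 'Windows '), which reads as the real directory to a human."""
    hits = []
    for p in paths:
        for comp in p.split("\\")[1:]:  # skip the drive letter
            if comp.strip().lower() in TRUSTED_ROOTS and comp.lower() != comp.strip().lower():
                hits.append(p)
                break
    return hits


if __name__ == "__main__":
    for twin, original in find_msc_twins(SAMPLE_PATHS):
        print(f"possible .msc twin: {twin} shadows {original}")
    for p in find_mock_trusted_dirs(SAMPLE_PATHS):
        print(f"mock trusted directory in path: {p}")
```

On a real host the path list would come from a file-system walk or an EDR inventory export; each hit is a lead for triage, not proof of compromise.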
As the threat landscape continues to evolve, the tactics of EncryptHub highlight the need for proactive cybersecurity measures. Users are urged to stay informed about the latest vulnerabilities and to apply security patches promptly to mitigate the risks posed by such sophisticated attacks.