CyberSecurity news
@cyberalerts.io
Microsoft has publicly credited EncryptHub, a cybercriminal actor linked to over 618 breaches, for disclosing vulnerabilities in Windows. This revelation highlights the complex and often contradictory nature of modern cybersecurity, where a known threat actor can also contribute to improving system security. The vulnerabilities, reported by EncryptHub under the alias "SkorikARI with SkorikARI," included a Mark-of-the-Web security feature bypass (CVE-2025-24061) and a File Explorer spoofing vulnerability (CVE-2025-24071), both of which were patched in Microsoft's latest Patch Tuesday update.
Outpost24 KrakenLabs, a Swedish security company, has been investigating EncryptHub, unmasking details about their operations, infrastructure, and the mistakes that led to their exposure. These operational security (OPSEC) failures, combined with the actor's reliance on ChatGPT, allowed researchers to gain unprecedented insight into their tactics, techniques, and procedures (TTPs). EncryptHub's activities have been traced back to a lone-wolf actor who allegedly fled Ukraine for Romania, seeking computer-related jobs while studying computer science through online courses. After failed attempts at freelance work, EncryptHub compromised 618+ targets using Microsoft flaws and custom malware.
EncryptHub's reliance on ChatGPT as a development assistant is a notable aspect of their operations. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and even draft posts for underground forums. In one instance, EncryptHub used ChatGPT to draft posts selling exploits for vulnerabilities they had previously reported under an alias to Microsoft's Security Response Center (MSRC). The actor's most recent exploit, CVE-2025-26633 (aka MSC EvilTwin), targeted the Microsoft Management Console to deliver info stealers and zero-day backdoors. Despite EncryptHub's technical capabilities, their operational sloppiness, including self-infections and reused credentials, ultimately led to their exposure.