CyberSecurity news

FlagThis - #encrypthub

@cyberpress.org //

EncryptHub Ransomware Operators Exposed Due to OPSEC Error - EncryptHub, a cybercriminal group known for ransomware, was exposed due to OPSEC blunders and its use of ChatGPT for malware development.
EncryptHub, an up-and-coming cybercriminal group known for its ransomware operations and data theft, has been exposed due to a series of operational security (OPSEC) blunders and its reliance on ChatGPT. This threat actor, which has been rapidly expanding its operations, has been linked to over 600 ransomware and infostealer attacks globally. Researchers have gained unprecedented insights into EncryptHub's tactics, techniques, and procedures (TTPs) due to these failures, offering a clearer picture of the individual or group behind the malicious activities.

One of the key mistakes made by EncryptHub was enabling directory listings on their servers, which exposed sensitive malware configuration files. They also reused passwords across multiple accounts and left Telegram bot configurations used for data exfiltration accessible. These OPSEC errors allowed researchers to uncover vital details about their infrastructure and campaigns, including the mapping of their attack chain. The exposure of unprotected stealer logs stored alongside malware executables further aided the investigation.

A unique aspect of EncryptHub's operations is its extensive use of ChatGPT as a development assistant. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and draft posts for underground forums. EncryptHub also leveraged ChatGPT for vulnerability research, even exploiting vulnerabilities they had previously reported under an alias. This reliance on AI, coupled with their OPSEC failures, ultimately led to their exposure and provides insight into the evolving landscape of cybercrime.

Recommended read:
References :
@cyberalerts.io //

EncryptHub Cybercriminal Operations Exposed and Credited - Microsoft credited EncryptHub, a cybercriminal, for disclosing Windows vulnerabilities, highlighting the complex relationship between cybercrime and security improvements.
Microsoft has publicly credited EncryptHub, a cybercriminal actor linked to over 618 breaches, for disclosing vulnerabilities in Windows. This revelation highlights the complex and often contradictory nature of modern cybersecurity, where a known threat actor can also contribute to improving system security. The vulnerabilities reported by EncryptHub, tracked under the alias "SkorikARI with SkorikARI," included a Mark-of-the-Web security feature bypass (CVE-2025-24061) and a File Explorer spoofing vulnerability (CVE-2025-24071), both of which were patched in Microsoft's latest Patch Tuesday update.

Outpost24 KrakenLabs, a Swedish security company, has been investigating EncryptHub, unmasking details about their operations, infrastructure, and the mistakes that led to their exposure. These operational security (OPSEC) failures, combined with the actor's reliance on ChatGPT, allowed researchers to gain unprecedented insights into their tactics, techniques, and procedures (TTPs). EncryptHub's activities have been traced back to a lone wolf actor who allegedly fled Ukraine for Romania, seeking computer-related jobs while studying computer science through online courses. EncryptHub compromised 618+ targets using Microsoft flaws and custom malware after failed freelance attempts.

EncryptHub's reliance on ChatGPT as a development assistant is a notable aspect of their operations. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and even draft posts for underground forums. In one instance, EncryptHub used ChatGPT to draft posts selling exploits for vulnerabilities they had previously reported under an alias to Microsoft’s Security Response Center (MSRC). The actor’s most recent exploit, CVE-2025-26633 (aka MSC EvilTwin), targeted the Microsoft Management Console to deliver info stealers and zero-day backdoors. Despite EncryptHub's technical capabilities, their operational sloppiness, including self-infections and reused credentials, ultimately led to their exposure.

Recommended read:
References :
  • thehackernews.com: Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws
  • Cyber Security News: ChatGPT Clues and OPSEC Errors Expose EncryptHub Ransomware Operators
  • Sam Bent: Microsoft Publicly Credits Hacker Behind 618+ Attacks—EncryptHub Exposed as Dual-Use Operator
  • gbhackers.com: EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures
  • DataBreaches.Net: Unmasking EncryptHub: Help from ChatGPT & OPSEC blunders
  • Cyber Security News: has been exposed due to a series of operational security failures and unconventional use of AI tools.
  • BleepingComputer: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
  • ciso2ciso.com: The controversial case of the threat actor EncryptHub – Source: securityaffairs.com
  • securityaffairs.com: The controversial case of the threat actor EncryptHub
  • ciso2ciso.com: The controversial case of the threat actor EncryptHub – Source: securityaffairs.com
  • bsky.app: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
  • BleepingComputer: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
  • Techzine Global: EncryptHub plays dual role as cybercriminal and Windows researcher
  • The DefendOps Diaries: Decrypting EncryptHub: A Cybersecurity Enigma
  • bsky.app: BSky post about EncryptHub's dual life as a cybercriminal and Windows bug bounty researcher
  • www.bleepingcomputer.com: EncryptHub's dual life: Cybercriminal vs Windows bug-bounty researcher
  • www.scworld.com: Report: EncryptHub moonlighting in vulnerability research
  • Anonymous ???????? :af:: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
  • BleepingComputer: EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
@The DefendOps Diaries //

Water Gamayun Abuses Zero-Day for Code Execution - Water Gamayun, a suspected Russian threat actor, abuses a zero-day vulnerability in Microsoft Management Console (CVE-2025-26633) to execute malicious code using sophisticated delivery methods and custom payloads, including backdoors and stealers.
A Russian threat actor, known as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. This flaw, dubbed MSC EvilTwin, enables attackers to execute malicious code on infected Windows systems. The attackers manipulate .msc files and the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy various malicious payloads.

Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.

Recommended read:
References :
  • www.cybersecuritydive.com: Russian threat actor weaponized Microsoft Management Console flaw
  • www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
  • iHLS: A threat actor is leveraging a zero-day vulnerability in the Microsoft Management Console (MMC) to distribute malware.
  • Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console.
  • doublepulsar.com: Bleeping Computer reports on claims of a breach of Oracle Cloud federated SSO login servers.
  • www.cybersecuritydive.com: Confirmation of patient data stolen in alleged cloud breach.
  • www.healthcareitnews.com: Reports indicate Oracle Health customers received a letter about a data compromise.
  • Techzine Global: Oracle acknowledged the breach related to their health tech division.
  • www.cybersecuritydive.com: Security firms brace for impact of potential Oracle Cloud breach
  • DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
  • infosec.exchange: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on.
  • Risky Business Media: Risky Bulletin: Oracle's healthtech division hacked, customers extorted
  • aboutdfir.com: Oracle Health breach compromises patient data at US hospitals A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed […] The post appeared first on .
  • techcrunch.com: Oracle under fire for its handling of separate security incidents
  • techxplore.com: Oracle warns health customers of patient data breach
  • The Register - Security: 1990s incident response in 2025 Two Oracle data security breaches have been reported in the past week, and the database goliath not only remains reluctant to acknowledge the disasters publicly – it may be scrubbing the web of evidence, too.…
  • www.csoonline.com: Oracle’s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers’ sensitive data, the company told some of its customers.
  • SiliconANGLE: Oracle denies cloud breach, while researchers point to credible indicators
  • Danny Palmer: NEW: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on. Both public and employees are confused at this point, as there is little transparency. Here's a recap of what's happening.
@The DefendOps Diaries //

EncryptHub Exploits Microsoft MMC Zero-Day - EncryptHub, linked to RansomHub, exploited a zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console (MMC) to execute malicious code, compromising systems by tricking users into opening malicious files.
EncryptHub, a group linked to RansomHub, has been identified as the actor exploiting a zero-day vulnerability in Microsoft Management Console (MMC). Tracked as CVE-2025-26633, this flaw allows attackers to bypass security features and execute malicious code on vulnerable Windows systems. The vulnerability stems from improper input sanitization within MMC, a core administrative tool. Attackers are leveraging this flaw through email and web-based attacks, delivering malicious payloads to unsuspecting users, bypassing Windows file reputation protections.

The exploit, dubbed 'MSC EvilTwin', manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious payloads, maintain persistence, and steal sensitive data. Specifically, attackers create two .msc files with the same name, a clean one and a malicious counterpart. When the legitimate file is run, MMC inadvertently picks the rogue file from a directory named "en-US" and executes it, unbeknownst to the user. This sophisticated technique allows EncryptHub to deploy various malware families, including Rhadamanthys and StealC, information stealers which pose a severe risk to affected organizations.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
  • www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
  • Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
  • BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
  • gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
  • www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
  • bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
  • The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
  • Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
  • www.cybersecuritydive.com: A threat actor known as “EncryptHub” began exploiting the zero-day vulnerability before it was patched earlier this month.
  • : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
  • www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
  • Christoffer S.: (trendmicro.com) A Deep Dive into Water Gamayun's Arsenal and Infrastructure Executive Summary: This research provides a comprehensive analysis of Water Gamayun (also known as EncryptHub and Larva-208), a suspected Russian threat actor exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console.
  • Cyber Security News: Zero-Day in Windows MMC Framework Exploited for Malicious Code Execution
  • Know Your Adversary: Adversaries always need to execute commands via various command and scripting interpreters. It's a well-known behavior, so they always look for defense evasion techniques. Trend Micro releleased a on Water Gamayun , and noted an interesting technique used by the threat acrors for proxy execution.
Deeba Ahmed@hackread.com //

Android Malware Leverages Microsoft's .NET MAUI Framework - New Android malware campaigns exploit Microsoft’s .NET MAUI framework, disguising themselves as legitimate apps to steal sensitive information, targeting users particularly in India and China.
A new wave of Android malware campaigns are exploiting Microsoft’s .NET MAUI framework to target users, particularly in India and China. Cybersecurity researchers at McAfee Labs have identified these malicious applications, which disguise themselves as legitimate services like banking and social media apps, to steal sensitive user information. These fake apps, collectively codenamed FakeApp, are not distributed through official channels like Google Play, but rather through bogus links sent via messaging apps and unofficial app stores. .NET MAUI, designed as a cross-platform development framework, allows these threats to conceal malicious code, making them difficult to detect by traditional antivirus solutions.

Researchers have found that the malware's core functionalities are written entirely in C# and stored as binary large objects, evading detection methods that typically analyze DEX files or native libraries. For instance, a fraudulent banking app impersonates IndusInd Bank, targeting Indian users by prompting them to enter personal and financial details, which are then sent to the attacker's command-and-control server. Another instance involves a fake social networking service app aimed at Chinese-speaking users, employing multi-stage dynamic loading to decrypt and execute its payload in separate stages, further complicating analysis and disrupting security tools.

Recommended read:
References :
  • hackread.com: Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware
  • securityaffairs.com: Android malware campaigns use .NET MAUI to evade detection
  • The DefendOps Diaries: Understanding the Threat: How .NET MAUI is Changing Android Malware
  • thehackernews.com: Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps
  • www.infosecurity-magazine.com: New Android Malware Uses .NET MAUI to Evade Detection
  • securityonline.info: New Android Malware Campaign Uses .NET MAUI to Evade Detection
  • Security Risk Advisors: 🚩New Android Malware Campaign Exploits .NET MAUI Framework to Steal Sensitive Data
  • MSSP feed for Latest: Threat actors exploited Microsoft's .NET MAUI cross-platform development framework to craft fake apps in new Android malware campaigns.
  • Virus Bulletin: McAfee's Mobile Research Team discovered an Android malware campaign abusing .NET MAUI, a cross-platform development framework, to evade detection and remain active on devices for a long time.
  • BleepingComputer: New Android malware campaigns use Microsoft's cross-platform framework .NET MAUI while disguising as legitimate services to evade detection.
  • Security | TechRepublic: Android Malware Exploits a Microsoft-Related Security Blind Spot to Avoid Detection
Swagta Nath@The420.in //

EncryptHub Breaches 618 Orgs, Deploys Ransomware and Stealers - The EncryptHub cybercrime group has breached 618 organizations since June 2024, deploying infostealers and ransomware via spear-phishing attacks.
The cybercriminal group EncryptHub, also known as LARVA-208, has successfully breached 618 organizations globally since June 2024. The group utilizes sophisticated social engineering techniques, including spear-phishing, to steal credentials and deploy ransomware on corporate networks. The attacks are designed to compromise systems and steal sensitive information, showcasing a high level of sophistication and a clear focus on targeting businesses worldwide.

LARVA-208's methods involve impersonating IT personnel and deceiving employees into divulging VPN credentials or installing remote management software. They have also been observed registering domain names mimicking popular VPN services to enhance the credibility of their phishing campaigns. After gaining access, the group deploys custom-developed PowerShell scripts to install information-stealing malware and ransomware, encrypting files on compromised systems and demanding cryptocurrency payments via ransom notes left on the victim device.

Recommended read:
References :
  • gbhackers.com: GBHackers article about LARVA-208 Hackers Compromise 618 Organizations Stealing Logins and Deploying Ransomware
  • Talkback Resources: TalkBack describes EncryptHub Exposed: 600+ Targets Hit by LARVA-208
  • The420.in: The420 article about EncryptHubTargets 618 Organizations with Phishing and Ransomware Attacks
  • bsky.app: A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.
  • bsky.app: A threat actor tracked as 'EncryptHub,' aka Larva-208,  has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.

Posts

Blogs

Research Tools