CyberSecurity news
FlagThis - #encrypthub
|
@cyberpress.org
//
EncryptHub, an up-and-coming cybercriminal group known for its ransomware operations and data theft, has been exposed due to a series of operational security (OPSEC) blunders and its reliance on ChatGPT. This threat actor, which has been rapidly expanding its operations, has been linked to over 600 ransomware and infostealer attacks globally. Researchers have gained unprecedented insights into EncryptHub's tactics, techniques, and procedures (TTPs) due to these failures, offering a clearer picture of the individual or group behind the malicious activities.
One of the key mistakes made by EncryptHub was enabling directory listings on their servers, which exposed sensitive malware configuration files. They also reused passwords across multiple accounts and left Telegram bot configurations used for data exfiltration accessible. These OPSEC errors allowed researchers to uncover vital details about their infrastructure and campaigns, including the mapping of their attack chain. The exposure of unprotected stealer logs stored alongside malware executables further aided the investigation. A unique aspect of EncryptHub's operations is its extensive use of ChatGPT as a development assistant. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and draft posts for underground forums. EncryptHub also leveraged ChatGPT for vulnerability research, even exploiting vulnerabilities they had previously reported under an alias. This reliance on AI, coupled with their OPSEC failures, ultimately led to their exposure and provides insight into the evolving landscape of cybercrime.
Share:
References :
Classification:
@cyberalerts.io
//
Microsoft has publicly credited EncryptHub, a cybercriminal actor linked to over 618 breaches, for disclosing vulnerabilities in Windows. This revelation highlights the complex and often contradictory nature of modern cybersecurity, where a known threat actor can also contribute to improving system security. The vulnerabilities reported by EncryptHub, tracked under the alias "SkorikARI with SkorikARI," included a Mark-of-the-Web security feature bypass (CVE-2025-24061) and a File Explorer spoofing vulnerability (CVE-2025-24071), both of which were patched in Microsoft's latest Patch Tuesday update.
Outpost24 KrakenLabs, a Swedish security company, has been investigating EncryptHub, unmasking details about their operations, infrastructure, and the mistakes that led to their exposure. These operational security (OPSEC) failures, combined with the actor's reliance on ChatGPT, allowed researchers to gain unprecedented insights into their tactics, techniques, and procedures (TTPs). EncryptHub's activities have been traced back to a lone wolf actor who allegedly fled Ukraine for Romania, seeking computer-related jobs while studying computer science through online courses. EncryptHub compromised 618+ targets using Microsoft flaws and custom malware after failed freelance attempts. EncryptHub's reliance on ChatGPT as a development assistant is a notable aspect of their operations. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and even draft posts for underground forums. In one instance, EncryptHub used ChatGPT to draft posts selling exploits for vulnerabilities they had previously reported under an alias to Microsoft’s Security Response Center (MSRC). The actor’s most recent exploit, CVE-2025-26633 (aka MSC EvilTwin), targeted the Microsoft Management Console to deliver info stealers and zero-day backdoors. Despite EncryptHub's technical capabilities, their operational sloppiness, including self-infections and reused credentials, ultimately led to their exposure.
Share:
References :
Classification:
@The DefendOps Diaries
//
A Russian threat actor, known as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. This flaw, dubbed MSC EvilTwin, enables attackers to execute malicious code on infected Windows systems. The attackers manipulate .msc files and the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy various malicious payloads.
Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.
Share:
References :
Classification:
|