Vulnerability Management

Windows-Targeted EncryptHub Attacks Involve MMC Zero-Day Exploitation

Newly emergent threat actor EncryptHub, also known as Larva-208 or Water Gamayun, has targeted Windows systems in intrusions leveraging the recently patched Microsoft Management Console zero-day vulnerability, tracked as CVE-2025-26633, reports BleepingComputer. Exploitation of the flaw, also dubbed MSC EvilTwin, is accomplished via manipulated .msc files and the Multilingual User Interface Path. This let EncryptHub deploy several malicious payloads, including the PowerShell-based MSC EvilTwin Trojan loader, the EncryptHub, Stealc, and Rhadamanthys infostealers, and the DarkWisp and SilentPrism backdoors, according to an analysis from Trend Micro. "This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers' command-and-control (C&C) servers," said Trend Micro researchers, who discovered an iteration of the attack method leveraged last April. The findings come after PRODAFT reported that at least 618 organizations worldwide were compromised by EncryptHub.
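As an added hunting example (not code from the article or from Trend Micro's research), the script below walks a directory tree and reports every .msc console file that sits in a locale-named subfolder, noting when a same-named .msc exists one level up so the two can be compared. It assumes, as labelled in the code, that the Multilingual User Interface Path lookup mentioned above resolves a console file to a copy in such a locale folder; the directory layout it scans is constructed for the demo, and the regular expression for locale folder names is a heuristic of this example.

```python
"""
Hunting helper for .msc files placed in locale-named (MUI path) folders.

Assumption of this example: the MUI path lookup resolves a console file to a
copy in a locale-named subfolder (for instance en-US) next to the original,
so a benign console.msc beside en-US\\console.msc is a layout worth review.
"""
import os
import tempfile
import re
from pathlib import Path

# Heuristic for locale folders in the common lang-REGION form (en-US, de-DE,
# zh-Hans). Longer tags such as sr-Latn-RS are out of scope for this demo.
LOCALE_DIR = re.compile(r"^[a-z]{2,3}-[A-Za-z]{2,4}$")


def find_msc_in_locale_dirs(root):
    """Walk `root` and report every .msc file inside a locale-named subfolder.
    For each hit, record whether a same-named .msc exists one level up (the
    'twin' layout) so a reviewer knows which original to compare it with."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".msc":
            continue
        locale_dir = path.parent
        if not LOCALE_DIR.match(locale_dir.name):
            continue
        twin = locale_dir.parent / path.name
        findings.append({
            # Normalise separators so results read the same on every platform.
            "file": str(path.relative_to(root)).replace(os.sep, "/"),
            "twin_of": (str(twin.relative_to(root)).replace(os.sep, "/")
                        if twin.is_file() else None),
        })
    findings.sort(key=lambda f: f["file"])
    return findings


def build_sample_tree(base):
    """Create a constructed (not real) directory layout for the demo."""
    layout = {
        "tools/console.msc": "benign console file",
        "tools/en-US/console.msc": "same name inside a locale folder: review",
        "other/de-DE/orphan.msc": "locale folder with no sibling original",
        "other/plain.msc": "ordinary location, not reported",
        "other/notes/extra.msc": "non-locale subfolder, not reported",
    }
    for rel, text in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_msc_in_locale_dirs(tmp)


if __name__ == "__main__":
    for f in demo():
        status = f"twin of {f['twin_of']}" if f["twin_of"] else "no sibling original"
        print(f"{f['file']}: {status}")
```

Run it against a real tree by replacing the temp directory in `demo()` with the path to review; a hit with a `twin_of` entry is the layout to compare first, while a lone .msc in a locale folder still deserves a look at who wrote it and when.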
