A Russian-linked cybercrime group known as EncryptHub has recently been exposed for using a serious Windows flaw called MSC EvilTwin to deliver malware. Security researchers revealed that the attackers are exploiting the vulnerability, identified as CVE-2025-26633, to spread a data-stealing tool named Fickle Stealer. The vulnerability allows malicious Microsoft Console (.msc) files to run in place of legitimate ones, making it a dangerous attack vector for unpatched systems.

The attack usually begins with a social engineering trick. Victims are contacted through fake IT support messages, often sent via Microsoft Teams. The attackers convince users to execute a PowerShell command that quietly drops two .msc files with the same name into different system folders. Because of the flaw, Windows executes the malicious file first, which then connects to the hackers’ remote server to download additional payloads.

Once inside, the attackers deploy Fickle Stealer, an information-stealing malware designed to harvest sensitive data. This includes details about the infected system, local files, and even cryptocurrency wallet information. The malware operates silently in the background, allowing attackers to collect valuable data without raising immediate suspicion.

Microsoft officially released a patch for the MSC EvilTwin vulnerability on March 11, 2025. Despite this, many systems around the world remain unpatched, and those are exactly the machines EncryptHub is targeting. This highlights the importance of timely updates, as even patched vulnerabilities can remain dangerous for months if organizations fail to act quickly.

Researchers also uncovered new delivery methods being used by the group. A Go-based loader known as SilentCrystal has been spotted, which mimics the earlier PowerShell technique but uses fake payloads hosted through Brave Support. This loader expands the ways attackers can deliver malware and shows how adaptable EncryptHub has become.

The group has also developed additional tools, including a Golang SOCKS5 backdoor that allows remote access to compromised systems. In one unusual move, EncryptHub even set up a fake video call service called RivaTalk to help disguise its malicious activity and maintain control over infected networks. These tactics show that the group is not only persistent but also creative in its approach.

EncryptHub, also tracked under names like Water Gamayun and LARVA-208, has been active throughout 2025. Reports suggest the group has ties to Russia, based on infrastructure and operational patterns. They were among the first to exploit the MSC EvilTwin flaw before Microsoft publicly fixed it, a common sign of a well-resourced and advanced threat actor.

Security experts are urging organizations to protect themselves by applying Microsoft’s patch immediately and remaining cautious of unexpected IT support messages. Employees should be particularly wary of instructions to run scripts or commands received through messaging platforms. Small mistakes in judgment can open the door to a full system compromise.

Monitoring systems for unusual behavior is also essential. Signs such as the unexpected execution of .msc files, suspicious PowerShell activity, or network traffic to strange domains can all point to an attack in progress. Combining technical defenses with employee awareness gives organizations the best chance to resist such threats.
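As an added example (not code from the article or from the researchers it cites), the script below turns two of the points above into simple detection heuristics: it flags console-file names that appear in more than one directory, which is the "two .msc files with the same name in different folders" pattern described earlier, and it triages process-creation events for the signs listed here, namely mmc.exe loading a .msc from outside the usual system folders, mmc.exe spawned by PowerShell, and PowerShell started with an encoded command or hidden window from a messaging client. The event records, file inventory, trusted directories and messaging-client process names are all constructed assumptions, not values taken from the campaign.

```python
"""Constructed detection heuristics for the EncryptHub / MSC EvilTwin signs
discussed in the article. Everything below is sample data and assumptions."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: where legitimate Microsoft Console files normally live.
TRUSTED_MSC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: process names of messaging clients a user might paste a command from.
MESSAGING_PARENTS = {"ms-teams.exe", "teams.exe"}

MSC_PATH_RE = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)
ENCODED_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)

# Constructed process-creation events (image, command line, parent process).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Windows\System32\eventvwr.msc", "parent": "explorer.exe"},
    {"image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Users\alice\AppData\Local\Temp\eventvwr.msc",
     "parent": "powershell.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA...", "parent": "ms-teams.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "parent": "explorer.exe"},
]

# Constructed inventory of .msc files found on a host; the Temp copy is the
# duplicate-name case, not a real indicator from the campaign.
SAMPLE_MSC_FILES = [
    r"C:\Windows\System32\eventvwr.msc",
    r"C:\Windows\System32\services.msc",
    r"C:\Users\alice\AppData\Local\Temp\eventvwr.msc",
]


def _norm_dir(path):
    """Lower-cased parent directory, since Windows paths are case-insensitive."""
    return str(PureWindowsPath(path).parent).lower()


def duplicate_msc_names(paths):
    """Return {name: [dirs]} for .msc names present in more than one directory."""
    by_name = defaultdict(list)
    for p in paths:
        pw = PureWindowsPath(p)
        if pw.suffix.lower() == ".msc":
            by_name[pw.name.lower()].append(_norm_dir(p))
    return {n: dirs for n, dirs in by_name.items() if len(set(dirs)) > 1}


def msc_argument(cmdline):
    """Extract the .msc path (quoted or bare) passed on an mmc.exe command line."""
    m = MSC_PATH_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def check_event(ev):
    """Return a list of reasons an event looks like the described activity."""
    reasons = []
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = ev.get("parent", "").lower()
    cmd = ev["cmdline"]
    if image == "mmc.exe":
        target = msc_argument(cmd)
        # A relative or non-system path (parent "." or a user folder) is untrusted.
        if target and _norm_dir(target) not in TRUSTED_MSC_DIRS:
            reasons.append(f"mmc.exe loaded console file outside trusted dirs: {target}")
        if parent == "powershell.exe":
            reasons.append("mmc.exe spawned by PowerShell")
    if image in ("powershell.exe", "pwsh.exe"):
        if ENCODED_RE.search(cmd):
            reasons.append("PowerShell with encoded command")
        if HIDDEN_RE.search(cmd):
            reasons.append("PowerShell with hidden window")
        if parent in MESSAGING_PARENTS:
            reasons.append(f"PowerShell launched from messaging client ({parent})")
    return reasons


def triage(events):
    """Return [(index, reasons)] for every event that raised at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        reasons = check_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for name, dirs in duplicate_msc_names(SAMPLE_MSC_FILES).items():
        print(f"duplicate console file name {name!r} in: {dirs}")
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

These heuristics are deliberately coarse: a single flag (for example a hidden PowerShell window) is common in legitimate administration, so the value lies in correlating several of them on one host, such as a PowerShell process from a chat client followed shortly by mmc.exe loading a console file from a user-writable directory, and in pairing them with the outbound-connection checks the text also recommends.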

This campaign serves as another reminder that cybercriminal groups will continue exploiting any weakness left unaddressed. EncryptHub’s use of MSC EvilTwin to spread Fickle Stealer demonstrates the risks of delaying critical security updates. By staying patched and alert, individuals and companies can avoid becoming the next victim of a sophisticated data theft operation.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news