EncryptHub exploited a recently patched Windows vulnerability (CVE-2025-26633) to deploy several malware families, including Rhadamanthys and StealC. This zero-day vulnerability, found in the Microsoft Management Console (MMC), allowed attackers to bypass security features and execute malicious payloads on infected systems. The threat actor manipulated .msc files and the Multilingual User Interface Path (MUIPath) to maintain persistence and steal sensitive data from victims’ machines. Trend Micro tracked this attack as MSC EvilTwin and associated it with the Russian activity cluster, Water Gamayun.
The exploit took advantage of the MMC framework to execute a malicious .msc file using a PowerShell loader.
The malicious file was placed in the same directory as the clean file, using the MUIPath feature to trick MMC into executing the rogue file instead. This attack method bypassed security defenses, including User Account Control (UAC), allowing the malware to run without the victim’s knowledge.
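A defender-side hunt for the MUIPath shadowing described above, as an added example that is not from the Trend Micro report: it walks a directory tree and flags any .msc that also exists under a locale-named subfolder (such as en-US) beside the clean copy. That MMC resolves MUIPath to such a folder, and the constructed sample tree the script scans, are assumptions of this example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# MUI language folders are named like "en-US" or "de-DE".
LOCALE_DIR = re.compile(r"^[a-z]{2,3}-[A-Z][A-Za-z]{1,3}$")


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_msc_shadows(root: str) -> list[dict]:
    """Report every .msc that is duplicated inside a locale-named subfolder
    of its own directory. Assumption: MMC resolves MUIPath to such a folder,
    so a rogue copy there can be loaded instead of the clean console file.
    Legitimate MUI folders hold .mui resources, not whole .msc consoles."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        base = Path(dirpath)
        consoles = [f for f in filenames if f.lower().endswith(".msc")]
        for sub in filter(LOCALE_DIR.match, dirnames):
            for name in consoles:
                clean, shadow = base / name, base / sub / name
                if shadow.is_file():
                    findings.append({
                        "clean": str(clean),
                        "shadow": str(shadow),
                        # identical content is a benign duplicate; a differing
                        # shadow is the EvilTwin pattern worth triaging
                        "same_content": _sha256(clean) == _sha256(shadow),
                    })
    return findings


def demo() -> list[dict]:
    """Build a constructed directory tree (not real system files) with one
    shadowed console and one unshadowed console, then scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "Tools" / "en-US").mkdir(parents=True)
    (root / "Tools" / "Console.msc").write_text("<clean console/>")
    (root / "Tools" / "en-US" / "Console.msc").write_text("<rogue console/>")
    (root / "Tools" / "Other.msc").write_text("<clean console/>")
    return find_msc_shadows(str(root))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['shadow']} shadows {hit['clean']} "
              f"(identical={hit['same_content']})")
```

Run it against a directory that holds console files; a hit whose `same_content` is False is the case to triage.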
Trend Micro’s analysis revealed multiple methods EncryptHub used to deploy its payloads, further enhancing the effectiveness of the attack.
EncryptHub’s malware variants, such as EncryptHub Stealer and the backdoors DarkWisp and SilentPrism, were specifically designed to exfiltrate sensitive data. The attack chain typically began with the victim downloading a digitally signed Microsoft installer impersonating legitimate software such as DingTalk or QQTalk. Once the MSI file was executed, it fetched the MSC EvilTwin loader from a remote server to continue the malware’s execution. This technique was first observed in April 2024 and has been continuously developed to refine the attack.
The campaign’s goal was to maintain persistence on infected systems and exfiltrate stolen data to the attackers’ command-and-control servers. Trend Micro highlighted that EncryptHub was experimenting with various delivery methods, employing custom payloads tailored to its objectives. The evolving nature of the attack suggests that the threat actor is actively refining and deploying more advanced methods to evade detection and achieve its goals.