EncryptHub linked to MMC zero-day attacks on Windows systems – BleepingComputer

A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.

Uncovered by Trend Micro staff researcher Aliakbar Zahravi, this security feature bypass (dubbed 'MSC EvilTwin' and now tracked as CVE-2025-26633) resides in how MSC files are handled on vulnerable devices.

Attackers can leverage the vulnerability to evade Windows file reputation protections and execute code because the user is not warned before loading unexpected MSC files on unpatched devices.

"In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file," Microsoft explains in an advisory issued during this month's Patch Tuesday. "In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability."

In attacks spotted by Trend Micro's researchers before reporting the flaw to Microsoft, EncryptHub (also known as Water Gamayun or Larva-208) used CVE-2025-26633 zero-day exploits to execute malicious code and exfiltrate data from compromised systems.

Throughout this campaign, the threat actor has deployed multiple malicious payloads linked to previous EncryptHub attacks, including the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, Stealc, Rhadamanthys stealer, and the PowerShell-based MSC EvilTwin trojan loader.

"In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems," Zahravi said in a report published on Tuesday.

"This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers' command-and-control (C&C) servers."

While analyzing these attacks, Trend Micro has also found an early version of this technique used in an April 2024 incident.

Cyber threat intelligence company Prodaft has previously linked EncryptHub to breaches of at least 618 organizations worldwide following spear-phishing and social engineering attacks.

EncryptHub also deploys ransomware payloads to encrypt victims' files after stealing sensitive files as an affiliate of the RansomHub and BlackSuit ransomware operations.

This month, Microsoft also patched a zero-day vulnerability (CVE-2025-24983) in the Windows Win32 Kernel Subsystem, which had been exploited in attacks since March 2023.

Comments

"zero-day attacks on Windows systems [..] exploiting a Microsoft Management Console vulnerability patched this month".

LOL, please look up what 0day means.

"Windows zero-day attacks" means they were exploited when it was a zero-day, not that it still is one.