Security Affairs reports that the threat actor EncryptHub has been leveraging a patched Windows flaw, CVE-2025-26633 ("MSC EvilTwin"), through the deployment of rogue MSC files and social engineering tactics to distribute malware.
EncryptHub, known for targeting Web3 developers, utilized social engineering alongside the exploitation of the Microsoft Management Console vulnerability to execute malicious .msc files. The attack involved a multi-stage process, starting with fake IT messages on Microsoft Teams, followed by the deployment of malicious files exploiting the MSC EvilTwin flaw. The attacker's activities have affected at least 618 organizations globally, showcasing a blend of technical exploitation and social engineering to bypass security defenses.
The EncryptHub campaign highlights the evolving tactics of threat actors and underscores the need for robust cybersecurity measures. Researchers identified new tools, including SilentCrystal and a Golang SOCKS5 backdoor, that show EncryptHub shifting towards stealthier and more resilient methods. As the threat landscape evolves, organizations must prioritize layered defense strategies, threat intelligence, and user awareness training to effectively combat emerging threats like EncryptHub.
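The summary above describes a chain in which a user is talked into opening a rogue .msc console file that the Microsoft Management Console (mmc.exe) then loads. One practical defender-side check is to triage process-creation telemetry for mmc.exe launches whose .msc argument lives outside the directories where console files are normally installed. The script below is an added example written for this page, not code from Security Affairs or from the researchers it cites; the pipe-delimited event format, the sample log lines, and the trusted-directory list are constructed assumptions that would be adapted to a real EDR or Sysmon export.

```python
"""Triage helper: flag process-creation events where mmc.exe (the Microsoft
Management Console binary) opened a .msc file from a user-writable location.

Added illustration for the EncryptHub / MSC EvilTwin summary. The event format
and log lines below are constructed for the example, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: installed console files live under these prefixes. A .msc loaded
# from anywhere else (Downloads, Temp, AppData, a chat client's cache) is
# worth a closer look. Tune this list for your estate.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed event shape: timestamp|host|user|image_path|command_line
LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$"
)

# Constructed sample events: one benign services.msc launch, two launches of
# .msc files from user-writable paths, and one unrelated process.
SAMPLE_EVENTS = [
    "2025-03-26T10:02:11Z|WS-042|corp\\alice|C:\\Windows\\System32\\mmc.exe|"
    "\"C:\\Windows\\System32\\mmc.exe\" \"C:\\Windows\\System32\\services.msc\"",
    "2025-03-26T10:05:43Z|WS-042|corp\\alice|C:\\Windows\\System32\\mmc.exe|"
    "\"C:\\Windows\\System32\\mmc.exe\" \"C:\\Users\\alice\\Downloads\\IT Update.msc\"",
    "2025-03-26T10:06:00Z|WS-017|corp\\bob|C:\\Windows\\explorer.exe|explorer.exe",
    "2025-03-26T10:07:15Z|WS-017|corp\\bob|C:\\Windows\\System32\\mmc.exe|"
    "mmc.exe C:\\Users\\bob\\AppData\\Local\\Temp\\helpdesk.msc",
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    msc_path: str
    reason: str


def parse_event(line: str) -> Optional[dict]:
    """Split one pipe-delimited event into its fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def extract_msc_paths(cmd: str) -> List[str]:
    """Return every .msc argument on a command line, handling quoted paths
    with spaces as well as bare tokens."""
    quoted = [p for p in re.findall(r'"([^"]+)"', cmd) if p.lower().endswith(".msc")]
    remainder = re.sub(r'"[^"]*"', " ", cmd)
    bare = [t for t in remainder.split() if t.lower().endswith(".msc")]
    return quoted + bare


def is_trusted_path(path: str) -> bool:
    """True when the console file sits under an expected installation prefix."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def find_rogue_msc(lines: Iterable[str]) -> List[Finding]:
    """Yield a Finding for each mmc.exe launch of a .msc outside trusted dirs."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        # Match on the image basename so the check survives path casing/drive differences.
        if not ev["image"].lower().endswith("\\mmc.exe"):
            continue
        for msc in extract_msc_paths(ev["cmd"]):
            if not is_trusted_path(msc):
                findings.append(
                    Finding(ev["ts"], ev["host"], ev["user"], msc,
                            "mmc.exe loaded .msc from untrusted directory")
                )
    return findings


if __name__ == "__main__":
    for f in find_rogue_msc(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user}: {f.msc_path} ({f.reason})")
```

On the constructed sample the benign services.msc launch is ignored and the two launches from Downloads and Temp are reported. The directory allow-list is deliberately simple; in production it would be paired with the rest of the chain the summary mentions (an unsolicited Teams message shortly before the launch, and any child processes mmc.exe spawns), since a console file in a user directory is suspicious but not conclusive on its own.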
Source: Security Affairs