Newly emergent threat actor EncryptHub, also known as SkorikARI, was discovered to be engaging in vulnerability research, having been credited by Microsoft for the discovery of a pair of Windows security issues patched as part of last month's Patch Tuesday update, Security Affairs reports.
Vulnerabilities identified and reported by EncryptHub included the high-severity Windows Mark of the Web security feature bypass bug, tracked as CVE-2025-24061, and the medium-severity Windows File Explorer spoofing issue, tracked as CVE-2025-24071, according to a report from Outpost24's KrakenLabs Threat Intelligence Team. Further analysis by KrakenLabs revealed EncryptHub to be a Romania-based Ukrainian who, beginning last year after financial struggles and potential imprisonment, dabbled in vishing and ransomware attacks as well as vulnerability research. "[EncryptHub] has shown and proven a lot of talent finding vulnerabilities and will be a force to be reckoned with if he keeps improving and solving his most glaring weaknesses. That said, his malware, like most throughout history, is not invincible, and cautious users who follow basic security measures are unlikely to fall victim to it," said the report.
The operation, a collaboration between Poland's Cybercrime Bureau (CBZC) and U.S. agencies including the FBI and Homeland Security Investigations, targeted a group accused of breaching telecommunications partners and hijacking email accounts.
CL-STA-1062 employs a hybrid toolkit, combining open-source tools like SoftEther VPN, Mimikatz, and VNT with a newly discovered custom backdoor named TinyRCT.
STOCKSTAY, written in .NET and utilizing the Windows Forms framework, communicates with its command-and-control (C2) server via a secure WebSocket connection.