Full Report
The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC. "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload,
Analysis Summary
# Incident Report: EncryptHub Exploits Windows Zero-Day (CVE-2025-26633) for Malware Deployment
## Executive Summary
The threat actor known as EncryptHub (tracked as Water Gamayun/LARVA-208) exploited the zero-day vulnerability CVE-2025-26633 in Microsoft Management Console (MMC) to deliver various malware, including the Rhadamanthys stealer and StealC malware. The attack abuses the Multilingual User Interface Path (MUIPath) feature so that MMC executes a malicious `.msc` file, which is then used to steal sensitive data and maintain persistence. Microsoft addressed the vulnerability in March 2025; because it was exploited as a zero-day, the in-the-wild activity predates the fix and targeted systems that had not yet received it.
## Incident Details
- Discovery Date: March 2025 (Detection correlated with Trend Micro analysis timeframe)
- Incident Date: Occurred shortly before or around March 2025, utilizing a vulnerability fixed during the March Patch Tuesday.
- Affected Organization: Not explicitly disclosed; implied to be diverse targets susceptible to zero-day exploitation.
- Sector: General enterprise targets impacted by Windows vulnerabilities.
- Geography: Not specified, but the actor cluster (Water Gamayun) is suspected to be Russian.
## Timeline of Events
### Initial Access
- Date/Time: Prior to March 2025 Patch Tuesday.
- Vector: Exploitation of **CVE-2025-26633** (improper neutralization in Microsoft Management Console, MMC).
- Details: Attackers used the primary attack chain named **MSC EvilTwin**, which involves placing a malicious `.msc` file in a location consulted by the Multilingual User Interface Path (MUIPath) feature. When the legitimate `.msc` file is opened, `mmc.exe` inadvertently loads and executes the rogue counterpart of the same name located in a subdirectory named `en-US`.
### Lateral Movement
- Details: Not explicitly detailed in the excerpt; however, the deployment of information stealers (Rhadamanthys, StealC) implies subsequent reconnaissance and data collection on the compromised host after initial execution.
### Data Exfiltration/Impact
- Impact: Deployment of information stealers (Rhadamanthys, StealC) and backdoors, leading to the theft of sensitive data from infected systems.
### Detection & Response
- Detection Method: Analysis by Trend Micro researchers (Aliakbar Zahravi) who uncovered the exploit chain dubbed "MSC EvilTwin."
- Response Actions: Microsoft issued a patch for CVE-2025-26633 as part of its March 2025 Patch Tuesday update.
## Attack Methodology
- Initial Access: Exploitation of **CVE-2025-26633** via **MSC EvilTwin** leveraging MUIPath abuse to execute a malicious `.msc` file via `mmc.exe`.
- Persistence: Not detailed, but malware deployment implies mechanisms for maintaining access.
- Privilege Escalation: Alternative methods noted include using the `ExecuteShellCommand` method in MMC, or abusing mocked trusted directories (e.g., `C:\Windows \System32`, note the trailing space after `Windows`) to drop `WmiMgmt.msc` and bypass UAC.
- Defense Evasion: Abuse of legitimate system functions (`mmc.exe` and MUIPath) to execute code without victim knowledge.
- Credential Access: Deployment of the **Rhadamanthys** information stealer.
- Discovery: Implied stages of reconnaissance post-initial execution.
- Lateral Movement: Not specified.
- Collection: Use of **Rhadamanthys** and **StealC** malware families for sensitive data gathering.
- Exfiltration: Implied, following successful data collection.
- Impact: Installation of backdoors, information stealers, and data theft.
## Impact Assessment
- Financial: Unknown.
- Data Breach: Sensitive data theft suspected due to the use of information stealers (Rhadamanthys, StealC).
- Operational: Potential disruption from backdoors and malware presence on systems.
- Reputational: Dependent on organizational disclosure, but exploitation of a widely used Windows component carries high reputational risk.
## Indicators of Compromise
- Network Indicators (Defanged): N/A (Specific C2 details not provided in the scope).
- File Indicators: Malicious `.msc` files dropped, potentially named and placed strategically (e.g., alongside clean counterparts of the same name, in a locale subdirectory such as `en-US`).
- Behavioral Indicators: Execution of `mmc.exe` loading malicious `.msc` files, abuse of MUIPath lookup mechanism.
## Response Actions
- Containment: Immediate application of Microsoft's patch for **CVE-2025-26633**.
- Eradication: Identification and removal of deployed malware families (Rhadamanthys, StealC) and associated persistence mechanisms across affected hosts.
- Recovery: System hardening and potential forensic analysis of systems where the execution chain was successfully initiated.
## Lessons Learned
- Lesson Learned: Zero-day exploitation, even against components like MMC, remains a high-value target for sophisticated threat actors like EncryptHub.
- Lesson Learned: Attackers are actively abusing established system features, such as MUIPath, to execute arbitrary code under the guise of legitimate processes.
- What could have been done better: Organizations must prioritize the immediate application of security patches, especially those the vendor identifies as critical or as actively exploited in the wild, even before technical details of the exploit are publicly disclosed.
## Recommendations
- Patch Management: Immediately apply Microsoft's Patch Tuesday updates addressing **CVE-2025-26633**.
- Monitoring: Enhance endpoint detection rules to specifically monitor unusual execution flows involving `mmc.exe` loading `.msc` files, especially when the `.msc` is loaded from a non-standard directory, from a locale subdirectory such as `en-US` (implying MUIPath manipulation), or from a path that mimics a trusted system directory.
- Defense in Depth: Implement application control measures to restrict scripts or payloads launched by management consoles (e.g., shells spawned as child processes of `mmc.exe`) unless strictly necessary and whitelisted.
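The following is an added example, not part of the original report or of Trend Micro's analysis, showing how the behavioral indicators and the monitoring recommendation above can be turned into concrete hunting logic. It runs four heuristic rules over process-creation records laid out in a Sysmon-like shape (`Image`, `CommandLine`, `ParentImage`): an `.msc` loaded from a locale subdirectory such as `en-US` (the MSC EvilTwin pattern), an `.msc` loaded from outside `C:\Windows\System32`, a path segment with trailing whitespace (a mocked trusted directory such as `C:\Windows \System32`), and a shell spawned as a child of `mmc.exe`. The event records, paths and rule names are constructed sample values, and the locale-directory regex is a heuristic assumption rather than MMC's actual lookup logic.

```python
import re
from typing import Dict, List

# Heuristic for locale directory names consulted through MUIPath ("en-US", "de-DE", "zh-Hans").
LOCALE_DIR = re.compile(r"^[a-z]{2}-[A-Za-z]{2,4}$")
# Built-in consoles ship from here; an .msc loaded from anywhere else is non-standard.
STANDARD_MSC_DIR = r"c:\windows\system32"
# Interpreters that should rarely be children of the management console.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Quoted or unquoted arguments ending in .msc on a Windows command line.
MSC_ARG = re.compile(r'"([^"]*?\.msc)"|(\S+?\.msc)(?=\s|$)', re.IGNORECASE)


def msc_paths(command_line: str) -> List[str]:
    """Return every .msc path referenced on a command line."""
    return [quoted or bare for quoted, bare in MSC_ARG.findall(command_line)]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(evt: Dict[str, str]) -> List[str]:
    """Apply the four rules to one process-creation record; return the rule hits."""
    findings: List[str] = []
    image = basename(evt.get("Image", ""))
    parent = basename(evt.get("ParentImage", ""))

    if image == "mmc.exe":
        for path in msc_paths(evt.get("CommandLine", "")):
            parts = path.replace("/", "\\").split("\\")
            dir_parts = parts[:-1]
            directory = "\\".join(dir_parts).lower()
            # Rule 1: .msc sitting in a locale subdirectory (MUIPath abuse).
            if any(LOCALE_DIR.match(p) for p in dir_parts):
                findings.append(f"msc_loaded_from_mui_locale_dir:{path}")
            # Rule 2: a path segment with trailing whitespace, e.g. "C:\Windows \System32".
            if any(p != p.rstrip() for p in dir_parts):
                findings.append(f"mocked_trusted_directory:{path}")
            # Rule 3: .msc loaded from outside the standard System32 location.
            if directory != STANDARD_MSC_DIR and not directory.startswith(STANDARD_MSC_DIR + "\\"):
                findings.append(f"msc_outside_system32:{path}")

    # Rule 4: a script host or shell launched by the management console.
    if parent == "mmc.exe" and image in SHELLS:
        findings.append(f"shell_spawned_by_mmc:{image}")

    return findings


def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of every event that tripped at least one rule to its findings."""
    hits: Dict[int, List[str]] = {}
    for i, evt in enumerate(events):
        findings = analyze_event(evt)
        if findings:
            hits[i] = findings
    return hits


# Constructed sample records (not real telemetry): one benign launch and three suspicious ones.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\WmiMgmt.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\bob\Downloads\en-US\WmiMgmt.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows \System32\WmiMgmt.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hello",
     "ParentImage": r"C:\Windows\System32\mmc.exe"},
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

Rule 3 will also fire on legitimately saved custom consoles in user profiles, so treat it as a low-severity enrichment and let rules 1, 2 and 4 carry the alerting weight; in production the records would come from Sysmon Event ID 1 or an equivalent EDR process-creation feed rather than the inline list.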