Full Report
A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month. [...]
Analysis Summary
# Threat Actor: EncryptHub (Water Gamayun / Larva-208)
## Attribution & Identity
* **Identified as:** EncryptHub.
* **Known Aliases:** Water Gamayun, Larva-208.
* **Associations:** Has been linked to deploying ransomware payloads as an affiliate of the **RansomHub** and **BlackSuit** ransomware operations.
## Activity Summary
EncryptHub is actively engaged in sophisticated campaigns, including the use of zero-day exploits against Windows systems. Recently observed activity involved exploiting **CVE-2025-26633** to execute malicious code and exfiltrate data. The group's tooling is under active development, with multiple delivery methods and custom payloads in use. An earlier version of this operational technique was observed in an April 2024 incident. Previously, Prodaft linked EncryptHub to breaches of at least 618 organizations globally, carried out through spear-phishing and social engineering. The group steals sensitive files before deploying ransomware.
## Tactics, Techniques & Procedures
* **Exploitation of Zero-Days:** Actively exploiting unpatched vulnerabilities, such as **CVE-2025-26633** (Windows zero-day) and a vulnerability in the Windows Win32 Kernel Subsystem (**CVE-2025-24983**, exploited since March 2023).
* **File Manipulation for Execution/Persistence:** Manipulates `.msc` files and the Multilingual User Interface Path (**MUIPath**) to download and execute malicious payloads, maintain persistence, and steal data.
* **Delivery:** Employs spear-phishing and social engineering attacks.
* **Data Theft:** Focuses on stealing sensitive data before encryption.
* **Payload Deployment:** Deploys ransomware payloads post-exfiltration.
* **MITRE ATT&CK IDs:** Not explicitly listed in the text, but the described actions map to:
  * Exploitation for Client Execution (T1203) or Exploit Public-Facing Application (T1190) via zero-day use.
  * Phishing (T1566) for delivery and Command and Scripting Interpreter (T1059) for execution via manipulated files.
  * Credential Access / Exfiltration (T1003, T1041).
## Targeting
* **Sectors:** Not explicitly detailed, but the number of victims (618 organizations) suggests broad targeting across many sectors rather than a narrow vertical focus.
* **Geography:** Worldwide (618 organizations breached globally).
* **Victims:** At least 618 organizations linked to previous breaches.
## Tools & Infrastructure
* **Malware Families Used:**
  * EncryptHub stealer
  * DarkWisp backdoor
  * SilentPrism backdoor
  * Stealc
  * Rhadamanthys stealer
  * PowerShell-based MSC EvilTwin trojan loader
* **Infrastructure (C2, domains, IPs):** C&C servers were used for exfiltrating stolen data. No specific URLs or IPs were provided in the text.
## Implications
EncryptHub poses a significant threat due to its proactive exploitation of zero-day vulnerabilities, allowing for initial access and code execution before patches are available. Their operational model combines extensive data exfiltration with subsequent ransomware deployment (as an affiliate), indicating a high-impact financial motive. The use of file manipulation techniques for persistence suggests a focus on long-term compromise.
## Mitigations
* Deploy security patches promptly, especially immediately upon disclosure of Windows kernel or subsystem vulnerabilities (such as CVE-2025-26633 and CVE-2025-24983).
* Implement strong endpoint detection and response (EDR) capabilities that can detect file system manipulation involving `.msc` files or MUIPath, and flag resulting unexpected executions.
* Strengthen defenses against social engineering and spear-phishing, as these remain key initial access vectors for the group.
* Monitor for known Indicators of Compromise (IOCs) associated with the specific payloads they deploy (Stealc, Rhadamanthys, DarkWisp, etc.).
* Ensure strict controls over PowerShell usage and script execution environments.
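As an added, illustrative example of the EDR-style detection logic the mitigations call for (this is not code from the original report or from any vendor product): a Python triage over constructed, Sysmon-style process-creation records that flags `mmc.exe` loading a `.msc` console file from a user-writable directory, from a locale-named subfolder (the assumption here being that MUIPath abuse involves a copy of a console file under a folder such as `en-US`), or with a scripting host as its parent process. The field names, sample paths and heuristics are assumptions chosen for the example.

```python
"""Heuristic triage of process-creation events for suspicious Microsoft
Management Console launches (mmc.exe loading .msc files).

Assumptions (not from the original report): Sysmon-like field names
(Image, CommandLine, ParentImage); MUIPath abuse is approximated by a
locale-named directory such as en-US in the .msc path.
"""
from __future__ import annotations

import re

# Quoted or unquoted argument ending in .msc on the mmc.exe command line.
MSC_ARG = re.compile(r'"([^"]+?\.msc)"|(\S+?\.msc)(?=\s|$)', re.IGNORECASE)
# Directory fragments that an unprivileged user can normally write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
# Locale-style folder name, e.g. en-US or de-DE (assumed MUIPath indicator).
LOCALE_DIR = re.compile(r"^[a-z]{2}-[A-Za-z]{2,4}$")
# Parents that indicate a scripted rather than interactive launch.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\compmgmt.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\AppData\Local\Temp\invoice\WmiMgmt.msc"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice\setup.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\report\en-US\WmiMgmt.msc"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Return the lower-cased last path component."""
    return path.lower().rsplit("\\", 1)[-1]


def extract_msc_path(command_line: str) -> str | None:
    """Return the first .msc argument on the command line, or None."""
    m = MSC_ARG.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(hint in low for hint in USER_WRITABLE_HINTS)


def has_locale_component(path: str) -> bool:
    """True if any directory component (not the file name) looks like a locale."""
    components = path.split("\\")[:-1]
    return any(LOCALE_DIR.match(c) for c in components)


def score_event(event: dict) -> list[str]:
    """Return the list of reasons an mmc.exe launch looks suspicious (empty if benign)."""
    if basename(event.get("Image", "")) != "mmc.exe":
        return []
    msc = extract_msc_path(event.get("CommandLine", ""))
    if msc is None:
        return []
    reasons: list[str] = []
    if is_user_writable(msc):
        reasons.append("msc-in-user-writable-path")
    if has_locale_component(msc):
        reasons.append("msc-under-locale-subfolder")
    if basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
        reasons.append("scripting-host-parent")
    return reasons


def triage(events: list[dict]) -> list[dict]:
    """Collect alerts for every event that scores at least one reason."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            alerts.append({"msc": extract_msc_path(ev["CommandLine"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['msc']}: {', '.join(alert['reasons'])}")
```

The benign `compmgmt.msc` launch from `explorer.exe` produces no alert, while the two launches from user-writable locations are flagged, with the locale-subfolder and scripting-host reasons stacking on the third event. In a real deployment the hints would be tuned to the environment's software baseline, and an alert would be enriched with the hash and signer of the `.msc` file rather than acted on from the path alone.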