Full Report
A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a "conflicted" individual straddling a legitimate career in cybersecurity and pursuing cybercrime. In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the up-and-coming
Analysis Summary
# Threat Actor: EncryptHub
## Attribution & Identity
* **Primary Identifier:** EncryptHub
* **Known Aliases/Usernames:** LARVA-208, Water Gamayun, SkorikARI (used when disclosing vulnerabilities to Microsoft).
* **Attribution Details:** Assessed to be a likely lone wolf actor, originating from Kharkov, Ukraine, who relocated near the Romanian coast approximately 10 years ago. The actor demonstrated conflicting behavior by discovering and reporting two security flaws to Microsoft while simultaneously engaging in cybercrime. Analysis suggests the activity of a single individual, though potential collaboration or assistance is noted.
## Activity Summary
* **Timeline:** Estimated cybercriminal activity began around March 2024. The actor's overall activity briefly ceased around early 2022 (coinciding with the Russo-Ukrainian War onset), possibly due to incarceration, and resumed later.
* **Recent Campaigns (Mid-2024 onwards):**
    * Leveraged a bogus WinRAR site to distribute malware hosted on a GitHub repository named "encrypthub."
    * Recently attributed to the zero-day exploitation of CVE-2025-26633 (MSC EvilTwin) in Microsoft Management Console to deliver information stealers and backdoors (SilentPrism and DarkWisp).
* **Historical Activities:** The actor's earlier cybercrime venture included deploying the Fickle Stealer malware. Estimated to have compromised over 618 high-value targets across multiple industries in the last nine months of operation (as of the article date).
## Tactics, Techniques & Procedures
* **Exploitation:** Exploitation of Microsoft vulnerabilities, including those the actor reported and/or used:
    * **CVE-2025-24061**: Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability.
    * **CVE-2025-24071**: Microsoft Windows File Explorer Spoofing Vulnerability.
    * **CVE-2025-26633 (MSC EvilTwin)**: Zero-day exploitation of Microsoft Management Console.
* **Malware Deployment:** Distribution campaigns utilizing misleading sites (e.g., bogus WinRAR site) linked to GitHub repositories.
* **Development Aid:** Extensively relied on OpenAI's ChatGPT for malware development, translation of communications, and even as an outlet for confession about their activities.
* **Operational Security (OpSec) Failures:** Exposed infrastructure and activity through poor OpSec, including password reuse and mixing personal/criminal infrastructure (a domain linked to freelance work was also linked to cybercrime campaigns).
## Targeting
* **Sectors:** Multiple industries; an estimated 618 high-value targets compromised over nine months.
* **Geography:** Not explicitly detailed for victims, but the actor is associated with Ukraine and currently resides near the Romanian coast.
* **Victims:** Over 618 high-value targets compromised.
## Tools & Infrastructure
* **Malware Families Used:**
    * **Fickle Stealer:** Rust-based information stealer, claimed to bypass corporate AV systems where StealC or Rhadamanthys fail.
    * **EncryptRAT:** A product that integrates Fickle Stealer.
    * **SilentPrism:** Undocumented backdoor.
    * **DarkWisp:** Undocumented backdoor.
* **Infrastructure:**
    * GitHub repository named "encrypthub."
    * Domains linked to both the actor's legitimate freelance work and criminal campaigns.
## Implications
EncryptHub represents a technically sophisticated, yet operationally flawed, emerging threat actor. Their willingness to exploit zero-day vulnerabilities and develop novel malware (like Fickle Stealer) suggests a high potential for future impact. The actor's ability to use AI tools (ChatGPT) for development accelerates their pace, but reliance on poor operational security practices remains their critical vulnerability, potentially leading to their exposure or providing intelligence opportunities.
## Mitigations
* Immediate remediation and patching for all disclosed Microsoft vulnerabilities (CVE-2025-24061, CVE-2025-24071, CVE-2025-26633).
* Heightened vigilance against social engineering related to software updates or popular utilities (e.g., bogus WinRAR sites).
* Implement strong operational security hygiene across all organizational departments to prevent the leakage of internal infrastructure details that could be leveraged by threat actors.