A newly identified threat actor, EncryptHub, has been implicated in a series of Windows zero-day attacks that exploit a recently patched vulnerability in the Microsoft Management Console (MMC). This vulnerability, referred to as ‘MSC EvilTwin’ and cataloged as CVE-2025-26633, was uncovered by Trend Micro’s staff researcher, Aliakbar Zahravi. The flaw lies in how vulnerable devices handle MSC files, allowing attackers to bypass Windows file reputation protections.
Exploitation Techniques
Attackers can leverage this vulnerability to execute code on unpatched systems when an unexpected MSC file is loaded, without any warning being shown to the user. Microsoft elaborates on the potential exploitation scenarios in an advisory released during this month’s Patch Tuesday. In an email attack scenario, an attacker could send a specially crafted MSC file to a user and persuade them to open it. In a web-based attack scenario, an attacker could host a malicious website, or compromise an existing one, to deliver the exploit.
Trend Micro’s research has revealed that EncryptHub, also known as Water Gamayun or Larva-208, has utilized CVE-2025-26633 zero-day exploits to execute malicious code and extract data from compromised systems. This campaign has seen the deployment of various malicious payloads associated with prior EncryptHub operations, including the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, Stealc, Rhadamanthys stealer, and the PowerShell-based MSC EvilTwin trojan loader.
Zahravi noted in a report published on Tuesday that the threat actor manipulates .msc files along with the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, ensuring persistence and the theft of sensitive data from infected systems. He emphasized that this campaign is actively evolving, employing multiple delivery methods and custom payloads aimed at maintaining persistence while exfiltrating sensitive information to the attackers’ command-and-control (C&C) servers.
Historical Context and Broader Implications
Trend Micro’s analysis has also uncovered an early iteration of this technique used in an incident dating back to April 2024. Cyber threat intelligence firm Prodaft has previously linked EncryptHub to breaches affecting at least 618 organizations globally, primarily through spear-phishing and social engineering tactics. Furthermore, EncryptHub is known to deploy ransomware payloads to encrypt victims’ files after initially stealing sensitive information, acting as an affiliate of the RansomHub and BlackSuit ransomware operations.
In addition to addressing the MSC EvilTwin vulnerability, Microsoft has patched another zero-day vulnerability (CVE-2025-24983) in the Windows Win32 Kernel Subsystem, which has been exploited in attacks since March 2023.