EncryptHub, a notorious threat actor associated with intrusions at 618 organizations, reported two possible Windows zero-day vulnerabilities to Microsoft. This points to a double role for a group that moves between cybercrime and security research.
The reported vulnerabilities are CVE-2025-24061 (Mark of the Web bypass) and CVE-2025-24071 (File Explorer spoofing). Microsoft resolved both issues in the March 2025 Patch Tuesday updates and credited SkorikARI as the reporter. A new report from researchers at Outpost24 now links EncryptHub to SkorikARI. The link emerged after the threat actor reportedly infected itself with its own malware and exposed its login credentials.
This exposure enabled the researchers to connect the threat actor to various online accounts and build the profile of a person who alternates between cybersecurity research and cybercrime.
One of the exposed accounts is SkorikARI, which the hacker used to report the two aforementioned zero-day vulnerabilities to Microsoft, contributing to Windows security.
Multiple sources of evidence
Hector Garcia, security analyst at Outpost24, told BleepingComputer that the link between SkorikARI and EncryptHub is based on multiple pieces of evidence, forming a high-confidence assessment.
According to Garcia, the strongest evidence is that the password files EncryptHub had exfiltrated from its own system contained accounts linked to both EncryptHub and SkorikARI. In addition, the data included a login to hxxps://github[.]com/SkorikJR, an account mentioned in the July Fortinet article about Fickle Stealer. A third confirmation of the link came from conversations with ChatGPT, which showed activities related to both EncryptHub and SkorikARI.
EncryptHub’s involvement in zero-days is nothing new. The threat actor, or one of its members, tried to sell zero-days to other cybercriminals on hacking forums. Outpost24 took a deeper dive into EncryptHub’s journey and stated that the hacker repeatedly switches between freelance development work and cybercriminal activities.
Hacker himself victim of poor security
Despite his apparent IT expertise, the hacker was reportedly the victim of his own poor security practices, which exposed his personal information. The exposed material includes evidence of the hacker's use of ChatGPT to develop malware and phishing websites, integrate third-party code, and investigate vulnerabilities.
The threat actor also had a deeper, personal involvement with OpenAI’s LLM chatbot. In one case, he described his achievements and asked the AI to categorize him as a cool hacker or malicious researcher.
Based on the input provided, ChatGPT assessed him as 40% black hat, 30% grey hat, 20% white hat, and 10% uncertain, reflecting a morally and practically conflicted individual.
The same conflict was reflected in his future planning on ChatGPT, where the hacker asked for help organizing a massive but harmless campaign that would affect tens of thousands of computers, for publicity.