EncryptHub, a figure of intrigue in the cybersecurity landscape, has been linked to breaches affecting 618 organizations. This notorious threat actor has recently made headlines by reportedly disclosing two Windows zero-day vulnerabilities to Microsoft, straddling the delicate line between cybercrime and security research.
The vulnerabilities in question, CVE-2025-24061 (Mark of the Web bypass) and CVE-2025-24071 (File Explorer spoofing), were addressed by Microsoft during the March 2025 Patch Tuesday updates. The company acknowledged the reporter as ‘SkorikARI with SkorikARI,’ adding a layer of complexity to the narrative surrounding this individual.
Source: Microsoft
Recent investigations by Outpost24 researchers have established a connection between EncryptHub and SkorikARI, following an incident where the threat actor inadvertently infected themselves, leading to the exposure of their credentials. This breach of personal security has allowed researchers to trace various online accounts back to a person who oscillates between the roles of a cybersecurity researcher and a cybercriminal.
Among the exposed accounts is SkorikARI, which was utilized to report the aforementioned zero-day vulnerabilities to Microsoft, thereby contributing to the enhancement of Windows security. Hector Garcia, a Security Analyst at Outpost24, shared insights with BleepingComputer, emphasizing the robustness of the evidence linking SkorikARI to EncryptHub. He stated, “The hardest evidence was from the fact that the password files EncryptHub exfiltrated from his own system had accounts linked to both EncryptHub, like credentials to EncryptRAT, which was still in development, or his account on xss.is, and to SkorikARI, like accesses to freelance sites or his own Gmail account.”
Garcia further elaborated, noting a login to a GitHub account associated with SkorikARI, which had been mentioned in previous discussions about the Fickle Stealer malware. The connection was further corroborated by conversations involving ChatGPT, where activities related to both EncryptHub and SkorikARI were evident.
EncryptHub’s engagement with zero-day vulnerabilities is not unprecedented; the threat actor has previously attempted to market such vulnerabilities to other cybercriminals on underground forums.
Source: BleepingComputer
Outpost24’s analysis of EncryptHub reveals a pattern of behavior in which the hacker repeatedly moves between freelance development work and cybercriminal activity. Despite possessing considerable IT skills, the individual practiced poor operational security, which is what led to the exposure of personal information.
The exposed material shows the hacker using ChatGPT to develop malware and phishing sites, integrate third-party code, and research vulnerabilities. The interactions with OpenAI’s language model also took a personal turn, with the individual seeking validation for their accomplishments and asking the AI to categorize their activities as either commendable or malicious.
In one instance, ChatGPT assessed the hacker’s activities as 40% black hat, 30% grey hat, 20% white hat, and 10% uncertain, encapsulating the moral ambiguity that defines this individual. This internal conflict is further reflected in the hacker’s future aspirations, where they sought assistance from ChatGPT to orchestrate a large-scale yet “harmless” campaign aimed at impacting tens of thousands of computers for publicity.
Source: Outpost24
Who is EncryptHub
EncryptHub is believed to have loose affiliations with ransomware groups, including RansomHub and BlackSuit operations. Recently, however, the threat actor has gained notoriety for executing various social engineering campaigns, phishing attacks, and developing a custom PowerShell-based infostealer known as Fickle Stealer.
The threat actor’s tactics also involve creating fictitious social media profiles and websites for non-existent applications. For instance, researchers uncovered an X account and website for a project management application dubbed GartoriSpace.
Source: BleepingComputer
The website was promoted through private messages on social media platforms, which supplied a code required to download the software. Users who downloaded it instead received malicious files: on Windows, a PPKG (Windows provisioning package) file carrying Fickle Stealer, and on macOS, the AMOS (Atomic macOS Stealer) information-stealer.
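A practitioner triaging a host that may have run one of these lures would want to know whether any provisioning packages were downloaded and applied. The PowerShell below is an added example, not code from the article or from Outpost24: it looks for .ppkg files in a couple of assumed locations, reports whether each still carries the Mark of the Web (the Zone.Identifier alternate data stream that Windows attaches to internet downloads), and lists provisioning packages already applied on the machine via the built-in Provisioning module. The search paths are assumptions; adjust them for the host being examined.

```powershell
# Added triage example (not from the article or Outpost24). Assumed search roots:
# adjust for the host being checked.
$searchRoots = @("$env:USERPROFILE\Downloads", "$env:TEMP")

foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }

    Get-ChildItem -Path $root -Filter '*.ppkg' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The Zone.Identifier stream is the Mark of the Web. A file fetched from the
            # internet normally carries ZoneId=3; a .ppkg with no stream either arrived by a
            # path that never set it or had it stripped, which is exactly what a MotW bypass
            # achieves, so either case deserves a closer look.
            $zone = Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $motw = if ($zone) {
                (Get-Content -Path $_.FullName -Stream Zone.Identifier) -join ' '
            } else {
                '(none)'
            }

            [pscustomobject]@{
                File         = $_.FullName
                SizeBytes    = $_.Length
                Created      = $_.CreationTime
                MarkOfTheWeb = $motw
            }
        }
}

# Provisioning packages already applied on this host (Provisioning module, Windows 10+).
# Any package you did not deploy yourself is worth investigating; Uninstall-ProvisioningPackage
# removes one by its PackageId once you have confirmed it is unwanted.
Get-ProvisioningPackage -AllInstalledPackages -ErrorAction SilentlyContinue | Format-List
```

Run it in an elevated PowerShell session so the provisioning query can read the full list; the file search itself needs no special rights. A .ppkg with no Mark of the Web does not prove compromise on its own, but combined with an applied package the user does not recognize it is a strong lead.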
Additionally, EncryptHub has been implicated in attacks exploiting a Microsoft Management Console vulnerability tracked as CVE-2025-26633. Microsoft patched that flaw in March as well, but credited its discovery to Trend Micro rather than to the threat actor.
Overall, EncryptHub’s campaigns appear to be yielding results, with reports indicating that the threat actor has successfully compromised over six hundred organizations.