🚨 Breaking Cyber Intelligence: EncryptHub Hits with MSC EvilTwin Exploit 🚨

Who: Russian-linked EncryptHub (aka LARVA-208 / Water Gamayun)
What: Exploiting Windows MMC flaw CVE-2025-26633 (“MSC EvilTwin”) to deploy Fickle Stealer, an advanced PowerShell-based info stealer.

How they attack:

  1. Initiate contact via fake IT Microsoft Teams request.

  2. Victim accepts → attacker runs runner.ps1, exploiting EvilTwin by dropping two .msc files (one genuine, one malicious) in the MUIPath.

  3. Launching the legitimate .msc triggers execution of the rogue one, which activates C2 communication via AES-encrypted PowerShell commands.

  4. Payloads include:

Why it matters (CyberDudeBivash take):

  • Attackers successfully blend social engineering + zero-day exploitation.

  • Use of trusted internal tools and legitimate platforms (Teams, Elite MMC, Brave Support) makes detection extremely difficult.

  • Fickle Stealer’s fake web traffic masking makes network detection even more elusive.

  • Highlights the urgent need to defend not only endpoints but also the tools, platforms, and protocols they depend on.

Defense by CyberDudeBivash:

  1. Patch now: Ensure CVE-2025-26633 is remediated across all Windows systems.

  2. Harden MMC paths: Allow only whitelisted .msc consoles to execute, and remove unexpected MUIPath entries.

  3. Teams access hygiene: Disable unsanctioned remote requests; verify all internal prompt-based sessions.

  4. Endpoint analytics: Hunt for stealthy execution patterns, PowerShell that decrypts AES-encrypted commands, and anomalous mmc.exe child-process execution.

  5. Honeytoken deployment: Use decoy .msc files in MUIPaths to detect tampering or lateral movement early.
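To make steps 2 and 4 concrete, here is an added hunting example (written for this page, not CyberDudeBivash's or any vendor's code). It runs two checks over a constructed list of Sysmon-style events: mmc.exe spawning a scripting host, and a .msc file written into a language-tag folder (such as en-US) that has a same-named twin one directory up, the layout described in the attack chain above. The event field names, the culture-folder naming convention, and the sample events are all assumptions for illustration; map them to your own telemetry schema.

```python
"""Hunt for MSC EvilTwin-style activity in process-creation and file-write events.
Added example, not from the original post. Event dicts mimic Sysmon fields but the
exact schema (event, image, parent_image, command_line, target_path) is assumed."""
import re
import ntpath
from collections import defaultdict

# Processes mmc.exe has no routine reason to launch (assumption: tune per environment)
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                       "rundll32.exe", "mshta.exe", "wscript.exe"}
# Language-tag folders such as en-US that MUI lookups consult (assumed naming pattern)
CULTURE_DIR = re.compile(r"^[a-z]{2,3}-[A-Za-z]{2,4}$")


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def is_msc_in_culture_dir(path):
    """True if `path` is a .msc file placed directly inside a language-tag folder."""
    if not path.lower().endswith(".msc"):
        return False
    parent_dir = ntpath.basename(ntpath.dirname(path))
    return bool(CULTURE_DIR.match(parent_dir))


def hunt(events):
    """Return a list of (rule_id, subject, detail) findings for the given events."""
    findings = []
    # (normalised directory, file name) -> every .msc path seen with that name
    msc_by_name = defaultdict(set)
    for e in events:
        kind = e.get("event")
        if kind == "ProcessCreate":
            # Rule 1: mmc.exe is a console host; it should not be spawning shells
            if (basename(e.get("parent_image", "")) == "mmc.exe"
                    and basename(e.get("image", "")) in SUSPICIOUS_CHILDREN):
                findings.append(("MMC_SPAWNS_SHELL", e["image"], e.get("command_line", "")))
        elif kind == "FileCreate":
            target = e.get("target_path", "")
            if not target.lower().endswith(".msc"):
                continue
            directory = ntpath.dirname(target)
            if is_msc_in_culture_dir(target):
                # Rule 2: a console dropped into a MUI language folder
                findings.append(("MSC_IN_MUI_DIR", target, e.get("image", "")))
                # Normalise to the parent directory so the genuine/twin pair collides
                directory = ntpath.dirname(directory)
            msc_by_name[(directory.lower(), basename(target))].add(target)
    # Rule 3: the same .msc name present both in a folder and in its MUI subfolder
    for (_, name), paths in msc_by_name.items():
        if len(paths) > 1:
            findings.append(("MSC_EVILTWIN_PAIR", name, "; ".join(sorted(paths))))
    return findings


# Constructed sample telemetry: one benign console launch, the dual .msc drop,
# the resulting PowerShell child, and a benign non-shell child.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\mmc.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\WF.msc'},
    {"event": "FileCreate", "image": PS,
     "target_path": r"C:\Windows\System32\WF.msc"},
    {"event": "FileCreate", "image": PS,
     "target_path": r"C:\Windows\System32\en-US\WF.msc"},
    {"event": "ProcessCreate", "image": PS,
     "parent_image": r"C:\Windows\System32\mmc.exe",
     "command_line": "powershell.exe -NoProfile -EncodedCommand <constructed placeholder>"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\System32\mmc.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {subject} | {detail}")
```

Running the block on the sample events produces three findings: the .msc dropped into en-US, the genuine/twin pair sharing the name WF.msc, and powershell.exe launched by mmc.exe; the Explorer-launched console and the notepad child are ignored. Rule 3 is the one worth keeping even in environments where mmc.exe legitimately spawns scripts, because a same-named .msc pair straddling a MUI folder has no benign explanation.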


TL;DR: EncryptHub just demonstrated how a lethal combination, social engineering plus the EvilTwin vulnerability, can deliver stealer malware with surgical stealth. If your org hasn't patched and closely monitored MMC executions, you're already exposed.

For full, daily threat intel & battle-tested SOC defense guides, visit CyberDudeBivash — where we decode threats so defenders stay ahead.

#CyberDudeBivash #ThreatIntel #EncryptHub #MSC-EvilTwin #WindowsSecurity #Malware #Cybersecurity #SOCDefense