• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
encrypthub exploits windows zero day to deploy rhadamanthys and stealc malware

EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware

You are here: Home / General Cyber Security News / EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
March 26, 2025

The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC.

“In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems,” Trend Micro researcher Aliakbar Zahravi said in an analysis.

The vulnerability in question is CVE-2025-26633 (CVSS score: 7.0), described by Microsoft as an improper neutralization vulnerability in Microsoft Management Console (MMC) that could allow an attacker to bypass a security feature locally. It was fixed by the company earlier this month as part of its Patch Tuesday update.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


Cybersecurity

Trend Micro has given the exploit the moniker MSC EvilTwin, tracking the suspected Russian activity cluster under the name Water Gamayun. The threat actor, recently the subject of analyses by PRODAFT and Outpost24, is also called LARVA-208.

CVE-2025-26633, at its core, leverages the Microsoft Management Console framework (MMC) to execute a malicious Microsoft Console (.msc) file by means of a PowerShell loader referred to as MSC EvilTwin loader.

Specifically, it involves the loader creating two .msc files with the same name: One clean file and its rogue counterpart that is dropped in the same location but within a directory named “en-US.” The idea is that when the former is run, MMC inadvertently picks the malicious file instead and executes it. This is accomplished by exploiting MMC’s Multilingual User Interface Path (MUIPath) feature.

Windows Zero-Day

“By abusing the way that mmc.exe uses MUIPath, the attacker can equip MUIPath en-US with a malicious .msc file, which cause the mmc.exe load this malicious file instead of the original file and executed without the victim’s knowledge,” Zahravi explained.

EncryptHub has also been observed adopting two other methods to run malicious payload on an infected system using .msc files –

  • Using the ExecuteShellCommand method of MMC to download and execute a next-stage payload on the victim’s machine, an approach previously documented by Dutch cybersecurity company Outflank in August 2024
  • Using mock trusted directories such as “C:\Windows \System32” (note the space after Windows) to bypass User Account Control (UAC) and drop a malicious .msc file called “WmiMgmt.msc”

Cybersecurity

Trend Micro said the attack chains likely begin with victims downloading digitally-signed Microsoft installer (MSI) files impersonating legitimate Chinese software like DingTalk or QQTalk, which is then used to fetch and execute the loader from a remote server. It’s said that the threat actor has been experimenting with these techniques since April 2024.

“This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers’ command-and-control (C&C) servers,” Zahravi said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Previous Post: «redcurl shifts from espionage to ransomware with first ever qwcrypt deployment RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment
Next Post: New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations new sparrowdoor backdoor variants found in attacks on u.s. and»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)
  • PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution
  • Securing Data in the AI Era
  • Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild
  • Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads
  • Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord
  • Four Arrested in £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • What Security Leaders Need to Know About AI Governance for SaaS

Copyright © TheCyberSecurity.News, All Rights Reserved.