EncryptHub Exploits Windows Flaw, Abuses Brave Support to Deploy Fickle Stealer
- John Jordan
- Aug 18
A sophisticated cybercrime campaign orchestrated by the threat actor EncryptHub has been uncovered, leveraging a critical Windows vulnerability (CVE-2025-26633, dubbed MSC EvilTwin) to deploy the Fickle Stealer malware. The attackers are employing social engineering tactics, including impersonating IT support via Microsoft Teams, and are abusing legitimate platforms like Brave Support to host their malicious payloads, demonstrating a significant evolution in their attack methods.

EncryptHub's Evolving Tactics
EncryptHub, also known as LARVA-208 or Water Gamayun, is a financially motivated Russian hacking group that has been active since mid-2024. They have a history of targeting Web3 developers and gaming platforms like Steam. Their latest campaign showcases a shift towards more stealthy and resilient tactics, moving from PowerShell-based loaders to Golang-compiled binaries like SilentCrystal. This new loader abuses the Brave Support platform to host malware, creating fake Windows directories to evade detection.
Key Takeaways
EncryptHub exploits the patched Windows vulnerability CVE-2025-26633 (MSC EvilTwin) to execute malicious .msc files.
The campaign uses social engineering, impersonating IT support via Microsoft Teams, to gain initial access.
Legitimate platforms like Brave Support are abused to host malware payloads, with attackers using privileged accounts for distribution.
The Fickle Stealer malware is deployed to steal sensitive information, including cryptocurrency wallets and browser data.
New tools like SilentCrystal (Golang loader) and a SOCKS5 backdoor highlight the group's move towards more sophisticated and evasive techniques.
Fake video conferencing platforms like RivaTalk are used to lure victims into downloading malicious installers.
The Attack Chain Detailed
The attack begins with fake IT support messages on Microsoft Teams, aiming to establish remote access. A PowerShell loader then fetches , which drops two .msc files. These files exploit the MSC EvilTwin vulnerability, allowing to load a malicious .msc file disguised as a legitimate one. This script then downloads and executes , which gathers system information, establishes persistence, and communicates with a command-and-control (C2) server to receive AES-encrypted commands, ultimately deploying Fickle Stealer.
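The chain above, and the fake Windows directories mentioned earlier, suggest a simple endpoint check: mmc.exe should normally open .msc consoles from system or Program Files locations, not from user-writable or look-alike "Windows" folders. The following triage logic is an added example, not code from the original article or from the cited research; the process events are constructed, the trusted-directory list and the PowerShell parent/child relationships are my assumptions about how such telemetry would look, not details the article states.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'},
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Users\alice\AppData\Local\Temp\WmiMgmt.msc'},
    {"image": r"C:\Windows\System32\mmc.exe", "parent": r"C:\Users\alice\Downloads\loader.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\ProgramData\Windows\en-US\compmgmt.msc'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\System32\mmc.exe",
     "cmdline": "powershell -nop -w hidden"},
]

# Assumed set of directories where .msc consoles legitimately live.
TRUSTED_MSC_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\program files", r"c:\program files (x86)")

# Quoted path (may contain spaces) or bare path ending in .msc
MSC_RE = re.compile(r'"([A-Za-z]:\\[^"]*?\.msc)"|([A-Za-z]:\\[^\s"]*?\.msc)\b', re.IGNORECASE)

def msc_arguments(cmdline):
    """Extract every .msc path passed on the command line."""
    return [m.group(1) or m.group(2) for m in MSC_RE.finditer(cmdline)]

def is_trusted_msc_path(path):
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_MSC_DIRS)

def looks_like_fake_windows_dir(path):
    """Heuristic (assumption): a directory named 'Windows' anywhere other than
    directly under the drive root is a staging look-alike, e.g. C:\\ProgramData\\Windows."""
    dirs = [d.lower() for d in PureWindowsPath(path).parts[1:-1]]
    return "windows" in dirs[1:]

def triage(event):
    """Return the list of reasons an event is suspicious; empty means benign."""
    reasons, image, parent = [], event["image"].lower(), event["parent"].lower()
    if image.endswith("\\mmc.exe"):
        for msc in msc_arguments(event["cmdline"]):
            if not is_trusted_msc_path(msc):
                reasons.append(f"mmc.exe loading .msc from untrusted path: {msc}")
            if looks_like_fake_windows_dir(msc):
                reasons.append(f".msc staged in look-alike Windows directory: {msc}")
        if parent.endswith("\\powershell.exe"):
            reasons.append("mmc.exe spawned by PowerShell")
    elif parent.endswith("\\mmc.exe") and image.endswith("\\powershell.exe"):
        reasons.append("PowerShell spawned by mmc.exe")
    return reasons

def triage_all(events):
    """Indices of events that produced at least one finding."""
    return [i for i, e in enumerate(events) if triage(e)]
```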
Abusing Trusted Platforms
Researchers also detailed EncryptHub's use of SilentCrystal, a Golang loader that leverages Brave Support to host its payloads. This involves uploading ZIP archives containing the malicious .msc files. The attackers appear to have obtained unauthorized access to accounts with upload permissions on the Brave Support platform, bypassing restrictions for new users. This tactic allows for stealthy distribution of their tools.
Advanced Tools and Techniques
Further analysis revealed other tools in EncryptHub's arsenal, including a Golang SOCKS5 backdoor that can operate in client or server mode. This backdoor exfiltrates system details via Telegram and establishes C2 infrastructure using TLS. The group also uses fake video conferencing platforms, such as RivaTalk, to trick victims into downloading MSI installers. These installers use a legitimate Symantec ELAM binary to sideload a malicious DLL, which then executes a PowerShell script to download and run further encrypted payloads, ensuring persistent C2 contact and masking activity with fake web traffic.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
EncryptHub abuses Brave Support in new campaign exploiting MSC EvilTwin flaw, Security Affairs.
Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware, The Hacker News.
EncryptHub Turns Brave Support Into a Dropper; MMC Flaw Completes the Run, GBHackers News.