A Russian cybercriminal group known as EncryptHub, also tracked as LARVA-208 and Water Gamayun, is actively exploiting a now-patched vulnerability in Microsoft Windows (CVE-2025-26633, nicknamed “MSC EvilTwin”) to spread malware, according to new findings from Trustwave SpiderLabs. The flaw was patched in March 2025, although reports of its exploitation have been emerging since February 2025.
The hackers combine social engineering with technical methods to bypass security controls. In the latest campaign, the threat actors have been sending Microsoft Teams requests to victims while posing as IT staff. Once contact is made, a malicious Microsoft Console (MSC) file is delivered to the victim’s system, and opening it installs malware.
That file downloads scripts that gather data, maintain control over the computer, and contact remote servers to download additional malware, including a known information-stealing tool called Fickle Stealer.
The group also uses a Go-based loader named SilentCrystal, which hosts infected files on Brave Support, a legitimate platform linked to the Brave browser. This suggests the attackers gained unauthorized access to an account with upload privileges.
Additionally, EncryptHub lures victims with fake video conferencing apps such as RivaTalk, which install malware disguised as legitimate software. To avoid detection, the malware blends into normal system activity, for example by generating fake browser traffic while it steals system data and gives the attackers full remote access.