EncryptHub Exploits Brave Support and MSC EvilTwin Flaw in Latest Malware Campaign

Discover how the EncryptHub threat actor leverages the MSC EvilTwin vulnerability (CVE-2025-26633) and social engineering to deploy malware, targeting organizations worldwide. Learn about their evolving tactics, including the abuse of Brave Support and fake platforms like RivaTalk.

TL;DR

The EncryptHub threat actor is actively exploiting the MSC EvilTwin vulnerability (CVE-2025-26633) in a new campaign that combines social engineering and rogue MSC files to deploy malware. By abusing platforms like Brave Support and creating fake services such as RivaTalk, EncryptHub evades detection and maintains persistence. Over 618 organizations have already been compromised, highlighting the need for proactive defense strategies and user awareness training.


EncryptHub Exploits MSC EvilTwin Flaw and Brave Support in Latest Malware Campaign

The EncryptHub threat actor, also known as LARVA-208 or Water Gamayun, has been observed exploiting the CVE-2025-26633 vulnerability, dubbed MSC EvilTwin, in a sophisticated campaign that combines social engineering and malicious MSC files to deploy malware. This campaign, detailed by Trustwave SpiderLabs [1], underscores the group’s adaptability and resourcefulness in bypassing security defenses.


Understanding the MSC EvilTwin Vulnerability (CVE-2025-26633)

CVE-2025-26633 is an improper neutralization issue in the Microsoft Management Console (MMC) that allows unauthorized attackers to bypass security features locally. This vulnerability enables attackers to execute malicious .msc files, which are typically used for managing Windows systems.

According to Trustwave SpiderLabs:

“This vulnerability, dubbed MSC EvilTwin, allows the attacker to execute malicious .msc files. While the tactics observed align with previously reported methods, deeper investigations uncovered additional new tools used in EncryptHub campaigns.” [1]


EncryptHub’s Attack Chain: From Social Engineering to Malware Deployment

EncryptHub’s campaign begins with fake IT support messages sent via Microsoft Teams, tricking victims into granting remote access. Once access is secured, the attack unfolds as follows:

  1. PowerShell Loader Execution:
    • A PowerShell loader fetches runner.ps1, a script that drops two malicious .msc files to exploit the MSC EvilTwin vulnerability.
    • The vulnerability allows mmc.exe to load an identically named .msc file from the MUIPath (e.g., en-US) and execute the attacker’s version.
  2. Command and Control (C2) Setup:
    • runner.ps1 inserts a C2 URL into the malicious .msc file, which then downloads build.ps1.
    • build.ps1 steals system information, establishes persistence, and executes AES-encrypted commands from the C2 server, including deploying the Fickle Stealer malware.
  3. SilentCrystal Loader:
    • EncryptHub has replaced earlier PowerShell scripts with SilentCrystal, a Golang-based loader.
    • SilentCrystal abuses Brave Support to host payloads, creates a fake Windows directory to bypass defenses, and exploits MSC EvilTwin to execute malware.
  4. Golang SOCKS5 Backdoor:
    • Another tool in EncryptHub’s arsenal is a Golang SOCKS5 backdoor that operates in client or server mode.
    • It exfiltrates stolen system details via Telegram and sets up C2 infrastructure with TLS encryption.
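The MSC EvilTwin layout described in step 1 (a .msc file shadowed by an identically named .msc in a MUIPath locale folder such as en-US) is something a defender can hunt for on disk. The script below is an added example written for this post, not code from Trustwave or the campaign; the locale-folder regex, the directory names and the file contents are constructed assumptions for the demo.

```python
"""Hunt for the MSC EvilTwin file layout: a .msc file with an identically
named .msc in a locale (MUIPath) subfolder, e.g. Console.msc next to
en-US\\Console.msc. Every hit is a candidate for review, not a verdict."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Assumption: MUIPath folder names look like "en-US", "de-DE", "zh-Hans-CN".
LOCALE_DIR = re.compile(r"^[a-z]{2,3}-[A-Za-z]{2,4}(-[A-Z]{2})?$")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_msc_twins(root: Path) -> list[dict]:
    """Return one finding per (parent .msc, same-named locale twin) pair."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = Path(dirpath)
        # Case-insensitive index of .msc files in this directory.
        mscs = {n.lower(): n for n in filenames if n.lower().endswith(".msc")}
        if not mscs:
            continue
        for sub in dirnames:
            if not LOCALE_DIR.match(sub):
                continue  # only locale-named subfolders are MUIPath candidates
            for twin in (parent / sub).glob("*.msc"):
                orig_name = mscs.get(twin.name.lower())
                if orig_name is None:
                    continue  # a lone .msc in the locale folder has no twin
                orig = parent / orig_name
                findings.append({
                    "original": str(orig),
                    "twin": str(twin),
                    "locale": sub,
                    # Differing content means mmc.exe would run something
                    # other than the console the operator expects.
                    "same_content": sha256_of(orig) == sha256_of(twin),
                })
    return findings


def demo() -> list[dict]:
    """Build a constructed directory tree (placeholder text, no real
    malware) and run the hunt over it."""
    root = Path(tempfile.mkdtemp(prefix="msc-hunt-"))
    (root / "tools" / "en-US").mkdir(parents=True)
    (root / "tools" / "backup").mkdir()
    (root / "tools" / "Console.msc").write_text("<benign console>")
    (root / "tools" / "en-US" / "Console.msc").write_text("<rogue console>")
    (root / "tools" / "en-US" / "Other.msc").write_text("<no twin>")  # decoy
    (root / "tools" / "backup" / "Console.msc").write_text("<benign console>")
    return find_msc_twins(root)  # exactly one finding: tools\en-US\Console.msc
```

On a real host you would point `find_msc_twins` at directories where .msc consoles live (and anywhere PowerShell dropped files), then triage hits whose `same_content` is False.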

Fake Video Call Platform: RivaTalk

To further evade detection, EncryptHub created a fake video call platform called RivaTalk, registered in July 2025. The platform serves as a front for their new C2 server and requires an access code to download its malicious Windows app, limiting exposure to targeted victims.

  • The RivaTalk installer abuses a Symantec ELAM binary to sideload a malicious DLL.
  • This DLL runs a PowerShell script that fetches additional payloads.
  • While displaying a fake setup pop-up, the malware generates fake web traffic to mask its activity.
  • It maintains C2 contact and executes AES-encrypted commands for full control over the compromised system.

EncryptHub’s Evolving Tactics and Implications

EncryptHub represents a well-resourced and adaptive adversary that combines:

  • Social engineering to manipulate victims.
  • Abuse of trusted platforms like Brave Support and Microsoft Teams.
  • Exploitation of system vulnerabilities like MSC EvilTwin.
  • Evolving malware toolsets for stealth and resilience.

As Trustwave SpiderLabs concludes:

“The EncryptHub threat actor represents a well-resourced and adaptive adversary, combining social engineering, abuse of trusted platforms, and the exploitation of system vulnerabilities to maintain persistence and control. Their use of fake video conferencing platforms, encrypted command structures, and evolving malware toolsets underscores the importance of layered defense strategies, ongoing threat intelligence, and user awareness training.” [1]


Why This Matters

EncryptHub’s campaign highlights the growing sophistication of cyber threats and the need for:

  • Proactive threat detection to identify and mitigate attacks early.
  • User awareness training to prevent social engineering exploits.
  • Layered defense strategies to protect against evolving malware tactics.

With over 618 organizations already compromised, this campaign serves as a stark reminder of the critical importance of cybersecurity vigilance.


This post is licensed under CC BY 4.0 by the author.