EncryptHub linked to zero-day attacks targeting Windows systems

In attacks spotted by Trend Micro's researchers before reporting the flaw to Microsoft, EncryptHub (also known as Water Gamayun or Larva-208) used CVE-2025-26633 zero-day exploits to execute malicious code and exfiltrate data from compromised systems. A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month. "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems," Zahravi said in a report published on Tuesday. Throughout this campaign, the threat actor has deployed multiple malicious payloads linked to previous EncryptHub attacks, including the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, Stealc, Rhadamanthys stealer, and the PowerShell-based MSC EvilTwin trojan loader. Attackers can leverage the vulnerability to evade Windows file reputation protections and execute code because the user is not warned before loading unexpected MSC files on unpatched devices. "In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file," Microsoft explains in an advisory issued during this month's Patch Tuesday. This month, Microsoft also patched a zero-day vulnerability (CVE-2025-24983) in the Windows Win32 Kernel Subsystem, which had been exploited in attacks since March 2023. Uncovered by Trend Micro staff researcher Aliakbar Zahravi, this security feature bypass (dubbed 'MSC EvilTwin' and now tracked as CVE-2025-26633) resides in how MSC files are handled on vulnerable devices. Cyber threat intelligence company Prodaft has previously linked EncryptHub to breaches of at least 618 organizations worldwide following spear-phishing and social engineering attacks.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 25 Mar 2025 16:52:38 +0000

Cyber News related to EncryptHub linked to zero-day attacks targeting Windows systems

EncryptHub linked to zero-day attacks targeting Windows systems - In attacks spotted by Trend Micro's researchers before reporting the flaw to Microsoft, EncryptHub (also known as Water Gamayun or Larva-208) used CVE-2025-26633 zero-day exploits to execute malicious code and exfiltrate data from compromised ...
4 days ago Bleepingcomputer.com CVE-2025-26633

EncryptHub A Multi-Stage Malware Compromised 600 Organizations - The multi-stage attack begins with the execution of a PowerShell command that downloads the first-stage payload: “powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command “Invoke-RestMethod -Uri ...
2 weeks ago Cybersecuritynews.com

Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
9 months ago Securityaffairs.com CVE-2024-23222 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109

Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine - Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari. Actively Exploited Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. ...
1 year ago Darkreading.com CVE-2024-23222

EncryptHub breaches 618 orgs to deploy infostealers, ransomware - A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. Once EncryptHub breaches a targeted system, it ...
1 month ago Bleepingcomputer.com Blacksuit Ransomhub

10 of the biggest zero-day attacks of 2023 - Here are 10 of the biggest zero-day attacks of 2023 in chronological order. Zero-day attacks started strong in 2023 with CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer product. ...
1 year ago Techtarget.com CVE-2023-0669 CVE-2023-34362 CVE-2023-36884 CVE-2023-4863 CVE-2023-41992 CVE-2023-41991 CVE-2023-41993 CVE-2023-22515

Apple fixes Safari WebKit zero-day flaw exploited at Pwn2Own - Apple has released security updates to fix a zero-day vulnerability in the Safari web browser exploited during this year's Pwn2Own Vancouver hacking competition. The company addressed the security flaw on systems running macOS Monterey and macOS ...
10 months ago Bleepingcomputer.com CVE-2024-27834

Microsoft fixes Windows zero-day exploited in QakBot malware attacks - Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. Tracked as CVE-2024-30051, this privilege escalation bug is caused by a heap-based buffer overflow in the ...
10 months ago Bleepingcomputer.com CVE-2024-30051 CVE-2023-36033 RansomEXX Black Basta

Samsung Galaxy S23 hacked two more times at Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 smartphone two more times on the second day of the Pwn2Own 2023 hacking competition in Toronto, Canada. The contestants also demoed zero-day bugs in printers, routers, smart speakers, surveillance ...
1 year ago Bleepingcomputer.com

Samsung Galaxy S23 hacked twice on first day of Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada. They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi's 13 Pro ...
1 year ago Bleepingcomputer.com

North Korean Kimsuky used a new Linux backdoor in recent attacks - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 ...
10 months ago Securityaffairs.com CVE-2022-38028 CVE-2020-3259 CVE-2023-22515 APT28 APT29 BianLian

Pwn2Own Automotive: $1.3M for 49 zero-days, Tesla hacked twice - The first edition of Pwn2Own Automotive has ended with competitors earning $1,323,750 for hacking Tesla twice and demoing 49 zero-day bugs in multiple electric car systems between January 24 and January 26. Throughout the contest organized by Trend ...
1 year ago Bleepingcomputer.com

Cisco discloses new IOS XE zero-day exploited to deploy malware implant - Cisco disclosed a new high-severity zero-day today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week. The company said it found a fix for both vulnerabilities ...
1 year ago Bleepingcomputer.com CVE-2023-20198 CVE-2023-20273 CVE-2021-1435

At a Glance: The Year in Cybersecurity 2023 - From a surge in zero-day attacks to a need to consolidate security stacks for safety, we've seen some notable challenges, trends, and threats. In this post, we'll take a quick, non-comprehensive look at trends and news from 2023, and see what ...
1 year ago Securityboulevard.com

Sav-Rx data breach impacted over 2.8 million individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks. Microsoft fixed two zero-day bugs exploited in malware ...
10 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT29 BianLian

Russia-linked group APT29 likely breached TeamViewer - Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Finnish police linked APT31 to the 2021 parliament attack. BianLian group exploits JetBrains TeamCity bugs in ...
8 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT28 APT29 APT3 BianLian

Apple fixes two new iOS zero-days in emergency updates - Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. "Apple is aware of a report that this issue may ...
1 year ago Bleepingcomputer.com CVE-2023-42916 CVE-2023-42917

Google Chrome Zero-Day Bug Under Attack, Allows Code Injection - Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. The vulnerability, assigned as CVE-2024-0519, is the first Chrome zero-day bug that Google has disclosed in 2024, and the second in the ...
1 year ago Darkreading.com CVE-2024-0519 CVE-2024-0517 CVE-2024-0518 Hunters

newsletter Round 473 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
10 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-46747 CVE-2023-46748 CVE-2023-22515 APT29 Rocke BianLian

Over 10,000 Cisco devices hacked in IOS XE zero-day attacks - Attackers have exploited a recently disclosed critical zero-day bug to compromise and infect more than 10,000 Cisco IOS XE devices with malicious implants. The list of products running Cisco IOS XE software includes enterprise switches, aggregation ...
1 year ago Bleepingcomputer.com CVE-2023-20198

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com

BreachForums resurrected after FBI seizure - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group ...
10 months ago Securityaffairs.com CVE-2022-38028 CVE-2020-3259 CVE-2024-0204 CVE-2023-38831 CVE-2023-22515 APT28 APT29 BianLian

Apple backports fix for RTKit iOS zero-day to older iPhones - Apple has backported security patches released in March to older iPhones and iPads, fixing an iOS Kernel zero-day tagged as exploited in attacks. The flaw is a memory corruption issue in Apple's RTKit real-time operating system that enables attackers ...
10 months ago Bleepingcomputer.com CVE-2024-23296

Healthcare firm WebTPA data breach impacted 2.5M individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach ...
10 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT29 BianLian

LockBit group falsely claimed the hack of the Federal Reserve - LockBit gang claimed responsibility for the attack on City of Wichita. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits JetBrains TeamCity ...
9 months ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 APT28 APT29 LockBit BianLian Siegedsec

EncryptHub linked to zero-day attacks targeting Windows systems

Cyber News related to EncryptHub linked to zero-day attacks targeting Windows systems

Latest Cyber News

Cyber Trends (last 7 days)

Trending Cyber News (last 7 days)