EncryptHub using Brave Support Platform to weaponise MMC vulnerability
The cyberthreat landscape is increasingly complex as malicious actors refine their attack strategies, with the EncryptHub threat group, also known as LARVA-208 and Water Gamayun, emerging as a significant concern. This group has gained notoriety for its aggressive campaigns targeting Web3 developers and for exploiting legitimate platforms to deliver harmful payloads. As of February 2025, reports indicate that 618 organisations globally have fallen victim to EncryptHub’s network compromises. Their latest campaign, referred to as MSC EvilTwin, represents a dangerous blend of social engineering and technical exploitation, specifically targeting the Microsoft Management Console through the CVE-2025-26633 vulnerability. This vulnerability enables attackers to execute malicious MSC files by strategically placing them in system directories, effectively hijacking legitimate processes. The attack typically commences with threat actors impersonating IT support staff, establishing connections via Microsoft Teams, and deploying malicious payloads to compromised systems.
Trustwave analysts identified this campaign during their ongoing threat research, revealing a multi-stage attack chain that merges social engineering with platform abuse. Attackers execute PowerShell commands to retrieve initial payloads, then deploy specialised tools designed to maintain persistent access and exfiltrate sensitive information.

Notably, EncryptHub’s use of the Brave Support platform, a legitimate service linked to the Brave browser, to host and distribute malicious content complicates detection for traditional security solutions. By leveraging a trusted platform like Brave Support, the group can circumvent many security filters that would typically flag suspicious downloads. This tactic underscores a growing trend among cybercriminals who exploit the trust associated with legitimate services to facilitate their malicious activities.

The core of EncryptHub’s attack hinges on exploiting the CVE-2025-26633 vulnerability through a file placement technique. When victims execute the initial PowerShell command, the malware downloads and runs runner.ps1, which acts as the primary deployment mechanism for the MSC exploitation framework. The runner.ps1 script manipulates directories by creating two MSC files with identical names in different locations: the legitimate file resides in the standard system directory, while the malicious one is strategically positioned elsewhere.
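The same-name, different-directory placement described above gives defenders a simple hunting signal: an .msc file whose name also exists under a system console directory but which sits outside it. The Python below is an added illustration, not code from the article or from Trustwave; the trusted directories, the file names and the sample paths are all constructed assumptions, since the article does not name the specific directories or console involved.

```python
import ntpath
from collections import defaultdict

# Assumption: directories where MMC console files legitimately live.
# The article only says "the standard system directory"; these are placeholders.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_trusted(path):
    """True if the path lies under one of the trusted console directories."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_msc_twins(paths):
    """Group .msc files by basename (case-insensitive) and report every name
    that exists both inside a trusted directory and somewhere outside it.
    Returns {basename: {"trusted": [...], "other": [...]}} for the twins only."""
    by_name = defaultdict(lambda: {"trusted": [], "other": []})
    for path in paths:
        if not path.lower().endswith(".msc"):
            continue
        name = ntpath.basename(path).lower()
        bucket = "trusted" if is_trusted(path) else "other"
        by_name[name][bucket].append(path)
    return {n: g for n, g in by_name.items() if g["trusted"] and g["other"]}


# Constructed sample inventory, e.g. from an EDR file-creation feed.
SAMPLE_PATHS = [
    r"C:\Windows\System32\console-placeholder.msc",            # legitimate copy
    r"C:\Users\alice\AppData\Local\Temp\Console-Placeholder.msc",  # same name, user-writable dir
    r"C:\Windows\System32\another-console.msc",                # only one copy, benign
    r"C:\Users\alice\Downloads\runner.ps1",                    # not an .msc, ignored
]

if __name__ == "__main__":
    for name, hits in find_msc_twins(SAMPLE_PATHS).items():
        print(f"[!] twin MSC name {name}: outside trusted dirs -> {hits['other']}")
```

Hits are candidates for review rather than verdicts; correlate them with the process that wrote the file (here a PowerShell download) and with mmc.exe loading the untrusted path.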