Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws
Summary:
A recent report published by Outpost24 KrakenLabs has exposed the identity and evolution of the threat actor known as “EncryptHub,” believed to be a lone individual walking a fine line between legitimate cybersecurity research and malicious cyber activity. The individual was acknowledged by Microsoft in March 2025 for discovering and reporting two Windows vulnerabilities: CVE-2025-24061, a Mark-of-the-Web (MotW) security feature bypass, and CVE-2025-24071, a Windows File Explorer spoofing issue. Microsoft attributed the discoveries to “SkorikARI with SkorikARI,” a pseudonym researchers have linked to EncryptHub, suggesting an attempt to build credibility within the cybersecurity community while continuing to operate under the radar.
According to the report, the individual fled his hometown of Kharkov, Ukraine, approximately ten years ago, eventually settling near the Romanian coast. There, he pursued self-directed computer science education through online courses while working freelance in web and application development. His online footprint shows a conflicted identity: one side participating in vulnerability research and bug bounty programs, and the other gradually shifting into full-blown cybercriminal activity. Outpost24 suspects the pivot happened after early 2022, coinciding with the start of the Russo-Ukrainian war and possibly a brief stint in jail, which led to financial strain and a turn toward illicit digital operations.
By mid-2024, EncryptHub had emerged as a more prominent figure in the threat landscape. He was connected to a campaign that hosted various malware strains in a GitHub repository using the "encrypthub" name and delivered them through a fake WinRAR download site. The actor later exploited a zero-day flaw in Microsoft Management Console (CVE-2025-26633, dubbed MSC EvilTwin), using it to deploy two previously undocumented backdoors, SilentPrism and DarkWisp. These tools were built for data exfiltration and long-term persistence and were observed in use against more than 618 high-value targets across industries such as finance, healthcare, and technology.
One of EncryptHub’s earliest malware developments was "Fickle Stealer," a Rust-based information stealer that first came to light through Fortinet FortiGuard Labs in June 2024. In an anonymous interview with researcher g0njxa, EncryptHub boasted that Fickle Stealer could bypass corporate antivirus software where more popular stealers like StealC or Rhadamanthys would fail. He claimed it was being privately shared and formed the backbone of his secondary product, EncryptRAT, a remote access trojan. Investigators confirmed that the infrastructure used for distributing this malware overlapped with domains linked to his freelance development work, further tying his personal and criminal activities together.
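Two of the delivery details above, a Mark-of-the-Web bypass (CVE-2025-24061) and malware served from a fake WinRAR site, both leave the same trace on an endpoint: downloaded files that either carry no Zone.Identifier stream at all, or carry one whose HostUrl points at a site the user should not have been downloading from. The following PowerShell script is an added triage check written for this page; it is not code from Outpost24, Microsoft, or the actor, and the folder list, the seven-day window, and the list of "risky" extensions are assumptions you should adjust for your environment. It reads the Zone.Identifier alternate data stream of recently written files and reports the zone, the source URL, and a flag for executables that lack MotW entirely.

```powershell
# Added example, not from the original report. Inventories Mark-of-the-Web
# (Zone.Identifier ADS) on recently downloaded files so an analyst can spot
# (a) executables that carry no MotW, which is what a MotW bypass produces, and
# (b) downloads whose HostUrl is an unexpected site (e.g. a fake WinRAR page).
# Assumptions: Windows 10/11, Windows PowerShell 5.1 or PowerShell 7, NTFS volume
# (alternate data streams do not exist on FAT/exFAT or most network shares).

function Get-MotwReport {
    param(
        [string[]]$Paths = @("$env:USERPROFILE\Downloads"),   # assumed folders to sweep
        [int]$Days = 7                                         # assumed look-back window
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # Extensions that should practically always carry MotW when they came from a browser.
    $risky = '\.(exe|msi|msc|lnk|js|jse|vbs|hta|ps1|bat|cmd|scr|dll)$'

    foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                $zoneId = $null; $hostUrl = $null; $refUrl = $null
                try {
                    # Throws if the stream is absent; that is the interesting case.
                    $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
                    foreach ($line in $ads) {
                        if     ($line -match '^ZoneId=(\d+)')      { $zoneId  = [int]$Matches[1] }
                        elseif ($line -match '^HostUrl=(.+)$')     { $hostUrl = $Matches[1] }
                        elseif ($line -match '^ReferrerUrl=(.+)$') { $refUrl  = $Matches[1] }
                    }
                } catch { }

                # ZoneId 3 = Internet, 4 = Restricted; 0-2 are local/intranet/trusted.
                if ($null -eq $zoneId) {
                    $flag = if ($_.Name -match $risky) { 'NO-MOTW-EXECUTABLE' } else { 'no-motw' }
                } elseif ($zoneId -ge 3) {
                    $flag = 'internet'
                } else {
                    $flag = 'local/intranet'
                }

                [pscustomobject]@{
                    File        = $_.FullName
                    LastWrite   = $_.LastWriteTime
                    ZoneId      = $zoneId
                    HostUrl     = $hostUrl
                    ReferrerUrl = $refUrl
                    Flag        = $flag
                }
            }
    }
}

# Usage: full report, then the two views an analyst actually wants.
$report = Get-MotwReport -Paths @("$env:USERPROFILE\Downloads") -Days 7
$report | Format-Table -AutoSize

# 1. Executables (including .msc consoles) that carry no MotW at all.
$report | Where-Object Flag -eq 'NO-MOTW-EXECUTABLE' | Select-Object File, LastWrite

# 2. Internet-zone downloads, grouped by source host, to spot look-alike download sites.
$report | Where-Object { $_.HostUrl } |
    ForEach-Object { try { ([uri]$_.HostUrl).Host } catch { $_.HostUrl } } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
```

Treat NO-MOTW-EXECUTABLE as a lead rather than proof: some archive tools and installers legitimately drop the stream when extracting, and Unblock-File removes it on purpose. The HostUrl grouping is the more reliable signal for the fake-download-site pattern described above, because a bypassed or stripped MotW tells you nothing about where the file came from, while a present one names the host.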
Security Officer Comments:
Throughout his operations, EncryptHub relied extensively on OpenAI’s ChatGPT to aid malware development, write phishing emails, translate messages, and even serve as a kind of personal diary or confessional. Despite technical sophistication, the actor exhibited poor operational security: self-infecting with his own malware, reusing passwords, and hosting command-and-control infrastructure on domains linked to his legitimate freelance work. These missteps allowed Outpost24 to trace and unmask his digital trail. Although believed to be acting primarily alone, there are signs of possible collaboration. A Telegram channel used to track malware infections had at least one other user with admin privileges, suggesting occasional assistance from unnamed individuals. Still, Outpost24’s senior analyst, Lidia Lopez, emphasized that the majority of evidence points to a single operator.
Suggested Corrections:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are restored as part of routine testing and that they are not reachable from the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Current offline backups are critical because, if production data is encrypted, the organization can restore systems from copies the attacker could not reach.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner, and in this case specifically the Windows fixes for CVE-2025-26633 (Microsoft Management Console), CVE-2025-24061 (Mark-of-the-Web bypass), and CVE-2025-24071 (File Explorer spoofing). Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most commonly abused initial access vector for organizations, and this campaign also relied on users fetching installers from a fake WinRAR site. Users should be trained to spot phishing emails and to download software only from official sources. Multi-factor authentication can help prevent malicious access to sensitive services even when a stealer has already harvested a password.
Implement multi-factor authentication (MFA): External-facing assets that rely on single-factor authentication (SFA) are highly susceptible to brute-forcing, password spraying, and unauthorized remote access using valid (stolen) credentials, which is exactly what an information stealer such as Fickle Stealer supplies. MFA adds a second factor that a stolen password alone cannot satisfy.
Link(s):
https://thehackernews.com/2025/04/microsoft-credits-encrypthub-hacker.html
https://outpost24.com/blog/unmasking-encrypthub-chatgpt-partner-crime/