EncryptHub Exploits Microsoft Vulnerability in Global Zero-Day Attack Campaign
March 25, 2025
EncryptHub, a notorious threat actor, has been linked to zero-day attacks exploiting a recently patched vulnerability in the Microsoft Management Console, tracked as CVE-2025-26633.
The vulnerability allows attackers to bypass Windows file reputation protections, so malicious code runs without any user warning when a crafted MSC file is opened on an unpatched device.
Trend Micro's Aliakbar Zahravi uncovered the flaw, which involves manipulating .msc files and their Multilingual User Interface Path so that a malicious payload is downloaded and executed.
In phishing scenarios, attackers can send the crafted files to users directly or host them on websites to exploit the vulnerability.
Trend Micro noted that similar techniques were observed in an earlier incident from April 2024.
The campaign employs multiple delivery methods and is designed to maintain persistence while stealing sensitive data, which is sent to the attackers' command-and-control servers.
EncryptHub has previously been associated with multiple attacks, using various malicious payloads, including the EncryptHub stealer and the DarkWisp backdoor, to exfiltrate data from compromised systems.
Prodaft, a cyber threat intelligence company, reported that EncryptHub has been involved in breaches of at least 618 organizations worldwide through spear-phishing and social engineering tactics.
In addition to data theft, EncryptHub also deploys ransomware payloads to encrypt victims' files after the data has been stolen, operating as an affiliate of the RansomHub and BlackSuit ransomware operations.
Separately, Microsoft recently patched another zero-day vulnerability, CVE-2025-24983, in the Windows Win32 Kernel Subsystem, which had been exploited since March 2023.
Source

BleepingComputer • Mar 25, 2025
EncryptHub linked to zero-day attacks targeting Windows systems