A recent acknowledgment by Microsoft credits the EncryptHub persona for discovering and reporting two security vulnerabilities in Windows. This individual, believed to be a lone wolf actor, has a complex background straddling a legitimate career in cybersecurity and involvement in cybercrime.
Outpost24 KrakenLabs, a Swedish security company, published an in-depth analysis unmasking the cybercriminal known as EncryptHub. This individual, who fled from Kharkov, Ukraine, around a decade ago, was credited by Microsoft for identifying and reporting the following vulnerabilities:
- CVE-2025-24061 – Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
- CVE-2025-24071 – Microsoft Windows File Explorer Spoofing Vulnerability
EncryptHub, also known as LARVA-208 and Water Gamayun, gained attention in mid-2024 for a campaign involving malware distribution through a fake WinRAR site hosted on GitHub.
In recent developments, EncryptHub has been linked to zero-day exploitation of a Microsoft Management Console vulnerability (CVE-2025-26633) to distribute information stealers and backdoors named SilentPrism and DarkWisp.
According to PRODAFT, EncryptHub has targeted over 618 high-value entities across various industries in the past nine months.
Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24, stated, “All evidence suggests the actions of a single individual, although collaboration with other threat actors cannot be ruled out.”
Outpost24’s investigation uncovered EncryptHub’s online activities through self-infections due to poor security practices, revealing new insights into the individual’s infrastructure and tools.
The actor, believed to have relocated near Romania, studied computer science and freelanced in web and app development before turning to cybercrime in early 2024.
One of EncryptHub’s initial cybercrime projects, Fickle Stealer, is a Rust-based information stealer malware documented by Fortinet FortiGuard Labs.
EncryptHub has also utilized OpenAI’s ChatGPT for malware development and other activities, a practice that underscores the importance of operational security even for cybercriminals.