Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

What’s new: A Russian hacking group known as EncryptHub is exploiting CVE-2025-26633 (MSC EvilTwin), a vulnerability in the Microsoft Windows Microsoft Management Console (MMC) framework, to deploy Fickle Stealer malware. The group relies on social engineering, including impersonating IT personnel and sending malicious Microsoft Teams requests, to get victims to open rogue MSC files that trigger the infection. Once on a system, the campaign uses PowerShell commands to establish persistence and communicate with a command-and-control (C2) server.

Who’s affected

Organizations running Microsoft Windows are at risk, particularly those whose systems have not been patched against the MMC framework vulnerability. Because the attacks reach users through social engineering rather than a remote exploit, any user who can be convinced to open a rogue MSC file is a potential point of infection.

What to do

  • Ensure that all systems are updated with the latest security patches, including the Microsoft Windows patch for CVE-2025-26633.
  • Implement user awareness training so staff can recognize social engineering tactics such as phishing, impersonation of IT personnel, and unsolicited Microsoft Teams requests.
  • Monitor network traffic for unusual activity that may indicate malware communicating with an external command-and-control server.
  • Consider deploying endpoint protection solutions that can detect and block malicious PowerShell scripts and other suspicious activity, such as unexpected MSC files being opened.

Sources