EncryptHub: MSC EvilTwin Exploitation & Stealthy Malware Delivery

EncryptHub and MSC EvilTwin vulnerability illustration

A Russian-linked threat group is combining convincing IT-support impersonation with an MMC vulnerability (“MSC EvilTwin”) to execute malicious console files, drop loaders, and persist via stealthy backdoors.

What Is MSC EvilTwin and EncryptHub?

EncryptHub—also tracked in open sources as LARVA-208 / Water Gamayun—is a financially motivated threat actor known for agile social-engineering campaigns. In recent activity, the group abused a high-severity Microsoft Management Console weakness dubbed MSC EvilTwin: a .msc file carrying the same display name as a legitimate console is executed in its place, so that mmc.exe loads the attacker-controlled file instead of the genuine one.

Why this matters: the attack subverts a trusted Windows administrative workflow (MMC), giving malicious code the legitimacy of a native management console.

Why It Matters

  • Trusted tools weaponized: Malicious .msc files masquerade as legitimate consoles, reducing user suspicion during execution.
  • Social engineering amplified: Operators impersonate IT support (via Teams, calls, or chat) to convince targets to run scripts or consoles “to fix an issue.”
  • Evolving toolkit: Campaigns feature PowerShell loaders, a Golang loader often referred to as SilentCrystal, and a SOCKS5 backdoor for resilient C2.

How the Attack Works (End-to-End Flow)

  1. Initial approach: The victim is contacted by a fake help-desk persona urging urgent remediation (account lockout, update failure, etc.).
  2. Loader execution: A PowerShell script (e.g., runner.ps1) places two identically named console files—one benign, one rogue—where Windows resolves the attacker version first.
  3. MSC EvilTwin triggers: MMC launches the malicious .msc, executing attacker logic under the guise of an admin console.
  4. Payload chain: The console retrieves another script (e.g., build.ps1), gathers host data, establishes persistence, and beacons to C2.
  5. Post-exploitation: Tooling such as SilentCrystal and a SOCKS5 Golang backdoor provide encrypted proxying and long-lived access; data theft tooling (e.g., stealer malware) may follow.

Key Takeaways

  • Legit admin paths abused: Malicious consoles blend into standard IT workflows and bypass casual scrutiny.
  • People are the entry point: Convincing support impersonation remains the most reliable initial access vector.
  • Stealthy loaders/backdoors: Golang loaders and SOCKS5 tunnels complicate detection and response.
  • Cloud + browser abuse: Legitimate services (e.g., support portals or file hosting) can be misused for staging.

Defensive Playbook

  1. Patch & harden MMC usage: Keep Windows fully updated; restrict arbitrary .msc execution and require code provenance (AppLocker/WDAC).
  2. Constrain PowerShell: Enable Constrained Language Mode where feasible; log Script Block, Module, and Transcription; alert on suspicious encodings and download cradles.
  3. EDR detections: Flag creation/launch of unknown .msc files, odd MMC load paths, and persistence artifacts following MMC launches.
  4. Network controls: Monitor for unusual TLS beacons and SOCKS5 tunnels; egress-filter to approved destinations; deploy DNS sinkholes for known-bad domains.
  5. Anti-impersonation drills: Train users to verify IT requests via a secondary, trusted channel; pre-publish “no-go” policies (IT will never ask you to run X).
  6. Browser & platform hygiene: Validate updates/support links; disable side-loading of support packages; monitor for staging via public support resources.
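A hunt for the file pattern in step 2 of the attack flow and item 3 of the playbook, written here as an added example (it is not the article's or any vendor's tooling): it lists .msc files outside System32 that share a name with a legitimate console, or that appear twice under user-writable roots. The search roots, the current-user scope, and the output fields are assumptions; adjust them to your environment.

```powershell
# Added hunting example, not code from the article or any vendor.
# Looks for the "EvilTwin" pattern: a .msc outside %SystemRoot%\System32 whose
# name matches a legitimate console, or two identically named .msc files dropped
# under user-writable locations (benign + rogue pair).

$system32 = Join-Path $env:SystemRoot 'System32'

# Assumed search roots: places a user-level loader script can write to.
$searchRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP, (Join-Path $env:SystemRoot 'Temp')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique

# Index of legitimate console names shipped in System32 (case-insensitive).
$legit = @{}
Get-ChildItem -LiteralPath $system32 -Filter '*.msc' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.msc' } |
    ForEach-Object { $legit[$_.Name.ToLowerInvariant()] = $_.FullName }

# Every .msc under the writable roots (recursive, hidden files included).
$candidates = foreach ($root in $searchRoots) {
    Get-ChildItem -LiteralPath $root -Filter '*.msc' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.msc' }
}

# Group by name so a benign/rogue pair placed side by side is also surfaced.
$byName = $candidates | Group-Object { $_.Name.ToLowerInvariant() }

$findings = foreach ($group in $byName) {
    $twinOfSystem = $legit[$group.Name]      # $null when no System32 console has this name
    $pairDropped  = $group.Count -gt 1
    if (-not $twinOfSystem -and -not $pairDropped) { continue }
    foreach ($file in $group.Group) {
        [pscustomobject]@{
            Name         = $file.Name
            Path         = $file.FullName
            TwinOfSystem = $twinOfSystem
            Copies       = $group.Count
            CreatedUtc   = $file.CreationTimeUtc
            Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    }
}

if ($findings) {
    $findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
} else {
    Write-Output "No EvilTwin-style .msc candidates found under: $($searchRoots -join ', ')"
}
```

Run it elevated on a host suspected of MMC abuse and correlate the CreatedUtc values with help-desk contact times and mmc.exe process-creation telemetry; the SHA256 column is there so confirmed rogue files can be blocked by hash in AppLocker/WDAC.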

Conclusion

EncryptHub’s campaigns demonstrate how quickly threat actors adapt: blend social pressure with native Windows tooling, then hide behind modern loaders and encrypted tunnels. Meeting this challenge requires layered controls—technical guardrails around MMC and PowerShell, rigorous user verification practices, and telemetry that correlates social-engineering signals with endpoint and network behaviors.
