Financially Motivated10 malware familiesExploits CVEs in the wild

EncryptHub

Also known asEncryptHubLarva-208Water Gamayun

EncryptHub is a financially motivated Russian threat actor, also tracked as LARVA-208 and Water Gamayun. The content describes it as a Russian or Russia-aligned hacking group that gained prominence in mid-2024 and has been associated with credential theft, access brokering, information-stealing campaigns, and malware delivery. Reported activity includes targeting enterprise and government networks, telecom, finance, defense, manufacturing, Web3 developers, and Steam users. A related subgroup, LARVA-148, is described as managing domain acquisitions and attacks. The actor is repeatedly linked to exploitation of the Windows Microsoft Management Console vulnerability CVE-2025-26633, dubbed "MSC EvilTwin," including continued exploitation after patching. Reported delivery methods include phishing, fake IT support messages over Microsoft Teams, videoconferencing lures such as a fake platform named RivaTalk, compromised websites, abuse of Brave Support to host payload ZIPs, and rogue or paired benign/malicious .msc files. The described tradecraft includes social engineering, PowerShell-based multi-stage loaders, persistence, AES-encrypted command execution, SOCKS5 tunneling, DLL sideloading via a legitimate Symantec ELAM binary, use of deceptive paths such as "C:\Windows \System32," and living-off-the-land techniques involving mmc.exe. Tooling and malware directly associated in the content include Fickle Stealer, SilentCrystal, SilentPrism, DarkWisp, HijackLoader, Vidar, and Golang backdoors. Fickle Stealer is described as stealing credentials, browser data, cookies, sensitive files, system information, cryptocurrency wallet data, and other host data. In Steam-related activity, EncryptHub reportedly compromised the Chemia game to distribute HijackLoader, which downloaded Vidar, and also deployed Fickle Stealer. The actor has also reportedly abused Steam to distribute information stealers more broadly. The content states that at least 618 organizations worldwide were compromised in one EncryptHub campaign. It also notes OPSEC failures exposing the actor's own infrastructure and reports that EncryptHub used Telegram bots and ChatGPT in operations. One article additionally describes EncryptHub as a persona tied to malware campaigns, credential theft, and access brokering, and says Microsoft credited "EncryptHub" with responsibly disclosing two Windows vulnerabilities in March 2025.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

23 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics29 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

4 techniques

T1078

Valid Accounts

T1189

Drive-by Compromise

T1190

Exploit Public-Facing Application

T1566

Phishing

TA0002

Execution

3 techniques

T1059

Command and Scripting Interpreter

T1059.001×2

PowerShell

T1203

Exploitation for Client Execution

T1204×2

User Execution

T1204.002

Malicious File

TA0003

Persistence

1 technique

T1078

Valid Accounts

TA0004

Privilege Escalation

1 technique

T1078

Valid Accounts

TA0005

Stealth

5 techniques

T1027

Obfuscated Files or Information

T1027.004

Compile After Delivery

T1027.005

Indicator Removal from Tools

T1036

Masquerading

T1078

Valid Accounts

T1218

System Binary Proxy Execution

T1218.014

MMC

T1564

Hide Artifacts

TA0006

Credential Access

4 techniques

T1528

Steal Application Access Token

T1539

Steal Web Session Cookie

T1552

Unsecured Credentials

T1552.004

Private Keys

T1555

Credentials from Password Stores

TA0007

Discovery

1 technique

T1016

System Network Configuration Discovery

TA0009

Collection

2 techniques

T1005

Data from Local System

T1560

Archive Collected Data

T1560.001

Archive via Utility

TA0011

Command and Control

1 technique

T1105×2

Ingress Tool Transfer

ARSENAL

Associated malware families

10 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Fickle StealerClicking the message leads to the download of malicious software disguised as a genuine Realtek HD Audio Driver, which executes PowerShell commands to retrieve and deploy the Fickle Stealer.8Mar 18, 2026

DarkWispTrend Micro in March 2025, uncovering attacks that deliver two backdoors called SilentPrism and DarkWisp.3Mar 18, 2026

HijackLoader“...EncryptHub added to the game files the HijackLoader malware (CVKRUTNP.exe), which establishes persistence on the victim device and downloads the Vidar infostealer (v9d9d.exe).”3Mar 18, 2026

RhadamanthysEncryptHub lured targets into installing AnyDesk, TeamViewer, and other remote monitoring and management software for lateral movement before utilizing PowerShell scripts that deliver the Rhadamanthys, Stealc, and Fickle Stealer infomation-stealing payloads.3Mar 18, 2026

SilentCrystalResearchers identified new tools like SilentCrystal and a Golang SOCKS5 backdoor, showcasing EncryptHub's shift towards stealthier and resilient methods.3Mar 18, 2026

5 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-26633MSC EvilTwinIn the wildEvidence3

Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.

IOCS

Observables

18 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

18 IOCsView more in app

Domains

7 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com

hash.sha256

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

uri

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

ip.v4

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

bleeping computerNews

Mar 13, 2026

FBI seeks victims of Steam games used to spread malware

Used malicious Steam-hosted game content to deliver malware for credential theft, browser data theft, cookie theft, and cryptocurrency wallet theft.

the hacker newsNews

Mar 11, 2026

DevSecOps - Latest News, Reports & Analysis | The Hacker News

Financially motivated group targeting Web3 developers using fake AI platforms and social engineering lures to deploy stealer malware and harvest data from cryptocurrency wallets. The content also notes the group has a history of deploying ransomware.

splunk researchNews

Feb 25, 2026

Detection: Mmc LOLBAS Execution Process Spawn | Splunk Security Content

Referenced only as an associated analytic story; no specific threat actor activity, targeting, malware, or operations are described in the content.

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

Financially motivated actor using a mix of social engineering and exploitation (notably CVE-2025-26633 / MSC EvilTwin) to deliver stealer malware (e.g., Fickle Stealer) and target Web3 developers via fake AI platforms.

+23 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping23

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal10

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables18

Domains, IPs, and hashes tied to this actor, refreshed continuously.