Summary: A threat actor named EncryptHub has exploited a Microsoft Management Console vulnerability (CVE-2025-26633) to conduct Windows zero-day attacks, allowing them to bypass security features and execute malicious code. Researchers from Trend Micro reported multiple delivery methods and certifications used in these attacks, with indications of ongoing development of these techniques. The attacks have led to data exfiltration from compromised systems and have been linked to broader operations involving breaches and ransomware deployments.
Affected: Microsoft Management Console (Windows operating systems)
Key points:
- EncryptHub has been exploiting CVE-2025-26633 to manipulate .msc files and evade Windows security.
- Attack scenarios involve email attachments and compromised websites delivering the malicious files.
- Previous EncryptHub attacks demonstrate the use of various malicious payloads, including infostealers and ransomware.
- Over 618 organizations worldwide have been affected by EncryptHub’s spear-phishing and social engineering tactics.
- Microsoft has also patched another zero-day vulnerability, CVE-2025-24983, this month.