Microsoft Acknowledges EncryptHub—Hacker Linked to 618+ Breaches—for Reporting Windows Vulnerabilities

Microsoft recently acknowledged a lone wolf threat actor operating under the alias EncryptHub for discovering and responsibly disclosing two security vulnerabilities in Windows—an unusual move that highlights the individual’s apparent dual life straddling cybersecurity and cybercrime.

In a detailed report released by Swedish cybersecurity firm Outpost24 KrakenLabs, the actor was unmasked as a rising figure in the cybercriminal world. Around a decade ago, he reportedly fled his hometown of Kharkov, Ukraine, relocating near Romania’s coast.

The vulnerabilities, credited to “SkorikARI with SkorikARI”—believed to be another alias used by EncryptHub—were addressed by Microsoft in last month’s Patch Tuesday. The flaws included:

• CVE-2025-24061 (CVSS 7.8): Windows Mark-of-the-Web (MotW) Security Feature Bypass
• CVE-2025-24071 (CVSS 6.5): Windows File Explorer Spoofing

EncryptHub, also tracked as LARVA-208 and Water Gamayun, first came into the spotlight in mid-2024 for a campaign using a fake WinRAR site to distribute malware via a GitHub repository named “encrypthub.”

More recently, the actor has been linked to the exploitation of a zero-day flaw in Microsoft Management Console (CVE-2025-26633, CVSS 7.0, dubbed MSC EvilTwin), used to deploy information stealers and new backdoors named SilentPrism and DarkWisp.

According to threat intelligence firm PRODAFT, EncryptHub is believed to have compromised over 618 high-value targets across various sectors over the past nine months.

“All indicators point to a single operator,” said Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24. “That said, we can’t dismiss the possibility of collaboration. One Telegram channel monitoring infection stats showed another user with admin rights, suggesting outside involvement—albeit without clear group ties.”

Outpost24 traced much of EncryptHub’s infrastructure and tooling thanks to lapses in operational security, including self-infection events, revealing a deeper view into the actor’s methods and digital footprint.

After relocating to an undisclosed area near the Romanian coast, the individual is believed to have kept a low profile, teaching himself computer science through online courses while searching for tech-related job opportunities.

However, all signs of the threat actor’s activity suddenly vanished in early 2022, aligning with the outbreak of the Russo-Ukrainian war. According to Outpost24, there is credible evidence suggesting he may have been incarcerated during that time.

“Following his release, he resumed looking for work, this time offering freelance web and app development services, which saw some initial success,” the report notes. “But the income likely proved insufficient. After a brief and unfruitful attempt at bug bounty hunting, we believe he transitioned to cybercrime in early 2024.”

One of EncryptHub’s earliest known entries into cybercrime was Fickle Stealer, a Rust-based information-stealing malware first reported by Fortinet FortiGuard Labs in June 2024. It was distributed through various channels and quickly gained traction.

In a recent interview with security researcher g0njxa, the actor claimed that Fickle performs effectively on systems where other stealers like StealC or Rhadamantys fail, adding that it can evade “high-quality corporate antivirus systems.” He also stated that Fickle is not only privately circulated but serves as a core component of another tool he developed, EncryptRAT.

“We linked Fickle Stealer to a known alias of EncryptHub,” explained Lidia Lopez of Outpost24. “One of the domains used in the campaign was also tied to his legitimate freelance infrastructure. Based on our investigation, we estimate his cybercriminal activity began around March 2024, with Fortinet’s June report marking the first public detection.”

EncryptHub is also believed to have heavily leveraged OpenAI’s ChatGPT—not just for malware development, but also to translate communications and, in some instances, as a sort of confessional outlet.

“EncryptHub’s case is a textbook example of how operational security failures remain a major vulnerability for cybercriminals,” Lopez added. “Despite a high level of technical skill, fundamental missteps—such as reusing passwords, exposing infrastructure, and blending personal and illicit activities—ultimately led to his identification.”