EncryptHub social engineering and vulnerability exploitation campaign
Campaign
Summary
EncryptHub is running a broad, ongoing campaign that combines social engineering with exploitation of a Windows vulnerability to bypass defenses and gain a foothold inside target environments. The operation uses Microsoft Teams lures, rogue Microsoft Management Console (MSC) files, and exploitation of CVE-2025-26633 to drive infections. It matters because the activity is still active and multi-stage, and is built to deliver payloads, maintain persistence, and keep command-and-control access.
Related Happenings
GlassWorm campaign returns in repeated waves across extension marketplaces
Campaign
First: 01.01.2026 17:18
Last: 01.01.2026 17:18
Sources 1
About this happening:
**GlassWorm** is an ongoing **supply-chain attack** targeting developers through the **OpenVSX** and **Microsoft Visual Studio Marketplace** extension ecosystems. In the latest co...
Latest development: 17.03.2026 23:42
GlassWorm renewed its supply-chain campaign with a coordinated wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX this month, including 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. Attackers compromised GitHub accounts to force-push malicious commits, then published obfuscated packages and extensions that queried a Solana blockchain C2 channel every five seconds and delivered a Node.js-based JavaScript infostealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
Microsoft Teams and Defender for Office 365 add centralized external-user blocking controls
Security Tool/Service
First: 24.12.2025 18:22
Last: 24.12.2025 18:22
Sources 1
About this happening:
**Microsoft Teams** is gaining centralized controls that let security admins block **external users**, suspicious **domains**, and malicious content handling in **Defender for Off...
Ink Dragon European government relay-node campaign
Campaign
First: 17.12.2025 11:30
Last: 17.12.2025 11:30
Sources 1
About this happening:
A **China-linked** group is turning **misconfigured European government servers** into relay nodes to hide **cyber-espionage**, expanding the operational footprint and making dete...
VS Code Marketplace malicious extension campaign using disguised dependency payloads
Campaign
First: 11.12.2025 18:00
Last: 11.12.2025 18:00
Sources 1
About this happening:
A **malicious VS Code extension campaign** has spread through **19 extensions**, creating supply-chain risk for **developers** using the marketplace. The operation has been **acti...
Storm-0249 SentinelOne EDR abuse for stealthy malware execution
Malware Activity
First: 09.12.2025 17:24
Last: 09.12.2025 17:24
Sources 1
About this happening:
**Storm-0249** is abusing **SentinelOne EDR** components and trusted **Windows utilities** to load malware, establish **C2**, and maintain persistence, increasing the risk that th...
Timeline
16.08.2025 08:34 · 1 article
EncryptHub campaign abusing CVE-2025-26633
Initial Disclosure
EncryptHub, also tracked as LARVA-208 and Water Gamayun, is continuing a campaign against Microsoft Windows that blends social engineering with exploitation of CVE-2025-26633 (MSC EvilTwin) to deliver malicious payloads, establish persistence, and communicate with command-and-control infrastructure. The activity includes Microsoft Teams lures, rogue Microsoft Management Console (MSC) files, abuse of Brave Support for payload staging, and payloads such as SilentCrystal and Fickle Stealer.
Sources
- Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware — thehackernews.com — 16.08.2025 08:34
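As an added example (not code from the article, nor from the researchers it cites): a small hunting script that flags mmc.exe launches opening a console (.msc) file from a user-writable location, which is the kind of process-creation telemetry check a SOC would run when looking for rogue MSC files delivered through chat lures like the ones this campaign uses. The trusted-directory list, the user-writable markers, the built-in console names used for the name-collision check, the key=value event format, and the sample events are all assumptions constructed for this example; tune them to your own telemetry and environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added hunting example for rogue MSC console files. Not the article's code.
# Sample events below are constructed, Sysmon-style process-creation records,
# not real telemetry.

# Where .msc console files legitimately live (normalized to lowercase, forward slashes).
# Assumption: extend this if your site ships admin-authored consoles from a managed share.
TRUSTED_MSC_DIRS = (
    "c:/windows/system32/",
    "c:/windows/syswow64/",
    "c:/program files/",
    "c:/program files (x86)/",
)

# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE_MARKERS = ("/users/", "/appdata/", "/temp/", "/downloads/", "/public/")

# Built-in console names; a dropped console reusing one of these deserves a closer look.
BUILTIN_CONSOLES = {
    "compmgmt.msc", "wmimgmt.msc", "eventvwr.msc", "services.msc",
    "gpedit.msc", "devmgmt.msc", "certmgr.msc",
}

# Matches a quoted path ending in .msc, or an unquoted drive-letter path ending in .msc.
MSC_PATH_RE = re.compile(r'"([^"]+\.msc)"|([a-z]:\\[^"\s]+\.msc)', re.IGNORECASE)


@dataclass
class Finding:
    time: str
    user: str
    console: str
    reasons: List[str]


def _norm(path: str) -> str:
    """Lowercase a Windows path and use forward slashes so prefix checks are simple."""
    return path.strip('"').lower().replace("\\", "/")


def parse_event(line: str) -> Dict[str, str]:
    """Parse a 'Key=Value|Key=Value' process-creation record into a dict."""
    fields: Dict[str, str] = {}
    for chunk in line.split("|"):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def msc_paths(command_line: str) -> List[str]:
    """Return every .msc path referenced on a command line, normalized."""
    return [_norm(quoted or bare) for quoted, bare in MSC_PATH_RE.findall(command_line)]


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Flag mmc.exe opening a console from outside the trusted directories."""
    if not _norm(event.get("Image", "")).endswith("/mmc.exe"):
        return None
    for console in msc_paths(event.get("CommandLine", "")):
        reasons: List[str] = []
        if not console.startswith(TRUSTED_MSC_DIRS):
            reasons.append("console outside trusted directories")
        if any(marker in console for marker in USER_WRITABLE_MARKERS):
            reasons.append("console in user-writable location")
        name = console.rsplit("/", 1)[-1]
        if reasons and name in BUILTIN_CONSOLES:
            reasons.append(f"name collides with built-in console {name}")
        if reasons:
            return Finding(event.get("UtcTime", ""), event.get("User", ""), console, reasons)
    return None


def hunt(lines: List[str]) -> List[Finding]:
    """Run assess() over a batch of event lines and collect the findings."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Admin opening the built-in Computer Management console: benign.
    r'UtcTime=2025-08-16 08:30:00|Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" "C:\Windows\System32\compmgmt.msc"|ParentImage=C:\Windows\explorer.exe|User=CORP\admin1',
    # Console file that arrived through a chat lure and was opened from Downloads.
    r'UtcTime=2025-08-16 08:34:00|Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Invoice_Teams.msc"|ParentImage=C:\Windows\explorer.exe|User=CORP\alice',
    # Dropped console in a temp directory that reuses a built-in console's name.
    r'UtcTime=2025-08-16 08:35:10|Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe" C:\Users\bob\AppData\Local\Temp\wmimgmt.msc|ParentImage=C:\Windows\explorer.exe|User=CORP\bob',
    # Unrelated process: ignored.
    r'UtcTime=2025-08-16 08:36:00|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile|ParentImage=C:\Windows\explorer.exe|User=CORP\alice',
    # mmc.exe started with no console argument: nothing to assess.
    r'UtcTime=2025-08-16 08:37:00|Image=C:\Windows\System32\mmc.exe|CommandLine="C:\Windows\System32\mmc.exe"|ParentImage=C:\Windows\explorer.exe|User=CORP\admin1',
]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding.time} {finding.user} {finding.console}: {'; '.join(finding.reasons)}")
```

The check is deliberately path-based rather than signature-based: it does not need to know what a given rogue console contains, only that a console was opened from somewhere consoles are not supposed to live. Pair it with the parent-process and file-origin fields your telemetry already carries (for example, a file written by a chat client shortly before mmc.exe opened it) to raise confidence before alerting.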