Microsoft Windows MSC EvilTwin flaw (CVE-2025-26633)
Vulnerability
Summary
EncryptHub is actively abusing CVE-2025-26633, dubbed MSC EvilTwin, in the Microsoft Management Console (MMC) framework to launch payloads through a rogue MSC file, creating ongoing risk for Windows systems. The flaw is patched, but the campaign still relies on it as its infection trigger. The technique helps the actor bypass defenses and gain a foothold in internal environments, and the observed abuse is one stage of a broader intrusion chain that pairs social engineering with technical exploitation.
Related Happenings
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Langflow CVE-2026-33017 exploitation wave
Exploitation Wave
First: 20.03.2026 12:20
Last: 20.03.2026 12:20
Sources 1
About this happening:
**CVE-2026-33017** in **Langflow** is being exploited in a fast-moving **early wave** that surfaced within **20 hours** of the advisory, putting exposed instances at immediate ris...
HPE OneView RondoDox exploitation wave (CVE-2025-37164)
Exploitation Wave
First: 16.01.2026 11:15
Last: 16.01.2026 11:15
Sources 1
About this happening:
**RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...
SOAPwn research on .NET WSDL proxy abuse enabling file writes and RCE
Technical Analysis
First: 10.12.2025 21:21
Last: 10.12.2025 21:21
Sources 1
About this happening:
Researchers exposed **SOAPwn**, a .NET Framework exploitation path that turns attacker-controlled **WSDL** input and **HTTP client proxies** into **arbitrary file writes** and **r...
Storm-0249 shifts from initial access brokering to stealth ransomware-enablement tactics
Threat Actor Meta
First: 09.12.2025 15:37
Last: 09.12.2025 15:37
Sources 1
About this happening:
**Storm-0249** is moving from **initial access brokering** to **domain spoofing**, **DLL side-loading**, and **fileless PowerShell** to support **ransomware attacks**. The shift m...
Timeline
- 16.08.2025 08:34 · 1 article · 9mo ago
EncryptHub abuses CVE-2025-26633 on Microsoft Windows
Technical Analysis Update
EncryptHub is observed combining social engineering with CVE-2025-26633 exploitation against Microsoft Windows targets: a fake IT-department Microsoft Teams request; paired benign and malicious MSC files that trigger the Microsoft Management Console (MMC) flaw; and PowerShell-driven payload delivery that collects system information, establishes persistence, and retrieves Fickle Stealer from command-and-control infrastructure. The same intrusion chain uses SilentCrystal to abuse Brave Support for hosting a ZIP archive of weaponized MSC files, and continues to use videoconferencing lures such as RivaTalk to push MSI installers that sideload a malicious DLL and run additional PowerShell.
- Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware — thehackernews.com — 16.08.2025 08:34
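The timeline entry above gives a defender two observable pivots: mmc.exe opening an MSC file that was delivered to the user rather than shipped with Windows, and PowerShell being spawned by mmc.exe once the console file fires. The following hunt, added here as an example and not code from the article or from any vendor, applies both checks to process-creation telemetry. The event records are constructed in a Sysmon Event ID 1-like shape (field names `Image`, `ParentImage`, `CommandLine`, `RecordId` are assumed), and treating `.msc` files under profile, temp or ProgramData trees as suspicious is a heuristic of this example, not a claim about how the flaw itself works.

```python
"""Hunt for the MSC-triggered PowerShell chain over process-creation logs.

Example code added to this page; the log lines below are constructed and the
path heuristic is an assumption, not a description of CVE-2025-26633 internals.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (ProcessCreate)-style records. Field names
# follow Sysmon's; hosts, users and file names are made up for this example.
SAMPLE_EVENTS = [
    json.dumps({"RecordId": 101, "Image": r"C:\Windows\System32\mmc.exe",
                "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"',
                "ParentImage": r"C:\Windows\explorer.exe"}),
    json.dumps({"RecordId": 102, "Image": r"C:\Windows\System32\mmc.exe",
                "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\jdoe\Downloads\IT-Support\update.msc"',
                "ParentImage": r"C:\Windows\explorer.exe"}),
    json.dumps({"RecordId": 103, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": r"powershell.exe -w hidden -nop -enc SQBFAFgA",
                "ParentImage": r"C:\Windows\System32\mmc.exe"}),
    json.dumps({"RecordId": 104, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
                "ParentImage": r"C:\Windows\explorer.exe"}),
]

# Matches a quoted or bare .msc argument on an mmc.exe command line.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)\b', re.IGNORECASE)

# Assumption (heuristic): a console file living under a user profile, temp or
# ProgramData tree was dropped by a user or lure, not installed with Windows.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def in_user_writable_path(path: str) -> bool:
    """True when the path sits under one of the user-writable markers above."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def classify(event: dict) -> list[str]:
    """Return the findings for a single process-creation record (empty if benign)."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event.get("CommandLine", "")
    findings = []

    # Pivot 1: mmc.exe opening an MSC file that did not ship with Windows.
    if image == "mmc.exe":
        for match in MSC_ARG.finditer(cmd):
            msc_path = match.group(1) or match.group(2)
            if in_user_writable_path(msc_path):
                findings.append(f"mmc.exe opened console file from user-writable path: {msc_path}")

    # Pivot 2: the console file executed code, observed as PowerShell under mmc.exe.
    if image in ("powershell.exe", "pwsh.exe") and parent == "mmc.exe":
        findings.append("PowerShell spawned by mmc.exe")

    return findings


def hunt(lines) -> list[tuple[int, str]]:
    """Run classify() over JSON log lines and return (RecordId, finding) pairs."""
    hits = []
    for line in lines:
        event = json.loads(line)
        for finding in classify(event):
            hits.append((event["RecordId"], finding))
    return hits


if __name__ == "__main__":
    for record_id, finding in hunt(SAMPLE_EVENTS):
        print(record_id, finding)
```

Against the constructed records the hunt flags 102 (a console file opened from a Downloads folder) and 103 (PowerShell under mmc.exe) and stays silent on the stock Event Viewer console and on an administrator running a script from Explorer. In production, feed it the real Sysmon or EDR process-creation stream and tune the path markers to the environment; the two pivots are independent, so an MSC delivered via the ZIP-on-Brave-Support route described above is still caught by the second check even if it lands outside the listed directories.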