
Microsoft MMC Flaw Exploited in Active Attacks

[Image: Microsoft MMC Flaw Exploited in Active Attacks. Image credits: Bleeping Computer]

A known Russian ransomware group, EncryptHub—linked to the larger RansomHub operation—was actively exploiting a critical Windows zero-day vulnerability before Microsoft issued a fix earlier this month.

According to security experts at Trend Micro, the vulnerability, tracked as CVE-2025-26633, affected the Microsoft Management Console (MMC) and was being abused in live attacks to deploy ransomware and steal sensitive data. The flaw was among six zero-days addressed by Microsoft during its latest Patch Tuesday rollout.

Trend Micro’s threat researchers attributed the attack to EncryptHub, an affiliate of the RansomHub gang that the firm internally refers to as Water Gamayun. The group was observed targeting MMC’s handling of Microsoft Console files (.msc) and the Multilingual User Interface Path (MUIPath)—a feature that can be manipulated to load malicious files over legitimate ones.

In these stealthy intrusions, the attackers crafted two identically named .msc files: one clean version and one malicious copy placed in an “en-US” subdirectory next to it. When mmc.exe opens the console, Windows resolves the localized copy through MUIPath and loads the malicious version instead of the clean one, allowing the attackers to execute harmful commands without raising red flags.

Even more troubling, the group also abused the ExecuteShellCommand function in MMC’s ActiveX control snap-in. This let them execute shell commands from within the console, fetch remote payloads, and run them directly on compromised machines.
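The two techniques above (a same-named .msc shadowed from an “en-US” subdirectory, and console files that reference ExecuteShellCommand) both leave simple artifacts on disk that a defender can hunt for. The following Python script is an added example written for this article; it is not Trend Micro’s tooling or Microsoft’s. It builds a constructed directory tree with minimal XML stand-ins for console files (the sample contents are made up and are not functional consoles; a real .msc is a larger MMC_ConsoleFile XML document) and then runs two checks over it: one for the MUIPath shadowing layout, one for the ExecuteShellCommand string.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a clean console file (minimal XML, not a real console).
CLEAN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables/>
</MMC_ConsoleFile>
"""

# Constructed stand-in that merely contains the ExecuteShellCommand token so the
# string check has something to find; it carries no snap-in configuration.
SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">ExecuteShellCommand</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def find_mui_shadows(root):
    """Return (console, shadow) pairs where a .msc file has a same-named copy
    in an 'en-US' subdirectory beside it: the layout the article describes,
    in which MUIPath causes mmc.exe to load the localized copy."""
    hits = []
    for path in Path(root).rglob("*.msc"):
        if path.parent.name.lower() == "en-us":
            continue  # this is itself a localized copy; it is reported via its parent
        shadow = path.parent / "en-US" / path.name
        if shadow.is_file():
            hits.append((str(path), str(shadow)))
    return sorted(hits)


def find_shell_command_refs(root):
    """Return .msc files whose bytes mention ExecuteShellCommand, checking both
    UTF-8 and UTF-16LE encodings (assumption: either may appear on disk)."""
    needles = (b"ExecuteShellCommand", "ExecuteShellCommand".encode("utf-16-le"))
    hits = []
    for path in Path(root).rglob("*.msc"):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if any(n in data for n in needles):
            hits.append(str(path))
    return sorted(hits)


def build_sample_tree(base):
    """Write the constructed sample layout: one shadowed console, one unshadowed."""
    base = Path(base)
    (base / "en-US").mkdir(parents=True, exist_ok=True)
    (base / "console.msc").write_text(CLEAN_MSC)            # clean original
    (base / "en-US" / "console.msc").write_text(SUSPICIOUS_MSC)  # shadow copy
    (base / "other.msc").write_text(CLEAN_MSC)              # no shadow, benign
    return base


def run_demo():
    """Build the sample tree in a temp dir and return both check results."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="msc-hunt-"))
    return {
        "shadows": find_mui_shadows(base),
        "shell_refs": find_shell_command_refs(base),
    }


if __name__ == "__main__":
    for kind, results in run_demo().items():
        print(kind)
        for r in results:
            print("  ", r)
```

On a real host the same two functions can be pointed at user-writable locations where console files would not normally appear; a hit from find_mui_shadows is a stronger signal than a bare ExecuteShellCommand string, since some legitimate consoles do reference that method.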

Trend Micro’s analysts noted another technique involving fake trusted directories. By mimicking legitimate Windows system paths, attackers made it appear as though their malicious payloads originated from authentic sources, further bypassing user suspicion and endpoint detection.

The campaign, according to the report, is still evolving. The group is experimenting with various delivery mechanisms and custom-built malware. Among the malicious tools deployed are:

  • EncryptHub stealer – used for harvesting credentials and sensitive data
  • DarkWisp backdoor – enabling remote access
  • SilentPrism backdoor – a stealthy persistence tool
  • Rhadamanthys stealer – a known information-stealing malware

These tools are modular and flexible, allowing the attackers to tailor each breach depending on the target.

This isn’t the first time Microsoft’s MMC has been a target. Just months ago, Microsoft confirmed attackers were using tampered MSC files to run unauthorized remote code on Windows systems—a reminder that core system utilities remain attractive targets for cybercriminals.
