A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a “conflicted” individual straddling a legitimate career in cybersecurity and pursuing cybercrime.
In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the up-and-coming cybercriminal, who, about 10 years ago, fled his hometown in Kharkov, Ukraine, to a new place somewhere near the Romanian coast.
The vulnerabilities were credited by Microsoft to a party named “SkorikARI with SkorikARI,” which has been assessed to be another username used by EncryptHub. The flaws in question, both of which were fixed by Redmond as part of its Patch Tuesday update last month, are below –
- CVE-2025-24061 (CVSS score: 7.8) – Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
- CVE-2025-24071 (CVSS score: 6.5) – Microsoft Windows File Explorer Spoofing Vulnerability
EncryptHub, also tracked under the monikers LARVA-208 and Water Gamayun, was spotlighted in mid-2024 as part of a campaign that leveraged a bogus WinRAR site to distribute various kinds of malware hosted on a GitHub repository named “encrypthub.”
In recent weeks, the threat actor has been attributed to the zero-day exploitation of another security flaw in Microsoft Management Console (CVE-2025-26633, CVSS score: 7.0, aka MSC EvilTwin) to deliver information stealers and previously undocumented backdoors named SilentPrism and DarkWisp.
According to PRODAFT, EncryptHub is estimated to have compromised over 618 high-value targets across multiple industries in the last nine months of its operation.
“All data analyzed throughout our investigation points to the actions of a single individual,” Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24, told The Hacker News.
“However, we cannot rule out the possibility of collaboration with other threat actors. In one of the Telegram channels used to monitor infection statistics, there was another Telegram user with administrative privileges, suggesting potential cooperation or assistance from others without a clear group affiliation.”
Outpost24 said it was able to piece together EncryptHub’s online footprint from the “actor’s self-infections due to poor operational security practices,” uncovering new aspects of their infrastructure and tooling in the process.
The individual is believed to have kept a low profile after moving to an unspecified place near Romania, studying computer science on their own by enrolling for online courses, while seeking computer-related jobs on the side.
All of the threat actor’s activity, however, abruptly ceased in early 2022 coinciding with the onset of the Russo-Ukrainian war. That said, Outpost24 said it has found evidence to suggest that he was jailed around the same time.
“Once released, he resumed his job search, this time offering freelance web and app development services, which gained some traction,” the company said in the report. “But the pay likely wasn’t enough, and after briefly trying bug bounty programs with little success, we believe he pivoted to cybercrime in the first half of 2024.”
One of EncryptHub’s earliest ventures in the cybercrime landscape is Fickle Stealer, which was first documented by Fortinet FortiGuard Labs in June 2024 as a Rust-based information stealer malware that’s distributed via multiple channels.
In a recent interview with security researcher g0njxa, the threat actor claimed that Fickle “delivers results on systems where StealC or Rhadamantys (sic) would never work” and that it “passes high-quality corporate antivirus systems.” They also stated that the stealer is not only being shared privately, it’s also “integral” to another product of theirs dubbed EncryptRAT.
“We were able to associate Fickle Stealer with an alias previously tied to EncryptHub,” Lopez said. “Additionally, one of the domains linked to that campaign matches infrastructure connected to his legitimate freelance work. From our analysis, we estimate EncryptHub’s cybercriminal activity began around March 2024. Fortinet’s reporting in June likely marks the first public documentation of these actions.”
EncryptHub is also said to have relied extensively on OpenAI’s ChatGPT to assist with malware development, even going to the extent of using it to aid in translating emails and messages and as a confessional tool.
“EncryptHub’s case highlights how poor operational security remains one of the most critical weaknesses for cybercriminals,” Lopez pointed out. “Despite technical sophistication, basic mistakes – like password reuse, exposed infrastructure, and mixing personal with criminal activity – ultimately led to his exposure.”
