Microsoft Acknowledges Hacker EncryptHub for Windows Vulnerability Disclosures
Microsoft has credited the individual known as EncryptHub, believed to be behind over 600 data breaches, with identifying and reporting two Windows security vulnerabilities. This revelation paints a complex picture of a figure seemingly balancing cybersecurity contributions with a history of malicious cyber activity, blurring the lines between ethical hacker and cybercriminal.

Ever heard of EncryptHub? Microsoft recently gave them a shout-out for finding a couple of Windows security flaws. But here's the twist: this "lone wolf" might be leading a double life, juggling a legit cybersecurity career with… well, cybercrime.
Security firm Outpost24 KrakenLabs did a deep dive and uncovered some interesting stuff. Apparently, this up-and-coming cybercriminal (around 10 years ago) left his hometown in Ukraine and relocated somewhere near the Romanian coast.
Microsoft credited the vulnerabilities to "SkorikARI with SkorikARI," which seems to be another alias for EncryptHub. These flaws were patched in last month's Patch Tuesday update. Here's a quick rundown:
- CVE-2025-24061 (CVSS score: 7.8) - A bypass vulnerability related to Windows Mark-of-the-Web (MotW).
- CVE-2025-24071 (CVSS score: 6.5) - A spoofing vulnerability in Windows File Explorer.
EncryptHub, also known as LARVA-208 and Water Gamayun, was previously spotlighted for using a fake WinRAR site to spread malware from a GitHub repo named "encrypthub." Sneaky, right?
And it gets even more interesting. They've also been linked to the exploitation of a zero-day flaw in Microsoft Management Console (CVE-2025-26633) to deliver info stealers and some previously unknown backdoors called SilentPrism and DarkWisp.
PRODAFT estimates that EncryptHub has compromised over 600 high-value targets in just nine months.
"Our investigation points to a single individual," Lidia Lopez from Outpost24 told The Hacker News. "However, we can't completely rule out collaboration. There's evidence of another user with admin privileges in one of their Telegram channels, suggesting possible help from others."
Outpost24 pieced together EncryptHub's online activity thanks to their "poor operational security," uncovering details about their infrastructure and tools.
After moving near Romania, they reportedly studied computer science through online courses and looked for computer-related jobs.
Interestingly, their online activity seemed to stop in early 2022, around the time the Russo-Ukrainian war started. Outpost24 found evidence suggesting they were jailed around that time.
"After being released, they started offering freelance web and app development services," the report states. "But the pay probably wasn't enough. After trying bug bounty programs with little success, we think they turned to cybercrime in early 2024."
One of EncryptHub's early cybercrime ventures was Fickle Stealer, a Rust-based info stealer discovered by Fortinet FortiGuard Labs in June 2024.
In a recent interview, EncryptHub claimed Fickle "delivers results on systems where StealC or Rhadamantys (sic) would never work" and "passes high-quality corporate antivirus systems." They also mentioned it's "integral" to another product called EncryptRAT.
"We connected Fickle Stealer to an alias linked to EncryptHub," Lopez explained. "One of the domains used in that campaign also matches infrastructure related to their freelance work. We estimate EncryptHub's cybercriminal activities started around March 2024."
EncryptHub apparently used OpenAI's ChatGPT for malware development, translating emails, and even as a sort of "confessional tool."
"EncryptHub's case shows that poor operational security is still a major weakness for cybercriminals," Lopez concluded. "Despite their technical skills, basic mistakes like password reuse, exposed infrastructure, and mixing personal and criminal activity led to their exposure."