SoloSecurities: Cybersecurity Consulting & Training

EncryptHub Exposes Windows Flaws: The Dual Life of a Cybercriminal Turned Researcher

Introduction

In the intricate world of cybersecurity, the line between ethical hacking and cybercrime has always been blurred. Some individuals who begin their journey with the intent to protect often find themselves seduced by the allure of the dark web. Conversely, others who start with malicious intent occasionally find their way back into the folds of legitimate research. One such figure making waves in 2025 is a threat actor operating under the alias EncryptHub, also known by the monikers LARVA-208, Water Gamayun, and SkorikARI.

In a remarkable twist of fate, Microsoft recently credited EncryptHub for responsibly disclosing two critical vulnerabilities in Windows, despite the individual’s notorious reputation for being behind more than 618 breaches across high-value targets. This acknowledgment has reignited debates around the complicated dynamics of redemption, recognition, and the evolving role of threat actors in cybersecurity research.

In this blog, we dive deep into the dual life of EncryptHub, examining how a self-taught hacker became a central figure in modern cybercrime while simultaneously contributing to legitimate vulnerability research. We also explore the technical details of the reported vulnerabilities, the methods used in past campaigns, and what this means for the future of cybersecurity.


The Journey of EncryptHub: From Ukraine to Cyber Underground

The persona known as EncryptHub first appeared in threat intelligence reports in mid-2024. However, his digital fingerprints trace back to nearly a decade earlier. Born in Kharkov, Ukraine, the individual behind EncryptHub reportedly relocated to the Romanian coast amidst regional instability, seeking both personal security and professional opportunity.

What makes EncryptHub’s story compelling is the self-taught nature of his skills. Without formal academic training, he reportedly learned computer science through online courses and forums. This independent study was supplemented with freelance gigs in web and app development. However, the rewards of legitimate work seemed insufficient.


Cryptic Beginnings: Malware Campaigns and GitHub Abuse

EncryptHub’s first major appearance in the malware ecosystem came via the Fickle Stealer, a Rust-based information stealer first documented by Fortinet FortiGuard Labs in June 2024. Distributed through compromised websites and spam campaigns, Fickle Stealer became known for its efficiency in bypassing corporate antivirus systems.

“Fickle delivers results on systems where StealC or Rhadamantys would never work,” EncryptHub bragged in a chat with a security researcher.

The malware was hosted on a GitHub repository under the same name as the actor, signaling poor operational security (OpSec). Researchers were quick to associate the threat actor with both the repository and other connected infrastructure.

In addition to Fickle Stealer, EncryptHub developed and distributed EncryptRAT, a sophisticated remote access tool (RAT) used for persistent surveillance and data exfiltration. These tools were marketed on underground forums and shared privately, bolstering EncryptHub’s reputation.


CVE-2025-24061 and CVE-2025-24071: Breaking Down the Bugs

In March 2025, Microsoft patched two vulnerabilities that were responsibly disclosed by a researcher going by the alias “SkorikARI with SkorikARI,” later confirmed to be EncryptHub. The details of the vulnerabilities are as follows:

  1. CVE-2025-24061: Mark-of-the-Web (MotW) Security Feature Bypass (CVSS 7.8)
    • This vulnerability allowed attackers to bypass the MotW tagging mechanism, enabling them to execute malicious files without security warnings. It had severe implications for phishing campaigns and malware execution.
  2. CVE-2025-24071: Windows File Explorer Spoofing Vulnerability (CVSS 6.5)
    • This flaw permitted a crafted payload to manipulate how File Explorer displayed file origins, enabling deceptive tactics to convince users to open malicious attachments.
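
The MotW tag that a bypass of this kind defeats is an NTFS alternate data stream named Zone.Identifier, written by browsers and mail clients when a file is saved. As an added example (not code from the original post or from Microsoft), the PowerShell function below audits a folder and reports, for each file, whether the tag is present and which zone it records, so defenders can spot untagged downloads; the Downloads folder default is an assumption.

```powershell
# Added example, not from the original post or Microsoft: audit a folder for
# files whose Mark-of-the-Web (the Zone.Identifier alternate data stream) is
# missing or not marked as Internet-origin. The default folder is an assumption.
function Get-MotWStatus {
    param([string]$Path = "$env:USERPROFILE\Downloads")

    # Zone IDs as written into the Zone.Identifier stream
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $zoneId   = $null
        $referrer = $null
        try {
            # Reading a stream that does not exist throws; that means no MotW was applied
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $ads) {
                if ($line -match '^ZoneId=(\d+)$')     { $zoneId   = [int]$Matches[1] }
                if ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
            }
        } catch {
            # No Zone.Identifier stream present on this file
        }

        $status = if ($null -eq $zoneId) { 'NoMotW' }
                  elseif ($zoneId -ge 3) { 'Tagged' }
                  else { 'LowZone' }
        $zone = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { '' }

        [PSCustomObject]@{
            File     = $_.FullName
            ZoneId   = $zoneId
            Zone     = $zone
            Referrer = $referrer
            Status   = $status
            Modified = $_.LastWriteTime
        }
    }
}

# Files in the downloads folder that lack MotW, or carry a low zone id, deserve review:
# without the tag, SmartScreen and Office Protected View checks never trigger for them.
Get-MotWStatus | Where-Object { $_.Status -ne 'Tagged' } | Sort-Object Modified -Descending |
    Format-Table File, Zone, Referrer, Status, Modified -AutoSize
```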

These reports revealed an unprecedented scenario: a known threat actor being acknowledged for his contribution to security. While Microsoft has a policy of crediting researchers regardless of past activities, this instance drew significant attention due to EncryptHub’s high-profile criminal record.


Zero-Day Exploits and MSC EvilTwin

Just weeks before his white-hat turn, EncryptHub was implicated in the zero-day exploitation of CVE-2025-26633, also known as MSC EvilTwin—a flaw in Microsoft Management Console (MMC). This vulnerability allowed the stealthy deployment of malware loaders and backdoors such as SilentPrism and DarkWisp.

These backdoors were deployed across industries, from finance and healthcare to government and critical infrastructure. According to PRODAFT and Outpost24 KrakenLabs, over 618 organizations were affected in under nine months. The actor even maintained a Telegram channel to monitor infection metrics, where another user had administrative privileges—suggesting potential collaboration or outsourcing.


Life in the Shadows: Poor OpSec and Identity Exposure

Despite his growing sophistication, EncryptHub made several critical OpSec mistakes. Investigators from Outpost24 were able to trace several domains used in malware campaigns back to legitimate freelance work he had previously listed online. The use of the same usernames, passwords, and domain registration data across both personal and criminal infrastructures eventually unmasked him.

There’s evidence that EncryptHub may have been arrested in early 2022, possibly accounting for the brief hiatus in online activity. Upon release, he resumed seeking freelance work and allegedly dabbled in bug bounty programs before shifting fully into cybercrime in early 2024.


The Role of ChatGPT in Malware Development

EncryptHub reportedly relied on OpenAI’s ChatGPT for various stages of malware development. From writing code snippets to translating phishing emails and even composing forum posts, he used the AI tool as both a productivity booster and a confidant.

This raises significant ethical and technological concerns about how AI-powered tools may be aiding both sides of the cybersecurity divide.


The Ethical Quandary: Should Criminals Be Credited?

Microsoft’s decision to credit EncryptHub for the discovery of CVE-2025-24061 and CVE-2025-24071 ignited fierce discussions in the infosec community. Should individuals with a history of cybercrime be acknowledged for their positive contributions?

Arguments For:

  • Redemption: Recognition may encourage threat actors to reform.
  • Skill Acknowledgment: Technical merit should be judged separately from intent.
  • Threat Insight: Criminals often have first-hand knowledge of exploits before anyone else.

Arguments Against:

  • Legitimizing Crime: Acknowledgment could incentivize dual-role actors.
  • Mixed Signals: Undermines efforts to prosecute cybercrime.
  • Trust Issues: Can such individuals be relied on to act ethically in the future?

Lessons Learned: What the EncryptHub Case Teaches Us

For Security Teams:

  • Monitor unusual behavior in application logs
  • Enforce strict OpSec policies for internal developers
  • Use threat intelligence to track known criminal aliases

For Freelancers and Developers:

  • Keep ethical lines clear between testing and exploitation
  • Participate in bug bounty platforms within legal bounds
  • Understand that actions taken anonymously may still be traced

For Enterprises:

  • Patch systems promptly, especially post-Patch Tuesday
  • Train employees on social engineering and phishing detection
  • Consider behavior-based detection alongside signature-based tools

Conclusion: The Thin Line Between White and Black Hats

The story of EncryptHub is as fascinating as it is cautionary. It underscores the blurred boundaries between ethical hacking and cybercrime, between contribution and exploitation. As technology evolves, so do the people wielding it—sometimes in surprising and contradictory ways.

EncryptHub’s journey—from a young coder fleeing conflict to becoming a cybercriminal mastermind and now a credited vulnerability researcher—exemplifies the complex personas operating in the cyber realm. It also calls into question our definitions of trust, redemption, and recognition in the digital age.

As we move forward, one thing is clear: cybersecurity isn’t just a technical battlefield—it’s a human one too.
