Microsoft has credited a controversial hacker known as EncryptHub with discovering and reporting two Windows security vulnerabilities last month, an intriguing case of an individual who appears to straddle legitimate security research and criminal activity.
According to research by Outpost24 KrakenLabs, EncryptHub, who relocated from Kharkov, Ukraine to Romania's coastal region about a decade ago, was credited under the alias "SkorikARI" for identifying two flaws that Microsoft patched in its recent update:
- A Windows Mark-of-the-Web security bypass vulnerability (CVE-2025-24061)
- A Windows File Explorer spoofing vulnerability (CVE-2025-24071)
The hacker, also tracked as LARVA-208 and Water Gamayun, has been linked to more than 618 breaches of high-value organizations across multiple industries in just nine months. Their activities include distributing malware through a fake WinRAR website and exploiting a zero-day vulnerability in Microsoft Management Console.
Outpost24's investigation concluded that EncryptHub is most likely a single individual, though some evidence points to occasional collaboration with others. The research team traced the hacker's activities through operational security mistakes, including self-infections with their own malware that exposed their infrastructure.
The hacker's journey appears complex: after relocating to Romania, they pursued a computer science education online while seeking legitimate tech employment. Their activities paused during early 2022, coinciding with the outbreak of the Russo-Ukrainian war and a possible period of incarceration.
Upon returning to activity, EncryptHub initially attempted legitimate work as a freelance developer and bug bounty hunter before allegedly turning to cybercrime in 2024. Their criminal ventures include developing Fickle Stealer, a sophisticated information-stealing malware, and EncryptRAT.
Notably, EncryptHub extensively used ChatGPT for malware development, translation, and even as a confessional tool. Despite their technical expertise, basic operational security mistakes ultimately led to their exposure.
The case highlights the complex nature of modern cybersecurity threats, where skilled individuals may simultaneously contribute to both system security and criminal activities.