PatchDay Alert
Analysis · 5 min read · 1,096 words By The Field Notes Desk · Field Notes

The researcher who reported two Windows bugs to Microsoft was exploiting a third

CVE-2025-26633 turns MMC's localization feature into a code execution vector. EncryptHub exploited it as a zero-day while simultaneously disclosing other vulnerabilities to Microsoft for credit.


The dual-role problem

PRODAFT estimates EncryptHub compromised 618+ organizations in nine months. During that same stretch, the group filed vulnerability reports with Microsoft and received credit for two discoveries: CVE-2025-24061, a Mark of the Web bypass, and CVE-2025-24071, a File Explorer spoofing flaw. Standard coordinated disclosure, researcher name in the advisory.

While those reports were open, EncryptHub was actively exploiting CVE-2025-26633 as a zero-day against production targets. Not “around the same time,” not “in a different phase of their career.” Simultaneously. The same actor on Microsoft’s acknowledgment page and on a ransomware affiliate panel.

EncryptHub is tracked as Water Gamayun by Trend Micro and as LARVA-208 by PRODAFT, and it operates as an affiliate for RansomHub and BlackSuit ransomware. The ecosystem doesn’t sort neatly into defenders and attackers, and this is a clean illustration of why ops teams shouldn’t assume it does.

What MMC’s localization feature was never meant to do

The vulnerability itself is almost elegant in how little it asks of the operating system. Microsoft Management Console loads .msc snap-in files. When it opens one, it calls ScOnOpenDocument, which calls scGetMuiPath, which calls the Windows GetFileMUIPath API. That API checks whether a localized version of the file exists in a language subdirectory, like en-US\eventvwr.msc. If it finds one, MMC loads it instead.

No integrity check. No signature validation. No warning dialog.

The attack, which Trend Micro named “MSC EvilTwin,” drops two .msc files with the same name: a clean one where the user expects it, and a malicious copy in the locale subdirectory. MMC’s own localization logic does the rest. The malicious .msc contains an ExecuteShellCommand method that runs arbitrary commands, typically encoded PowerShell, through mmc.exe.

This is a Multilingual User Interface feature built for displaying help text in French or Japanese. Nobody at Microsoft designed it thinking about adversarial file placement, and that assumption held for years until it didn’t.

Delivery and payload

EncryptHub wasn’t subtle about delivery. Digitally signed MSI installers masquerading as DingTalk, QQTalk, and VooV Meeting. Phishing emails with .msc attachments. Windows provisioning packages (.ppkg). They also abused IntelliJ’s runnerw.exe as a living-off-the-land binary, a detail your detection team should note if JetBrains tools are in your environment.

The payloads tell you this is an operation, not a proof-of-concept: SilentPrism (PowerShell implant), DarkWisp (PowerShell backdoor over TCP 8080), Rhadamanthys Stealer, StealC, EncryptHub Stealer in three variants, and Fickle Stealer. At least six distinct tool families deployed through a single initial access vector. The stealer variants suggest active development, and the mix of custom implants with commodity stealers is consistent with a group running both espionage and monetization tracks.

MMC’s recurring problem

CVE-2025-26633 isn’t a one-off. MMC’s .msc attack surface has produced three distinct exploitation techniques in six years.

In 2018-2019, Check Point found XXE and URL injection flaws in MMC. A separate XSS in apds.dll was reported but never patched. In June 2024, Elastic Security Labs discovered attackers actively exploiting that unpatched 2018 apds.dll XSS in a technique they called GrimResource. MITRE gave it its own ATT&CK sub-technique: T1218.014. In October 2024, Microsoft patched CVE-2024-43572, another MMC RCE exploited in the wild.

Then March 2025 brings MSC EvilTwin. Three different ways to weaponize .msc files, from three different research groups, each exploiting a different aspect of the same component. The pattern suggests MMC’s security model wasn’t designed so much as inherited, and each new technique finds another assumption that nobody revisited.

Patching and hardening

Patch. The CVSS is 7.0 (High), which, combined with the “Security Feature Bypass” title, is exactly the combination that gets deprioritized on a busy cycle. Don’t let it. Microsoft addressed this in the March 11, 2025 Patch Tuesday release with no official workaround. Relevant KBs:

  • Windows 11 24H2: KB5053598 (Build 26100.3476)
  • Windows 11 23H2: KB5053602 (Build 22631.5039)
  • Windows 10 / Server 2019 (1809): KB5053596

Every supported Windows version is affected, from Windows 10 through Server 2025. Additional KBs cover Server 2022, Server 2025, and older Windows 10 builds; check the MSRC advisory for the full matrix.

CISA added this to the KEV catalog on March 11, with a remediation deadline of April 1, 2025. If you’re in a federal environment or use the KEV as your compliance baseline, that deadline has already passed. Ransomware use is confirmed.

Beyond patching, harden the surface:

  • Block .msc attachments at your mail gateway and web proxy. Your users don’t need to receive snap-in files by email.
  • Restrict .msc execution via AppLocker or WDAC policies. This is the single most effective mitigation if you can’t patch immediately, but test it: blanket .msc blocking will break admin tooling.
  • Monitor mmc.exe child processes. mmc.exe spawning PowerShell, cmd.exe, or rundll32.exe is not normal behavior. If your EDR isn’t alerting on this, it should be.
  • Watch for .msc files written to MUI subdirectories outside of Windows Update. A file appearing in C:\Windows\System32\en-US\ that didn’t come from a servicing operation is a strong indicator.

CrowdStrike, Defender for Endpoint, and Trend Vision One all have detections. Cisco Talos published Snort rules. If you’re running something else, build detection around the child-process pattern; it’s the most reliable signal.
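As an added illustration (not code from the article or from any vendor’s detection content), here is a small Python detector run over constructed Sysmon-style events that implements two of the signals listed above: mmc.exe spawning a shell or rundll32, and a .msc written into a locale subdirectory by anything other than a servicing process. The Event ID 1/11 field names follow Sysmon’s schema; the servicing allow-list and the locale-folder pattern are assumptions you would tune to your environment.

```python
import re

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 11 = file creation; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc <constructed-base64>"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc.exe C:\Users\alice\Downloads\eventvwr.msc"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\en-US\eventvwr.msc"},
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\en-US\eventvwr.msc"},
]

SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe"}
# Processes allowed to write into MUI folders during servicing (assumed list).
SERVICING_IMAGES = {"trustedinstaller.exe", "tiworker.exe"}
# A locale folder such as en-US or ja-JP directly holding the .msc file.
MUI_MSC = re.compile(r"\\[a-z]{2,3}-[a-z]{2}\\[^\\]+\.msc$", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_mmc_child(event):
    # Signal 1: mmc.exe launching a shell or rundll32 (ExecuteShellCommand).
    if event.get("EventID") != 1 or basename(event.get("ParentImage", "")) != "mmc.exe":
        return None
    child = basename(event.get("Image", ""))
    if child in SUSPICIOUS_CHILDREN:
        return f"mmc.exe spawned {child}: {event.get('CommandLine', '')}"
    return None

def detect_mui_msc_write(event):
    # Signal 2: a .msc dropped into a locale subdirectory outside servicing.
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    writer = basename(event.get("Image", ""))
    if not MUI_MSC.search(target) or writer in SERVICING_IMAGES:
        return None
    return f".msc written to MUI folder by {writer}: {target}"

def scan(events):
    # Apply both rules to every event; returns the alert strings in order.
    rules = (detect_mmc_child, detect_mui_msc_write)
    return [hit for ev in events for rule in rules if (hit := rule(ev))]
```

Calling scan(SAMPLE_EVENTS) yields two alerts: the PowerShell child of mmc.exe and the msiexec.exe write into the en-US folder; the TrustedInstaller write is allow-listed.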

The window

This was patched in March 2025 and exploited in the wild before the patch shipped. Trend Micro’s research places early activity in early 2025. The CISA KEV deadline was April 1, 2025. If you’re reading this and haven’t applied the March cumulative update, you are over a year past the federal remediation deadline for a vulnerability with confirmed ransomware use.

The uncomfortable detail is that March 2025 Patch Tuesday included six actively exploited zero-days across 57 vulnerabilities. CVE-2025-26633 was one of six, alongside NTFS info disclosures, a Fast FAT RCE, and a Win32 Kernel privilege escalation. Cycles like that strain any patch operation, and the ones that get deferred are usually the ones that don’t have “Remote Code Execution” in the title. “Security Feature Bypass” sounds lower priority until you see what the bypass enables.

This is exactly the kind of signal-vs-noise problem that makes triage brutal on heavy patch cycles. PatchDay Alert’s daily digest flags which of those 57 vulnerabilities have exploitation evidence, so the ones with confirmed ransomware use don’t get lost in the sort order.

A localization feature built to serve help files in the right language. No integrity check. A threat actor who files vulnerability reports and runs ransomware operations from the same desk. MMC has been an attack surface for six years and counting. The assumptions baked into Windows components from a less adversarial era don’t age out quietly; they get CVE numbers.
