When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal

Aug. 15, 2025, 12:37 p.m.

Description

EncryptHub, an emerging threat group, has launched a campaign that combines social engineering with exploitation of CVE-2025-26633 to deliver malicious payloads. The attackers impersonate IT support staff, establish remote desktop sessions with victims, and execute PowerShell commands to deploy malware. The campaign abuses the Brave Support platform to host payloads and introduces new tooling, including SilentCrystal and a SOCKS5 proxy backdoor. EncryptHub also created a fake video call platform, RivaTalk, to distribute malware. The group's tradecraft includes AES-encrypted command traffic, generated fake browser traffic to blend in, and exploitation of system vulnerabilities. This adaptive adversary highlights the need for layered defenses, ongoing threat intelligence, and user awareness training to mitigate the risk.

Date

  • Created: Aug. 14, 2025, 8:58 p.m.
  • Published: Aug. 14, 2025, 8:58 p.m.
  • Modified: Aug. 15, 2025, 12:37 p.m.

Indicators

  • d2a2fc005adf75fa5e7338b2e76053ac44f3aedadc6b31fbec172d8e1c209a11
  • eff721dc91044c7ae3e7918627ce1e61aec6ee959e4c9602eebe88150da18eba
  • 8f1dfb086d11cb1c235d7d6d9889f9d7c34da6f01cf407508b3292e63fe5e034
  • 7fbcc5dfccb73c27b69a055da37c7034336f420f7f09e7f639f0987cda124af8
  • 6fb7fd9763d6b269793c80bbc03a1be358390781af4b698fba1591cb8dbb8825
  • 6cfbf662f1444a8cdec263f311be6c5b73404c14b20e0570ab28b8fc62f7225b
  • 5635dd2ea74ebc829f1f53777be22ad34bb6a14d7e1e2e90e25268f65aca1220
  • 3ce029e547aae3d8e3a96347c7051bc81b60ec28f077645cbf31a32237a79797
  • 3fcd387227dc5d4d49d38d60d80ad3ddf9d33d98f29a8bced1f1141d4ec80fea
  • 3a89c1469067ddedf187145fc168fbc6cce8b754262ddde449c6d72c82ec25aa
  • 20d813dcfd6b6a44b27a09cf2e780cccab2bfef9c9b1e506424ff240a571e69c
  • 082fbf96c546fa58ccb72316a55b2c913ef9f551f7e761c7232a1477c14e6bb6
  • https://api.rivatalk.net/meta/pay.ps1
  • rivatalk.net
  • cjhsbam.com
  • 0daydreams.net

Attack Patterns

  • SilentCrystal
  • Fickle Stealer
  • EncryptHub

Linked vulnerabilities