A lone wolf actor, known as EncryptHub, has been acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month. This acknowledgement has shed light on a “conflicted” individual who is balancing a legitimate career in cybersecurity with a life of cybercrime.

In a recent analysis published by Outpost24 KrakenLabs, the Swedish security company has unmasked the up-and-coming cybercriminal. According to the report, the individual fled their hometown in Kharkov, Ukraine, around 10 years ago and moved to a new location near the Romanian coast.

The vulnerabilities were credited by Microsoft to a party named “SkorikARI with SkorikARI,” which has been assessed to be another username used by EncryptHub. The two security flaws, both of which were fixed by Redmond as part of its Patch Tuesday update last month, are as follows:

• CVE-2025-24061 (CVSS score: 7.8) – Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
• CVE-2025-24071 (CVSS score: 6.5) – Microsoft Windows File Explorer Spoofing Vulnerability

EncryptHub, also tracked under the monikers LARVA-208 and Water Gamayun, was highlighted in mid-2024 for their involvement in a campaign that leveraged a fake WinRAR site to distribute various kinds of malware hosted on a GitHub repository named “encrypthub.”

In recent weeks, the threat actor has been linked to the zero-day exploitation of another security flaw in Microsoft Management Console (CVE-2025-26633, CVSS score: 7.0, aka MSC EvilTwin) to deliver information stealers and previously undocumented backdoors named SilentPrism and DarkWisp.

According to PRODAFT, EncryptHub is estimated to have compromised over 618 high-value targets across multiple industries in the last nine months of its operation.

Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24, stated, “All data analyzed throughout our investigation points to the actions of a single individual.” However, she also noted, “We cannot rule out the possibility of collaboration with other threat actors. In one of the Telegram channels used to monitor infection statistics, there was another Telegram user with administrative privileges, suggesting potential cooperation or assistance from others without a clear group affiliation.”

Outpost24 was able to piece together EncryptHub’s online footprint from the “actor’s self-infections due to poor operational security practices,” uncovering new aspects of their infrastructure and tooling in the process.

The individual is believed to have kept a low profile after moving to an unspecified location near Romania, where they studied computer science through online courses and sought computer-related jobs.

All of the threat actor’s activity, however, abruptly ceased in early 2022, coinciding with the onset of the Russo-Ukrainian war. Outpost24 found evidence suggesting that the individual was jailed around the same time.

“Once released, he resumed his job search, this time offering freelance web and app development services, which gained some traction,” the company said in the report. “But the pay likely wasn’t enough, and after briefly trying bug bounty programs with little success, we believe he pivoted to cybercrime in the first half of 2024.”

One of EncryptHub’s earliest ventures in the cybercrime landscape is Fickle Stealer, which was first documented by Fortinet FortiGuard Labs in June 2024 as a Rust-based information stealer malware distributed via multiple channels.

In a recent interview with security researcher g0njxa, the threat actor claimed that Fickle “delivers results on systems where StealC or Rhadamantys (sic) would never work” and that it “passes high-quality corporate antivirus systems.” They also stated that the stealer is not only being shared privately but is also “integral” to another product dubbed EncryptRAT.

“We were able to associate Fickle Stealer with an alias previously tied to EncryptHub,” Lopez said. “Additionally, one of the domains linked to that campaign matches infrastructure connected to his legitimate freelance work. From our analysis, we estimate EncryptHub’s cybercriminal activity began around March 2024. Fortinet’s reporting in June likely marks the first public documentation of these actions.”

EncryptHub is also said to have relied extensively on OpenAI’s ChatGPT to assist with malware development, even using it to aid in translating emails and messages and as a confessional tool.

“EncryptHub’s case highlights how poor operational security remains one of the most critical weaknesses for cybercriminals,” Lopez pointed out. “Despite technical sophistication, basic mistakes – like password reuse, exposed infrastructure, and mixing personal with criminal activity – ultimately led to his exposure.”