Hackers Use Phone Scams and New Exploits, Breached 618 Firms
Hackers from EncryptHub combine social engineering tactics with sophisticated exploits, breaching over 600 organizations across the globe.
In a rush? Here are the quick facts:
- EncryptHub hackers mix social engineering with advanced malware to breach systems.
- Group already compromised 618 organizations worldwide, researchers warn.
- Malware SilentCrystal hides in fake system folders, downloads via Brave Support.
Researchers from Trustwave SpiderLabs have uncovered a new hacking campaign by the group EncryptHub, which mixes phone scams with advanced technical tricks to break into victims’ computers.
The hackers start by pretending to be IT support staff, making direct phone calls to build trust with their targets. They then persuade victims to grant them access to their computers through Microsoft Teams or remote desktop connections. Once connected, the attackers run commands that secretly download malware.
EncryptHub, also known as LARVA-208 and Water Gamayun, has already compromised 618 organizations worldwide. “Social engineering remains one of the most effective tools in a cybercriminal’s arsenal, and the emerging threat group EncryptHub has hopped right on the bandwagon to leverage,” the researchers said.
One of the main flaws used in this campaign is a Windows vulnerability called CVE-2025-26633, also known as ‘MSC EvilTwin’. It allows hackers to trick Windows into loading fake system files that run malicious code. The attackers use this flaw to take control of infected machines.
The hackers are also deploying new tools. One, called ‘SilentCrystal’, hides its malware in fake system folders and downloads payloads from Brave Support, a legitimate browser help platform. Another is a SOCKS5 proxy backdoor that secretly connects compromised computers to EncryptHub’s command centers.
In addition, the group has set up a fake video call service, rivatalk.net, to spread malicious installers disguised as conferencing software. Once installed, the software runs hidden PowerShell scripts to steal data, maintain access, and disguise hacker traffic as normal browsing activity.
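Two of the behaviours described above, payloads staged in folders that imitate Windows system directories and PowerShell launched hidden, are the kind of thing a defender can hunt for in process-creation telemetry. The script below is an added example written for this article; it is not code from Trustwave SpiderLabs, the campaign, or the Brave or Microsoft products named here. The event record layout, the constructed sample events, the trailing-space lookalike folder and the hidden/encoded PowerShell switches it matches are all assumptions chosen for illustration.

```python
# Added example for this article (not code from Trustwave SpiderLabs or the
# campaign itself): a small hunt over process-creation records that flags two
# behaviours the article attributes to EncryptHub, executables staged in
# folders that imitate Windows system directories and PowerShell launched
# hidden or with an encoded command. The record format, the sample events and
# the trailing-space spoof pattern are constructed assumptions.
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Genuine system directories, lower-cased, no trailing separator.
CANONICAL_SYSTEM_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# -WindowStyle Hidden (any prefix of the switch, or the numeric value 1) or an
# encoded command (-e / -ec / -enc / -EncodedCommand followed by a blob).
HIDDEN_PS_FLAGS = re.compile(
    r"-(?:w\w*\s+(?:hidden|1)\b|e(?:c|nc|ncodedcommand)?\s+\S)", re.I
)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the executable that started
    command_line: str
    parent_image: str


def looks_like_spoofed_system_dir(image_path: str) -> bool:
    """True when the image lives in a directory that only *looks* like a
    system directory. One heuristic: collapse whitespace inside each path
    component; if the collapsed path is a real system directory but the raw
    one is not, the folder is a lookalike such as 'C:\\Windows \\System32'."""
    directory = ntpath.dirname(image_path).rstrip("\\").lower()
    if directory in CANONICAL_SYSTEM_DIRS:
        return False
    collapsed = "\\".join(part.strip() for part in directory.split("\\"))
    return collapsed in CANONICAL_SYSTEM_DIRS


def is_hidden_powershell(ev: ProcessEvent) -> bool:
    """PowerShell started with a hidden window or an encoded command."""
    if ntpath.basename(ev.image).lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    return HIDDEN_PS_FLAGS.search(ev.command_line) is not None


def analyze(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs in event order."""
    findings = []
    for ev in events:
        if looks_like_spoofed_system_dir(ev.image):
            findings.append((ev.pid, "image-in-spoofed-system-dir"))
        if is_hidden_powershell(ev):
            findings.append((ev.pid, "hidden-or-encoded-powershell"))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Folder name carries a trailing space after 'Windows': a lookalike.
    ProcessEvent(4120, r"C:\Windows \System32\update.exe",
                 r"C:\Windows \System32\update.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4203, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1",
                 r"C:\Windows\explorer.exe"),
    # Constructed base64 blob; the content is irrelevant to the check.
    ProcessEvent(4250, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w 1 -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4301, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS):
        print(pid, finding)
```

Run as-is it reports the lookalike folder for PID 4120 and the hidden or encoded PowerShell launches for PIDs 4188 and 4250, while the normal PowerShell inventory script and the genuine svchost.exe pass. The whitespace-collapse check is deliberately narrow; a real hunt would add other lookalike forms and join the results with the remote-session context (Teams or RDP parent processes) that the article says precedes the download.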
Trustwave SpiderLabs warns that EncryptHub is becoming more dangerous by blending scams, stolen trust, and new malware. They conclude the group is “a well-resourced and adaptive adversary,” making user awareness, patches, and fast response more critical than ever.