Skip to main content
Mallory
Back to malware
MalwareUsed by 1 actorExploits 1 CVE

SilentCrystal

SilentCrystal is a Golang-compiled loader associated with the Russian financially motivated threat actor EncryptHub, also tracked as LARVA-208 and Water Gamayun. It has been observed in campaigns exploiting the Windows Microsoft Management Console vulnerability CVE-2025-26633 ("MSC EvilTwin") as part of multi-stage intrusion chains that combine social engineering with technical exploitation. Researchers described SilentCrystal as part of EncryptHub’s shift toward stealthier and more resilient tooling.

SilentCrystal abuses Brave Support, a legitimate Brave browser support platform, to host next-stage malware. It sends a POST request to a command-and-control server using a hardcoded API key and a randomly generated .zip filename; the server responds with a Brave Support link to a ZIP archive containing weaponized .msc files used in the CVE-2025-26633 attack chain. Trustwave assessed the actor likely had unauthorized access to a Brave Support account with file-upload permissions. SilentCrystal also creates a deceptive directory path, "C:\Windows \System32," using a trailing space after "Windows," and replaces a {URI} placeholder inside a WF.msc file with a malicious C2 URL before triggering execution via the CVE-2025-26633 behavior.

The malware has been described as mirroring functionality previously implemented in PowerShell scripts used by the group to deploy malicious .msc files. In the broader observed campaigns, EncryptHub used Microsoft Teams and fake IT-support or videoconferencing lures to initiate infection, with downstream payloads including PowerShell scripts for reconnaissance, persistence, C2 communications, and delivery of additional malware such as Fickle Stealer. SilentCrystal itself is specifically identified as the Go-based loader stage used to retrieve and prepare the malicious payload archive for this exploitation chain.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2025-26633MSC EvilTwinExploited in the wild

Also deployed by the threat actor ... is a Go-based loader codenamed SilentCrystal, which abuses Brave Support ... to host next-stage malware. | Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.

via the hacker newsthehackernews.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
EncryptHub

Researchers identified new tools like SilentCrystal and a Golang SOCKS5 backdoor, showcasing EncryptHub's shift towards stealthier and resilient methods.

via scworldscworld.com
INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting
ip.v4●●●●●●●●●●●●View more in app10 months ago
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
scworldNews
Aug 18, 2025
EncryptHub exploits Windows flaw CVE-2025-26633 with rogue MSC files

Tool/malware used in EncryptHub’s campaign; described as a new tool associated with stealthier, more resilient operations. Specific capabilities are not detailed in the provided content beyond being part of the toolset alongside a SOCKS5 backdoor.

Read more
the hacker newsNews
Aug 16, 2025
Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

Go-based loader used by EncryptHub to stage/host and deliver next-stage malware (ZIP containing weaponized MSC files) via abuse of Brave Support.

Read more
trustwave spiderlabs blogNews
Aug 13, 2025
When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub’s Expanding Arsenal

Golang-compiled loader used to stage and deliver EncryptHub payloads; abuses Brave Support to host/download a ZIP payload, prepares/patches .msc content, and triggers execution via MMC (.msc) abuse in conjunction with CVE-2025-26633 (MSC EvilTwin).

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.