The reported flaws are CVE-2025-24061 (Mark of the Web bypass) and CVE-2025-24071 (File Explorer spoofing), which Microsoft fixed in its March 2025 Patch Tuesday updates, giving credit to the reporter as ‘SkorikARI.’ In this absurd incident, the actor had dual identities—EncryptHub and SkorikARI. The entire case shows us an individual who works in both cybersecurity and cybercrime.
Discovery of EncryptHub’s dual identity
Outpost24 linked SkorikARI and EncryptHub via a security breach, where the latter mistakenly revealed their credentials, exposing links to multiple accounts. The disclosed profile showed the actor’s swing between malicious activities and cybersecurity operations.
Actor tried to sell zero-day on dark web
Outpost24’ security researcher Hector Garcia said the “hardest evidence was from the fact that the password files EncryptHub exfiltrated from his system had accounts linked to both EncryptHub” such as credentials to EncryptRAT- still in development, or “his account on xss.is, and to SkorikARI, like accesses to freelance sites or his own Gmail account.”
Garcia also said there was a login to “hxxps://github[.]com/SkorikJR,” which was reported in July’s Fortinet story about Fickle Stealer; this helped them solve the puzzle. Another big reveal of the links to dual identity was ChatGPT conversations, where activities of both SkorikARI and EncryptHub could be found.
Zero-day activities and operational failures in the past
Evidence suggests this wasn't EncryptHub's first involvement with zero-day flaws, as the actor has tried to sell it to other cybercriminals on hacking forums.
Outpost24 highlighted EncryptHub's suspicious activities- oscillating between cybercrime and freelancing. An accidental operational security (OPSEC) disclosed personal information despite their technical expertise.
EncryptHub and ChatGPT
Outpost24 found EncryptHub using ChatGPT to build phishing sites, develop malware, integrate code, and conduct vulnerability research. One ChatGPT conversation included a self-assessment showing their conflicted nature: “40% black hat, 30% grey hat, 20% white hat, and 10% uncertain.” The conversation also showed plans for massive (although harmless) publicity stunts affecting tens of thousands of computers.
Impact
EncryptHub has connections with ransomware groups such as BlackSuit and RansomHub who are known for their phishing attacks, advanced social engineering campaigns, and making of Fickle Stealer- a custom PowerShell-based infostealer.
