
Image by vecstock, from Freepik
Hackers Use Phone Scams and New Exploits, Breached 618 Firms
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
Hackers from EncryptHub combine social engineering tactics with sophisticated exploits, breaching over 600 organizations across the globe.
In a rush? Here are the quick facts:
- EncryptHub hackers mix social engineering with advanced malware to breach systems.
- Group already compromised 618 organizations worldwide, researchers warn.
- Malware SilentCrystal hides in fake system folders, downloads via Brave Support.
Researchers from Trustwave SpiderLabs have uncovered a new hacking campaign by the group EncryptHub, which mixes phone scams with advanced technical tricks to break into victims’ computers.
The hackers start by pretending to be IT support staff, making direct phone calls to build trust with their targets. They then persuade victims to grant them remote access to their computers through Microsoft Teams or a remote desktop connection. Once connected, the attackers run commands that quietly download malware onto the machine.
EncryptHub, also known as LARVA-208 and Water Gamayun, has already compromised 618 organizations worldwide. “Social engineering remains one of the most effective tools in a cybercriminal’s arsenal, and the emerging threat group EncryptHub has hopped right on the bandwagon to leverage,” the researchers said.
One of the main flaws used in this campaign is CVE-2025-26633, a Windows vulnerability in Microsoft Management Console nicknamed ‘MSC EvilTwin’. It lets an attacker trick Windows into loading a malicious console file in place of a legitimate one, so that the attacker’s code runs instead. The group uses this loophole to take control of infected machines. Microsoft shipped a fix for the flaw in its March 2025 updates, so confirming that this patch is installed is the first check to make.
The hackers are also deploying new tools. One, called ‘SilentCrystal’, hides its malware in fake system folders and downloads payloads from Brave Support, a legitimate browser help platform, so the download traffic looks like a visit to a trusted site. Another is a SOCKS5 proxy backdoor that quietly tunnels traffic between compromised computers and EncryptHub’s command-and-control servers.
In addition, the group has set up a fake video call service, rivatalk.net, to spread malicious installers disguised as conferencing software. Once installed, it runs hidden PowerShell scripts to steal data, maintain access, and disguise hacker traffic as normal browsing activity.
Trustwave SpiderLabs warns that EncryptHub is becoming more dangerous by blending scams, stolen trust, and new malware. They conclude the group is “a well-resourced and adaptive adversary,” making user awareness, patches, and fast response more critical than ever.

Image by Solen Feyissa, from Unsplash
Fake Gmail Login Page Steals Credentials
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
A new Gmail phishing attack is tricking users with fake voicemail notifications and stealing their login credentials through a highly sophisticated setup.
In a rush? Here are the quick facts:
- New phishing attack targets Gmail users with fake voicemail notifications.
- Attack abuses Microsoft Dynamics platform to bypass security filters.
- Fake Gmail login steals passwords, 2FA codes, and recovery data.
The campaign, first identified by Anurag, begins with emails disguised as “New Voice Notification” alerts. These messages appear to come from trusted voicemail services and include a “Listen to Voicemail” button. Clicking it sends victims through a series of compromised websites.
The first stage is especially deceptive: it is hosted on assets-eur.mkt.dynamics.com, part of Microsoft’s legitimate Dynamics marketing platform. Because the first link in the email points at Microsoft-owned infrastructure with a clean reputation, it lends the message credibility and helps it slip past reputation-based email security filters.
Afterward, users are sent to a CAPTCHA page on ‘horkyrown[.]com’, a domain registered in Pakistan. The CAPTCHA creates a false sense of security while being part of the malicious setup; it also keeps automated URL scanners from reaching the page behind it. The final step shows a flawless copy of Gmail’s login page, complete with Google branding.
Once users enter their information, the system captures not only email addresses and passwords but also two-factor authentication codes, backup recovery codes, and even answers to security questions. The data is exfiltrated to servers abroad before victims realize they’ve been compromised.
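The chain described above (trusted marketing host, CAPTCHA gate on an unrelated domain, look-alike sign-in page that asks for second-factor and recovery data) can be scored mechanically once an analyst has recorded each hop. The script below is an added example, not code from the article or from the researcher who reported the campaign. The two hostnames are the ones the article names; the paths, page titles and form field names are assumptions for this example, as is placing the final login page on the same domain as the CAPTCHA gate.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts where a genuine Google sign-in page may legitimately live.
GOOGLE_SIGNIN_HOSTS = {"accounts.google.com"}
BRAND_WORDS = ("gmail", "google")
# Input names a credential-harvesting page asks for beyond the password.
SECOND_FACTOR_FIELDS = {"totp", "otp", "backup_code", "recovery_code", "security_answer"}


def refang(url: str) -> str:
    """Turn defanged indicators ('horkyrown[.]com', 'hxxps://') back into parseable URLs."""
    return url.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def base_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels.
    Assumption for this example; production code should use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class Hop:
    url: str                    # as captured by the analyst, defanged or not
    title: str = ""             # page <title>, if recorded
    form_fields: tuple = ()     # input names found on the page, if recorded
    has_captcha: bool = False   # the page was a CAPTCHA gate

    @property
    def host(self) -> str:
        return urlsplit(refang(self.url)).hostname or ""


def analyze_chain(chain: list) -> tuple:
    """Return (findings, impersonation) for an ordered list of Hops.

    impersonation is True when the final page carries Google branding, asks for a
    password, and is not on a Google sign-in host; the other findings are context.
    """
    findings = []
    for prev, cur in zip(chain, chain[1:]):
        if base_domain(prev.host) != base_domain(cur.host):
            findings.append(f"domain_change:{prev.host}->{cur.host}")
    for hop in chain[:-1]:
        if hop.has_captcha:
            findings.append(f"captcha_gate:{hop.host}")
    final = chain[-1]
    fields = {f.lower() for f in final.form_fields}
    brand = any(w in final.title.lower() for w in BRAND_WORDS)
    impersonation = brand and "password" in fields and final.host not in GOOGLE_SIGNIN_HOSTS
    if impersonation:
        findings.append(f"brand_impersonation:{final.host}")
    harvested = sorted(fields & SECOND_FACTOR_FIELDS)
    if harvested:
        findings.append("second_factor_harvest:" + ",".join(harvested))
    return findings, impersonation


# Constructed chain modelled on the article's description; paths, titles and
# field names are assumptions made for this example.
SAMPLE_CHAIN = [
    Hop("https://assets-eur.mkt.dynamics.com/t/r", title="Redirecting"),
    Hop("hxxps://horkyrown[.]com/verify", title="Checking your browser", has_captcha=True),
    Hop("hxxps://horkyrown[.]com/accounts/signin", title="Gmail - Sign in",
        form_fields=("identifier", "password", "totp", "backup_code", "security_answer")),
]
# A genuine sign-in for comparison: branded, asks for a password, but on the real host.
GENUINE_LOGIN = [Hop("https://accounts.google.com/signin/v2/identifier",
                     title="Gmail", form_fields=("identifier", "password"))]

if __name__ == "__main__":
    for name, chain in (("sample", SAMPLE_CHAIN), ("genuine", GENUINE_LOGIN)):
        findings, phish = analyze_chain(chain)
        print(name, "impersonation" if phish else "ok", findings)
```

A domain change off a marketing platform is not malicious on its own, since legitimate campaigns redirect to customer sites all the time; the verdict rests on the final page, and the CAPTCHA gate and second-factor fields are recorded as supporting evidence for the analyst’s write-up.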
Anurag observed that “the malicious JavaScript powering the fake login page employs sophisticated obfuscation methods.” The code uses AES encryption to hide its purpose and contains anti-debugging checks that redirect users to the real Google login page if they try to inspect it.
Experts warn this campaign represents “a significant evolution in phishing techniques, combining social engineering with legitimate infrastructure abuse and advanced technical evasion methods.”
Gmail users are advised to be cautious of unexpected voicemail notifications and always verify login prompts through official Google channels, checking that the address bar shows accounts.google.com before typing anything. Because the kit relays one-time codes as they are entered, code-based 2FA does not stop this attack; a passkey or FIDO2 security key does, since it is bound to the genuine Google origin and will not authenticate to a look-alike domain. Those who suspect they were targeted should immediately change their passwords, review recent account activity, and check that no unknown recovery email or phone number has been added.