EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.

The reported vulnerabilities are CVE-2025-24061 (Mark of the Web bypass) and CVE-2025-24071 (File Explorer spoofing), which Microsoft addressed during the March 2025 Patch Tuesday updates, acknowledging the reporter as ‘SkorikARI with SkorikARI .’

A new report by Outpost24 researchers has now linked the EncryptHub threat actor with SkorikARI after the threat actor allegedly infected himself and exposed their credentials.

This exposure allowed the researchers to link the threat actor to various online accounts and expose the profile of a person who vacillates between being a cybersecurity researcher and a cybercriminal.

One of the exposed accounts is SkorikARI, which the hacker used to disclose the two mentioned zero-day vulnerabilities to Microsoft, contributing to Windows security.

Hector Garcia, Security Analyst at Outpost24, told BleepingComputer that the link of SkorikARI to EncryptHub is based on multiple pieces of evidence, making up for a high-confidence assessment.

“The hardest evidence was from the fact that the password files EncrypHub exfiltrated from his own system had accounts linked to both EncryptHub, like credentials to EncryptRAT, which was still in development, or his account on xss.is, and to SkorikARI, like accesses to freelance sites or his own Gmail account,” explained Garcia.

“There was also a login to hxxps:// github[.]com/SkorikJR, which was mentioned in July’s Fortinet Article about Fickle Stealer, bringing it all together.”

“Another huge confirmation of the link between the two were the conversations with ChatGPT, where activity related both to EncryptHub and to SkorikARI can be observed.”

EncryptHub’s foray into zero-days is not new, with the threat actor or one of the members attempting to sell zero-days to other cybercriminals on hacking forums.

Outpost24 delved into EncryptHub’s journey, stating that the hacker repeatedly shifts between freelance development work and cybercrime activity.

Despite his apparent IT expertise, the hacker reportedly fell victim to bad opsec practices that allowed his personal information to be exposed.

This includes the hacker’s use of ChatGPT for developing malware and phishing sites, integrating third-party code, and researching vulnerabilities.

The threat actor also had a deeper, personal engagement with OpenAI’s LLM chatbot, in one case describing his accomplishments and asking the AI to categorize him as a cool hacker or malicious researcher.

Based on the provided inputs, ChatGPT assessed him as 40% black hat, 30% grey hat, 20% white hat, and 10% uncertain, reflecting a morally and practically conflicted individual.

The same conflict is reflected in his future planning on ChatGPT, where the hacker asks for the chatbot’s help in organizing a massive but “harmless” campaign impacting tens of thousands of computers for publicity.

Who is EncryptHub

EncryptHub is a threat actor that is believed to be loosely affiliated with ransomware gangs, such as RansomHub and the BlackSuit operations.

However, more recently, the threat actors have made a name for themselves with various social engineering campaigns, phishing attacks, and creating a custom PowerShell-based infostealer named Fickle Stealer.

The threat actor is also known for conducting social engineering campaigns where they create social media profiles and websites for fictitious applications.

In one example, researchers found that the threat actor created an X account and website for a project management application called GartoriSpace.

This site was promoted through private messages on social media platforms that would provide a code required to download the software. When downloading the software, Windows devices would receive a PPKG file [VirusTotal] that installed Fickle Stealer, and Mac devices would receive the AMOS information-stealer [VirusTotal].

EncryptHub has also been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability tracked as CVE-2025-26633. The flaw was fixed in March but was attributed to Trend Micro rather than the threat actor.

Overall, the threat actors’ campaigns appear to be working for them as a report by Prodaft says the threat actors have compromised over six hundred organizations.