Do Son 
Swedish cybersecurity experts have uncovered an extraordinary tale of a hacker who walks a fine line between legitimate professional recognition and cybercriminal enterprise. Just last month, he received an official commendation from Microsoft for identifying two serious vulnerabilities in Windows. However, as investigators at Outpost24 KrakenLabs revealed, he was simultaneously engaged in the creation of malicious software.
The vulnerabilities he discovered were indeed significant. The first, CVE-2025-24061, enabled attackers to bypass the crucial Mark-of-the-Web security mechanism and received a CVSS score of 7.8. The second, CVE-2025-24071, rated 6.5, opened the door to interface spoofing attacks within Windows Explorer. Listed in Microsoft’s vulnerability database under the name “SkorikARI with SkorikARI,” he is more widely known online as EncryptHub.
Ten years ago, he left his hometown of Kharkiv and settled along Romania’s coastline. There, he taught himself computer science through online courses, aspiring to find a career in the IT sector. After several unsuccessful attempts to earn through bug bounty programs, he turned his attention to developing malware.
His first major creation was Fickle Stealer, an infostealer written in Rust, first identified by Fortinet’s FortiGuard Labs in June 2024. In a recent interview with researcher g0njxa, the author proudly explained that the tool bypasses enterprise security systems and operates effectively where others, such as StealC or Rhadamantys, fail. This malicious code is distributed to a select clientele and embedded within his newer creation, EncryptRAT.
“We managed to link Fickle Stealer to one of EncryptHub’s former aliases,” explained Lydia Lopez, lead analyst at Outpost24. “Moreover, a domain used in that malicious campaign overlaps with infrastructure he employed for freelance legal work. Our estimates suggest his criminal operations began around March 2024. Fortinet’s June report was the first public reference to his activity.”
By mid-2024, the hacker launched another large-scale campaign. He created a counterfeit website mimicking the popular archiving software WinRAR to distribute malware via a GitHub repository. In recent weeks, researchers found he was exploiting a new zero-day vulnerability in Microsoft Management Console (CVE-2025-26633). Dubbed MSC EvilTwin, this flaw, rated at 7.0 on the CVSS scale, was used to deploy infostealers and newly discovered backdoors SilentPrism and DarkWisp.
The scale of his attacks is striking: according to cybersecurity firm PRODAFT, the hacker breached more than 618 high-value targets across various sectors over a nine-month period. Lopez notes:
“All evidence points to a lone operator. However, we cannot rule out the possibility of collaboration with other hackers. In one Telegram channel used to track infection statistics, another user with administrative privileges was identified.”
EncryptHub’s downfall was hastened by his own operational security mistakes. He occasionally infected himself due to carelessness, allowing researchers to uncover new facets of his infrastructure and tools. Throughout his work, he relied heavily on ChatGPT—not only for coding assistance but also for translating messages and emails. Remarkably, he engaged in candid conversations with the AI, at times confessing details of his illicit endeavors as if in a digital confessional.
The story of EncryptHub serves as a compelling reminder: even the most technically adept cybercriminals are not immune to basic missteps. Reused passwords, unsecured infrastructure, and the blending of personal and illicit activities ultimately led to his exposure. What comes next remains to be seen.
