Monday, April 28, 2025

Water Gamayun Hackers Exploit MSC EvilTwin Zero-day Vulnerability to Hack Windows Machine


Water Gamayun, a suspected Russian threat actor, has been identified exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise Windows systems.

This vulnerability in the Microsoft Management Console (MMC) framework, the component that loads .msc console files, allows attackers to execute malicious code remotely, exfiltrate sensitive data, and maintain persistent control over infected machines.

The exploit leverages custom payloads and advanced techniques, posing significant risks to organizations globally.


Delivery Methods and Payload Arsenal

The attackers employ various delivery methods, including provisioning packages (.ppkg), signed Microsoft Installer files (.msi), and specially crafted MSC files.

A notable technique involves using IntelliJ’s runnerw.exe to proxy PowerShell command execution on compromised systems.

Once deployed, payloads such as SilentPrism and DarkWisp backdoors ensure persistence and facilitate data theft.

[Figure: DarkWisp execution flow]

These malware strains communicate with command-and-control (C&C) servers via encrypted channels, employing anti-analysis techniques like virtual machine detection and randomized sleep intervals to evade detection.

The MSC EvilTwin loader is particularly noteworthy for its ability to mimic legitimate system paths by creating directories whose names contain trailing spaces, such as "C:\Windows \System32 \" and "C:\Windows \System32\en-US" (note the space after "Windows" and, in the first path, after "System32"); these are distinct from the real C:\Windows\System32 but look identical at a glance.

It deploys decoy and malicious MSC files dynamically linked to URLs hosting PowerShell commands.

After execution, the loader cleans up traces to minimize forensic evidence.
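As an added illustration of the two tradecraft details above (runnerw.exe proxying PowerShell, and loader directories that imitate C:\Windows\System32 with inserted or trailing spaces), here is defender-side triage logic run over constructed process-creation events. This is example code written for this page, not code from the article or from Trend Micro's report; the event field names (Image, ParentImage) follow Sysmon's naming, the events themselves are made up, and the list of protected directories is an assumption to extend for your environment.

```python
import re
from typing import Dict, List, Tuple

# Canonical system directories (lower-case, backslash separators). A look-alike
# directory with inserted or trailing spaces collapses to one of these once the
# whitespace is removed. Assumed list, extend for your environment.
PROTECTED_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
_WS = re.compile(r"\s+")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def mimics_system_dir(path: str) -> bool:
    """True when some directory prefix of `path` is not a protected directory as
    written but becomes one after removing whitespace (e.g. 'C:\\Windows \\System32 \\')."""
    parts = _norm(path).split("\\")
    for i in range(1, len(parts)):              # every directory prefix, leaf excluded
        prefix = "\\".join(parts[:i])
        collapsed = _WS.sub("", prefix)
        if collapsed in PROTECTED_DIRS and collapsed != prefix:
            return True
    return False


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for each event matching either check."""
    findings: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        # Check 1: IntelliJ's runnerw.exe used as a proxy to start PowerShell.
        if _basename(parent) == "runnerw.exe" and _basename(image) in {"powershell.exe", "pwsh.exe"}:
            findings.append((idx, "runnerw.exe proxying PowerShell"))
        # Check 2: process or parent runs from a whitespace look-alike of a system directory.
        for label, p in (("Image", image), ("ParentImage", parent)):
            if mimics_system_dir(p):
                findings.append((idx, f"{label} runs from a look-alike system directory: {p}"))
    return findings


# Constructed process-creation events (Sysmon-style field names); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # benign
    {"ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "Image": r"C:\Program Files\Java\jdk\bin\java.exe"},            # normal IDE use, not flagged
    {"ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # check 1
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": "C:\\Windows \\System32 \\svchost.exe"},                # check 2: trailing spaces
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The second sample event is there on purpose: runnerw.exe legitimately launches build tools and JVMs on developer workstations, so the parent-child rule is only meaningful when the child is a script host, and even then it should be weighed against whether the machine has the IDE installed. The path check, by contrast, has almost no benign hits, because Windows tooling does not create directories named "Windows " or "System32 " with trailing spaces.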

Malware Variants and Data Theft

Water Gamayun’s arsenal includes EncryptHub Stealer variants, Rhadamanthys Stealer, and other information-stealing malware.

[Figure: EncryptHub GitHub repository]

According to the report, these tools extract sensitive data such as credentials, session histories, cryptocurrency wallets, and clipboard content from infected systems.

The collected data is compressed into ZIP archives and transmitted to attacker-controlled servers through encrypted channels.

SilentPrism backdoor achieves persistence by creating auto-run entries or scheduled tasks based on user privileges.
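The privilege-dependent persistence described above (a per-user auto-run entry when the malware runs unprivileged, a scheduled task when it has more rights) can be reviewed with a simple autorun triage. The following is an added example, not code from the article or from Trend Micro's report: the autorun inventory is constructed, and the severity heuristics (script hosts, common PowerShell switches, user-writable directories) are generic assumptions about what warrants a closer look, not a description of SilentPrism's actual entries.

```python
import re
from typing import Dict, List, Tuple

# Interpreters that rarely belong in an autorun entry on an end-user machine (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directory fragments a standard user can write to without elevation (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Real PowerShell switches (and their accepted abbreviations) that hide or obscure execution.
PS_SWITCHES = [
    (re.compile(r"-e(?:c|nc|ncodedcommand)?\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-nop(?:rofile)?\b", re.I), "no profile"),
]


def _first_exe(command: str) -> str:
    """Executable a command line launches: the quoted path, or the first token."""
    cmd = command.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)].lower()
    return cmd.split()[0].lower()


def triage_autoruns(entries: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, severity, reasons) for entries with at least one indicator."""
    results: List[Tuple[str, str, List[str]]] = []
    for e in entries:
        cmd = e["command"]
        exe_name = _first_exe(cmd).rsplit("\\", 1)[-1]
        reasons: List[str] = []
        if exe_name in SCRIPT_HOSTS:
            reasons.append(f"script host {exe_name} registered for autorun")
        switch_hits = [label for rx, label in PS_SWITCHES if rx.search(cmd)]
        reasons.extend(switch_hits)
        if any(d in cmd.lower() for d in USER_WRITABLE):
            reasons.append("references a user-writable directory")
        if not reasons:
            continue
        # Severity: obscuring switches are the strongest signal, a bare script host next,
        # a user-writable path alone is common for legitimate per-user software.
        severity = "high" if switch_hits else "medium" if exe_name in SCRIPT_HOSTS else "low"
        results.append((e["name"], severity, reasons))
    return results


# Constructed inventory. 'source' records where the entry lives: an HKCU Run value needs no
# elevation, a task in the root Task Scheduler folder normally does.
SAMPLE_AUTORUNS = [
    {"source": "HKCU\\...\\Run", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": "HKCU\\...\\Run", "name": "Updater",
     "command": r'powershell.exe -w hidden -nop -ep bypass -File C:\Users\alice\AppData\Roaming\upd.ps1'},
    {"source": "Task Scheduler\\", "name": "SystemCheck",
     "command": r'powershell.exe -EncodedCommand JABhAD0AMQA='},
    {"source": "HKLM\\...\\Run", "name": "SecurityHealth",
     "command": r'C:\Windows\System32\SecurityHealthSystray.exe'},
]

if __name__ == "__main__":
    for name, severity, reasons in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"{severity:6} {name}: {'; '.join(reasons)}")
```

Feeding this a real inventory means exporting the Run/RunOnce values under HKCU and HKLM and the actions of every scheduled task, then normalising each into the same three-field shape. The OneDrive entry is kept deliberately: legitimate per-user software lives under AppData, so a user-writable path on its own is only worth a "low" note, while an interpreter launched with hidden-window or encoded-command switches is the combination that should be escalated regardless of where the entry lives.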

DarkWisp backdoor further enhances reconnaissance capabilities by gathering extensive system details, including antivirus status, VPN presence, and geographic location.

Both backdoors use a dual-channel communication scheme so that the results of executed commands are reliably delivered back to the C&C server.

The exploitation of CVE-2025-26633 highlights the evolving sophistication of cyber threats targeting enterprise environments.

Organizations are urged to adopt proactive security measures such as advanced threat detection technologies and timely patch management to mitigate risks posed by actors like Water Gamayun.

Trend Micro has developed protections against this vulnerability through its Trend Vision One platform, which offers centralized cyber risk management and AI-powered threat detection capabilities.

By leveraging these tools, businesses can reduce ransomware risks by 92% and detection times by 99%, ensuring robust defense against emerging threats.

As the campaign remains under active development, cybersecurity teams must remain vigilant in monitoring indicators of compromise (IOCs) linked to Water Gamayun’s operations while implementing layered security strategies to safeguard their digital assets.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
