Thursday, May 8, 2025
Homecyber securityWindows MMC Framework Zero-Day Exploited to Execute Malicious Code

Windows MMC Framework Zero-Day Exploited to Execute Malicious Code

Published on

SIEM as a Service

Follow Us on Google News

Trend Research has uncovered a sophisticated campaign by the Russian threat actor Water Gamayun, exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework.

The vulnerability, dubbed MSC EvilTwin (CVE-2025-26633), allows attackers to execute malicious code on infected machines.

The attack manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and exfiltrate sensitive data from compromised systems.

- Advertisement - Google News

This technique, named MSC EvilTwin, abuses the way mmc.exe uses MUIPath to load malicious .msc files instead of legitimate ones.

Windows MMC Framework
Windows Firewall file (wf.msc)

Exploitation Techniques and Trojan Loader

Water Gamayun employs three main techniques in their attack:

  1. MSC EvilTwin (CVE-2025-26633): This method involves creating two .msc files with the same name one clean and one malicious. The malicious file is placed in an en-US directory, exploiting mmc.exe’s MUIPath feature to load and execute the malicious version.
  2. Execute shell command over MSC file web rendering: This technique leverages the ExecuteShellCommand method of the MMC from a View object, allowing command shell execution through specially crafted .msc files and a Shockwave Flash Object within an ActiveX control.
  3. Mock trusted directories method: The attackers create directories that appear similar to standard system paths by adding trailing spaces or special characters, potentially tricking applications into loading files from alternate locations.

The MSC EvilTwin loader, a trojan written in PowerShell, weaponizes these techniques to download and execute malicious payloads on compromised systems.

Windows MMC Framework
 MSC EvilTwin Loader main logic

The attack typically begins with a digitally-signed MSI file masquerading as popular Chinese software, which fetches the loader from the attacker’s command-and-control (C&C) server.

Implications and Mitigation

According to the Report, this campaign demonstrates Water Gamayun’s innovative approach to exploiting vulnerabilities within the MMC framework.

The threat actor’s arsenal includes multiple modules such as EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer.

Microsoft and Trend Zero Day Initiative’s (ZDI) bug bounty program collaborated to disclose this vulnerability and release a patch on March 11, 2025.

Trend Micro customers are protected against this threat through various security solutions, including Trend Vision One™ Network Security and TippingPoint Intrusion Prevention Filters.

As threat actors continue to refine their tactics, organizations must adopt comprehensive cybersecurity solutions to combat evolving threats.

Proactive security measures, such as those provided by Trend Vision One™, are crucial for safeguarding digital assets in the face of sophisticated attacks like those conducted by Water Gamayun.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...