Sunday, May 25, 2025
Homecyber securityWindows MMC Framework Zero-Day Exploited to Execute Malicious Code

Windows MMC Framework Zero-Day Exploited to Execute Malicious Code

Published on

SIEM as a Service

Follow Us on Google News

Trend Research has uncovered a sophisticated campaign by the Russian threat actor Water Gamayun, exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework.

The vulnerability, dubbed MSC EvilTwin (CVE-2025-26633), allows attackers to execute malicious code on infected machines.

The attack manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and exfiltrate sensitive data from compromised systems.

- Advertisement - Google News

This technique, named MSC EvilTwin, abuses the way mmc.exe uses MUIPath to load malicious .msc files instead of legitimate ones.

Windows MMC Framework
Windows Firewall file (wf.msc)

Exploitation Techniques and Trojan Loader

Water Gamayun employs three main techniques in their attack:

  1. MSC EvilTwin (CVE-2025-26633): This method involves creating two .msc files with the same name one clean and one malicious. The malicious file is placed in an en-US directory, exploiting mmc.exe’s MUIPath feature to load and execute the malicious version.
  2. Execute shell command over MSC file web rendering: This technique leverages the ExecuteShellCommand method of the MMC from a View object, allowing command shell execution through specially crafted .msc files and a Shockwave Flash Object within an ActiveX control.
  3. Mock trusted directories method: The attackers create directories that appear similar to standard system paths by adding trailing spaces or special characters, potentially tricking applications into loading files from alternate locations.

The MSC EvilTwin loader, a trojan written in PowerShell, weaponizes these techniques to download and execute malicious payloads on compromised systems.

Windows MMC Framework
 MSC EvilTwin Loader main logic

The attack typically begins with a digitally-signed MSI file masquerading as popular Chinese software, which fetches the loader from the attacker’s command-and-control (C&C) server.

Implications and Mitigation

According to the Report, this campaign demonstrates Water Gamayun’s innovative approach to exploiting vulnerabilities within the MMC framework.

The threat actor’s arsenal includes multiple modules such as EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer.

Microsoft and Trend Zero Day Initiative’s (ZDI) bug bounty program collaborated to disclose this vulnerability and release a patch on March 11, 2025.

Trend Micro customers are protected against this threat through various security solutions, including Trend Vision One™ Network Security and TippingPoint Intrusion Prevention Filters.

As threat actors continue to refine their tactics, organizations must adopt comprehensive cybersecurity solutions to combat evolving threats.

Proactive security measures, such as those provided by Trend Vision One™, are crucial for safeguarding digital assets in the face of sophisticated attacks like those conducted by Water Gamayun.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...