Windows MMC Framework Zero-Day Exploited to Execute Malicious Code

Trend Research has uncovered a sophisticated campaign by the Russian threat actor Water Gamayun, exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework.

The vulnerability, dubbed MSC EvilTwin (CVE-2025-26633), allows attackers to execute malicious code on infected machines.

The attack manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and exfiltrate sensitive data from compromised systems.

This technique, named MSC EvilTwin, abuses the way mmc.exe uses MUIPath to load malicious .msc files instead of legitimate ones.

Exploitation Techniques and Trojan Loader

Water Gamayun employs three main techniques in their attack:

1. MSC EvilTwin (CVE-2025-26633): This method involves creating two .msc files with the same name one clean and one malicious. The malicious file is placed in an en-US directory, exploiting mmc.exe’s MUIPath feature to load and execute the malicious version.
2. Execute shell command over MSC file web rendering: This technique leverages the ExecuteShellCommand method of the MMC from a View object, allowing command shell execution through specially crafted .msc files and a Shockwave Flash Object within an ActiveX control.
3. Mock trusted directories method: The attackers create directories that appear similar to standard system paths by adding trailing spaces or special characters, potentially tricking applications into loading files from alternate locations.

The MSC EvilTwin loader, a trojan written in PowerShell, weaponizes these techniques to download and execute malicious payloads on compromised systems.

The attack typically begins with a digitally-signed MSI file masquerading as popular Chinese software, which fetches the loader from the attacker’s command-and-control (C&C) server.

Implications and Mitigation

According to the Report, this campaign demonstrates Water Gamayun’s innovative approach to exploiting vulnerabilities within the MMC framework.

The threat actor’s arsenal includes multiple modules such as EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer.

Microsoft and Trend Zero Day Initiative’s (ZDI) bug bounty program collaborated to disclose this vulnerability and release a patch on March 11, 2025.

Trend Micro customers are protected against this threat through various security solutions, including Trend Vision One™ Network Security and TippingPoint Intrusion Prevention Filters.

As threat actors continue to refine their tactics, organizations must adopt comprehensive cybersecurity solutions to combat evolving threats.

Proactive security measures, such as those provided by Trend Vision One™, are crucial for safeguarding digital assets in the face of sophisticated attacks like those conducted by Water Gamayun.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.