The advanced persistent threat (APT) group known as Water Gamayun, suspected to be of Russian origin, has been exploiting a critical zero-day vulnerability in the Microsoft Management Console (MMC) framework, dubbed “MSC EvilTwin” (CVE-2025-26633).
This sophisticated campaign involves leveraging custom payloads and advanced techniques to compromise Windows systems, steal sensitive data, and maintain persistence.
Exploitation Techniques and Payload Delivery
Water Gamayun employs a variety of delivery methods to deploy malicious payloads, including provisioning packages (.ppkg), signed Microsoft Installer (.msi) files, and specially crafted MSC files.

The threat actor utilizes living-off-the-land binaries (LOLBins), such as IntelliJ’s runnerw.exe, to proxy PowerShell command execution on infected systems.
This enables stealthy operations while bypassing conventional security mechanisms.
Among the arsenal used by Water Gamayun are backdoors like SilentPrism and DarkWisp, alongside EncryptHub Stealer variants and known malware such as Stealc and Rhadamanthys.
According to the report, these tools facilitate data exfiltration through encrypted channels while employing anti-analysis techniques such as randomized sleep intervals and virtual machine detection to evade forensic scrutiny.

The MSC EvilTwin loader represents a novel approach to malware deployment.
It creates directories mimicking legitimate system paths and utilizes Base64-encoded payloads embedded within decoy MSC files.
These files dynamically fetch PowerShell commands from attacker-controlled servers, executing them to deliver next-stage payloads.
Following execution, the loader performs cleanup operations to remove traces of its presence.
Command-and-Control Infrastructure
Water Gamayun’s campaigns are supported by an elaborate command-and-control (C&C) infrastructure.
The malware communicates with C&C servers using a dual-channel strategy: TCP port 8080 for reconnaissance data and HTTPS port 8081 for command execution results.
This redundancy ensures reliable communication even under network disruptions.
The DarkWisp backdoor exemplifies the group’s sophistication.
It collects detailed system profiles, including user privileges, domain memberships, and software configurations, transmitting this data securely to the C&C server.
Commands received from the server are executed using PowerShell’s Invoke-Expression cmdlet, with results exfiltrated over both TCP and HTTPS channels for redundancy.
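As an added illustration (not code from the report, Trend Micro or the threat actor), the following Python sketch runs three defender-side checks over constructed endpoint events matching the behaviours described above: a PowerShell process spawned by runnerw.exe, an MMC launch of a .msc file from a lookalike system directory (assumed here to be a whitespace-padded variant, since the article only says the paths mimic system directories), and a host that opens both the port 8080 and port 8081 channels to the same server. Host names, addresses and file names are made up.

```python
"""Toy detections for the tradecraft described above, run over constructed events."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PROXY_LOLBINS = {"runnerw.exe"}   # IntelliJ helper named in the article
C2_PORTS = {8080, 8081}           # TCP recon channel / HTTPS results channel

# Constructed sample telemetry (not from the report); one dict per Sysmon-like event.
EVENTS = [
    {"host": "ws01", "kind": "proc", "image": r"C:\Windows\System32\mmc.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'mmc.exe "C:\Windows \System32\evil.msc"'},
    {"host": "ws01", "kind": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\JetBrains\bin\runnerw.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "ws01", "kind": "net", "dst": "203.0.113.10", "port": 8080},
    {"host": "ws01", "kind": "net", "dst": "203.0.113.10", "port": 8081},
    {"host": "ws02", "kind": "proc", "image": r"C:\Windows\System32\mmc.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'mmc.exe "C:\Windows\System32\compmgmt.msc"'},
    {"host": "ws02", "kind": "net", "dst": "198.51.100.5", "port": 8080},
]

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def msc_path_from_cmdline(cmdline: str):
    """Return the quoted or bare .msc argument from an mmc.exe command line, if any."""
    m = re.search(r'"([^"]+\.msc)"|(\S+\.msc)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None

def is_spoofed_system_dir(path: str) -> bool:
    """True when the directory equals a system directory only after whitespace is removed
    (assumed lookalike pattern; the article just says the paths mimic system directories)."""
    parent = str(PureWindowsPath(path).parent).lower()
    collapsed = re.sub(r"\s+", "", parent)
    return collapsed in SYSTEM_DIRS and parent not in SYSTEM_DIRS

def detect(events):
    """Return (host, rule, detail) tuples for the three behaviours described in the article."""
    findings = []
    channels = defaultdict(set)   # (host, destination) -> C2 ports seen
    for ev in events:
        if ev["kind"] == "proc":
            if basename(ev["parent"]) in PROXY_LOLBINS and basename(ev["image"]) == "powershell.exe":
                findings.append((ev["host"], "lolbin_proxy", basename(ev["parent"])))
            if basename(ev["image"]) == "mmc.exe":
                msc = msc_path_from_cmdline(ev["cmdline"])
                if msc and is_spoofed_system_dir(msc):
                    findings.append((ev["host"], "spoofed_msc_dir", msc))
        elif ev["kind"] == "net" and ev["port"] in C2_PORTS:
            channels[(ev["host"], ev["dst"])].add(ev["port"])
    for (host, dst), ports in channels.items():
        if ports == C2_PORTS:     # both the 8080 and 8081 channels to one server
            findings.append((host, "dual_channel_c2", dst))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Only ws01 trips all three rules; ws02 runs a legitimate console and talks to a single port, so it produces no finding.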
The exploitation of CVE-2025-26633 poses significant risks to businesses due to potential data theft and operational disruptions.
Water Gamayun’s ability to dynamically control infected systems underscores the importance of robust cybersecurity measures.
Organizations are advised to implement up-to-date patch management processes and adopt advanced threat detection technologies to mitigate risks from such evolving threats.
Trend Micro has developed protections against this vulnerability through its Trend Vision One platform, offering AI-powered cybersecurity solutions that centralize risk exposure management and accelerate threat detection.
By leveraging proactive security measures, organizations can reduce ransomware risks by up to 92% and detection times by 99%.
As cyber threats continue to evolve, understanding the techniques employed by actors like Water Gamayun is crucial for maintaining secure environments and mitigating future risks.