A Russian cybercriminal group, identified as Water Gamayun (also known as EncryptHub and LARVA-208), has been exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, designated as CVE-2025-26633 or MSC EvilTwin. This vulnerability allows attackers to execute malicious code through rogue Microsoft Console (.msc) files, facilitating unauthorized control over compromised systems.
The group’s attack methods include the use of provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deploy malware. Notably, they have been delivering two new backdoors named SilentPrism and DarkWisp. SilentPrism is a PowerShell implant capable of establishing persistence, executing multiple shell commands simultaneously, and maintaining remote control while evading detection through anti-analysis techniques. DarkWisp, another PowerShell backdoor, enables system reconnaissance, data exfiltration, and persistence. It communicates with its command-and-control servers over a TCP connection on port 8080, awaiting encoded commands for execution.
Additionally, Water Gamayun employs the MSC EvilTwin loader to exploit CVE-2025-26633, executing malicious .msc files that lead to the deployment of information stealers like Rhadamanthys Stealer and StealC. These tools are designed to collect extensive system information, including antivirus details, installed software, network configurations, Wi-Fi passwords, Windows product keys, clipboard history, browser credentials, and session data from various applications related to messaging, VPNs, FTP, and password management. The malware also targets files associated with cryptocurrency wallets, indicating a focus on financial data theft.
The .msi installers used in these attacks often masquerade as legitimate messaging and meeting software such as DingTalk, QQTalk, and VooV Meeting. Upon execution, they initiate a PowerShell downloader to fetch and run the next-stage payload on the compromised host.
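The chain described above (mmc.exe opening a .msc from a user-writable path, MMC handing off to PowerShell, and PowerShell calling out on TCP/8080) can be turned into simple host-telemetry rules. The following is an added detection example, not code from the original report or from any vendor; the Sysmon-style events, paths and addresses are constructed for illustration and are not real indicators.

```python
import json
import re

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect),
# one JSON object per line. Paths and addresses are sample values, not real IoCs.
SAMPLE_EVENTS = r"""
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mmc.exe","CommandLine":"mmc.exe C:\\Users\\alice\\Downloads\\Meeting.msc"}
{"EventID":1,"ParentImage":"C:\\Windows\\System32\\mmc.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -w hidden -enc AAAA"}
{"EventID":3,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationIp":"203.0.113.10","DestinationPort":8080}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mmc.exe","CommandLine":"mmc.exe C:\\Windows\\System32\\services.msc"}
{"EventID":3,"Image":"C:\\Program Files\\Browser\\browser.exe","DestinationIp":"198.51.100.5","DestinationPort":8080}
"""

SYSTEM_DIRS = ("c:\\windows\\",)            # consoles shipped with Windows live here
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
C2_PORT = 8080                             # port reported for DarkWisp's C2 channel
MSC_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.msc)', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return one alert dict per event matching a rule drawn from the described chain."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        image = _basename(ev.get("Image", ""))
        if ev["EventID"] == 1:
            parent = _basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Rule 1: MMC loading a .msc that sits outside the Windows directory.
            m = MSC_RE.search(cmd)
            if image == "mmc.exe" and m and not m.group(1).lower().startswith(SYSTEM_DIRS):
                alerts.append({"rule": "msc_from_user_path", "path": m.group(1)})
            # Rule 2: MMC spawning a shell (the loader's hand-off to PowerShell).
            if parent == "mmc.exe" and image in SHELLS:
                alerts.append({"rule": "mmc_spawned_shell", "cmd": cmd})
        elif ev["EventID"] == 3:
            # Rule 3: PowerShell opening a TCP connection on the backdoor's port.
            if image in ("powershell.exe", "pwsh.exe") and ev.get("DestinationPort") == C2_PORT:
                alerts.append({"rule": "powershell_to_8080", "dst": ev["DestinationIp"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Custom consoles saved under a user profile and admin tooling that listens on 8080 will also match, so treat a single hit as a triage signal and the three rules firing on one host in sequence as the strong indicator.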
Microsoft has released patches to address CVE-2025-26633. Users and organizations are strongly advised to apply these updates promptly to mitigate the risk of exploitation. Maintaining up-to-date systems and exercising caution with unsolicited files and links are critical steps in defending against such sophisticated cyber threats.