Executive Summary
A critical security feature bypass vulnerability in Microsoft Management Console (MMC), identified as CVE-2025-26633, has been weaponized in targeted attacks by Russian-aligned threat actors. This flaw, dubbed “MSC EvilTwin,” enables attackers to craft specially manipulated .msc files and provisioning packages that bypass security features in MMC, leading to malicious code execution and persistent backdoor installation. Security researchers have reported targeted campaigns using this vulnerability to deploy the SilentPrism and DarkWisp backdoors. Microsoft has patched the vulnerability, but exploitation in the wild remains active, making immediate updates essential for all organizations at risk.
Background on Water Gamayun & Attack Groups
Water Gamayun (also known as EncryptHub or LARVA-208) is a Russia-aligned APT group specializing in cyber-espionage and financial attacks. Their campaigns leverage the MSC EvilTwin vulnerability via social engineering and weaponized installer files (MSI, .msc) to gain persistence and exfiltrate data. Other payloads observed include Stealc and Rhadamanthys stealer. Sectors targeted are primarily telecommunications, finance, defense, and manufacturing. The attack groups abuse legitimate administrative tools and use custom Trojans for lateral movement and persistence.
Vulnerability Details
The vulnerability stems from improper neutralization of input in the MMC framework, permitting attackers with local access to bypass security features with specially crafted files. Exploit kits leveraging MSC EvilTwin can run unsigned malware and escalate privileges on compromised endpoints.
Infection Method and Attack Chain
The Water Gamayun attack leveraging CVE-2025-26633 typically follows this sequence:
- Initial Access: Delivery of spear-phishing emails or social engineering to entice victims into downloading malicious MSI or .msc files disguised as legitimate software.
- Exploitation: When opened, the crafted file abuses input sanitization flaws in MMC, bypassing security warnings and launching malware.
- Payload Execution: Stealthy installer drops payloads such as SilentPrism or DarkWisp, which run with administrative privileges.
- Backdoor Installation: The malware establishes persistence through malicious provisioning packages and registry changes, enabling remote attacker access.
- Persistence and Data Theft: The malware steals credentials, exfiltrates documents, and can deploy additional payloads for ransomware or network reconnaissance.
Malware Behavior and Capabilities
The backdoors and info-stealers used in these campaigns possess:
- Remote Command Execution: Full control via C2 infrastructure.
- Credential Theft: Extraction of passwords and tokens from browsers and Windows vault.
- File Exfiltration: Targeted theft of sensitive documents.
- Lateral Movement: Use of legitimate admin tools for moving across networks.
- Persistence: Registry tweaks and Task Scheduler jobs maintain ongoing access.
- Data Destruction/Ransomware: Double-extortion via encryption and theft.
Attack Techniques (MITRE ATT&CK Mapping)
- T1566.001: Initial delivery through malicious MSI or .msc attachments.
- T1105: Payloads and provisioning packages transferred post-exploitation.
- T1059.001: Script execution via PowerShell and WMI.
- T1053: Scheduled tasks for persistence.
- T1020: Automated exfiltration to remote C2 servers.
- T1027: Obfuscation with packed/provisioned files.
Visual: Water Gamayun Attack Flow
[Targeted Spearphishing/Provisioning Package]
-> [User Executes Malicious .msc or MSI File]
-> [MSC EvilTwin Exploit in MMC / Bypass Security Features]
-> [Payload Deployed: SilentPrism/DarkWisp Backdoor]
-> [Persistence via Registry/Scheduled Tasks]
-> [Remote Command and Control Communication]
-> [Credential Theft, Lateral Movement, Data Exfiltration]
-> [Optional Ransomware Deployment]
Indicators of Compromise (IOCs)
- File Hashes:
  - SilentPrism: 4F670B4120AE913F9301...
  - DarkWisp: D18AF0D6C25EFE2A8C79...
- Malicious Filenames & Paths:
  - Unusual .msc files in admin directories
  - MSI installers masquerading as DingTalk or VooV Meeting
- Network Indicators:
  - Unexpected outbound connections to EncryptHub and Water Gamayun C2 domains
Threat Actor Attribution
Current intelligence attributes recent exploitation of CVE-2025-26633 to Water Gamayun (EncryptHub, LARVA-208). Other Russian-associated groups may participate, using similar techniques and malware families. The group’s TTPs align with financial and espionage motives and with persistent targeting of critical infrastructure and enterprise networks.
Mitigation Steps
- Patch Software: Apply Microsoft updates from March–April 2025 for MMC and Windows.
- Restrict File Execution: Limit use of MMC and administrative installer files; validate sources.
- Threat Hunting:
  - Monitor for creation of suspicious .msc files and abnormal scheduled tasks.
  - Track outbound connections to known Water Gamayun/EncryptHub infrastructure.
- IOC Monitoring: Feed threat intelligence (ESET, Trend Micro, internal SOC) into SIEM solutions.
- User Awareness: Train staff regarding social engineering, malicious MSI/.msc files, and unusual file prompts.
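To make the threat-hunting step concrete, here is an added Python example (not from this advisory or any vendor) that runs the hunting heuristics above over a handful of constructed Sysmon-style events. The event field names, the user-writable path pattern and the C2 watchlist entry are assumptions and placeholders to be replaced with your own telemetry schema and threat-intelligence feed.

```python
import re

# Constructed sample telemetry (not from the advisory), in a simplified
# Sysmon-like shape: file creates, scheduled-task creates and network connects.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\System32\mmc.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\DingTalk Update.msc"},
    {"type": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\System32\compmgmt.msc"},
    {"type": "file_create", "image": r"C:\Program Files\Outlook\outlook.exe",
     "path": r"C:\Users\alice\Downloads\VooV Meeting Setup.msi"},
    {"type": "task_create", "image": r"C:\Windows\System32\mmc.exe",
     "path": r"C:\Users\alice\AppData\Roaming\svc\helper.exe"},
    {"type": "task_create", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\System32\wsqmcons.exe"},
    {"type": "net_connect", "image": r"C:\Users\alice\AppData\Roaming\svc\helper.exe",
     "path": "c2.example.invalid"},
]

# Heuristic assumption: user-writable locations where a legitimate .msc snap-in
# or a scheduled-task action rarely lives. Tune to your environment.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\", re.I)
# Product names the advisory reports being impersonated by malicious installers.
MASQUERADE = re.compile(r"dingtalk|voov", re.I)
# Placeholder watchlist: load real Water Gamayun/EncryptHub domains from your CTI feed.
C2_WATCHLIST = {"c2.example.invalid"}

def hunt(events, watchlist=C2_WATCHLIST):
    """Return (rule_name, event) pairs for events that match a hunting heuristic."""
    hits = []
    for ev in events:
        p = ev["path"]
        if ev["type"] == "file_create" and p.lower().endswith(".msc") and USER_WRITABLE.search(p):
            hits.append(("msc_in_user_writable_path", ev))
        if ev["type"] == "file_create" and p.lower().endswith(".msi") and MASQUERADE.search(p):
            hits.append(("installer_masquerading_as_collab_app", ev))
        if ev["type"] == "task_create" and USER_WRITABLE.search(p):
            hits.append(("scheduled_task_from_user_writable_path", ev))
        if ev["type"] == "net_connect" and p.lower() in watchlist:
            hits.append(("connection_to_watchlisted_c2", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {ev['image']} -> {ev['path']}")
```

In a real deployment the same rules map directly onto SIEM queries (file-create, task-create and network events keyed on path and destination), with the watchlist populated from the ESET/Trend Micro indicators referenced above.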
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.