CVE-2025-26633 “MSC EvilTwin”: The One-Click Windows Exploit That Can Lead to Data Theft, Downtime, and Ransom Demands

A new Windows weakness in Microsoft Management Console (MMC), tracked as CVE-2025-26633 and nicknamed “MSC EvilTwin,” is being used by an advanced threat group, Water Gamayun (also known as EncryptHub/LARVA-208), to bypass security checks and run malicious code.

Sep 14, 2025 · By Rakesh B · 3 min read

Attackers send a booby-trapped .msc or installer file through a phishing email. If an employee opens it, the attacker can install backdoors, steal data, move across your network, and even launch ransomware.

Why does this matter to the business (not just IT)?

  • Revenue & operations: Backdoors planted through EvilTwin can take systems offline or slow them down, causing missed orders, delayed services, and overtime costs for recovery.
  • Data exposure & fines: The same attack path enables credential theft and document exfiltration, which can trigger breach notifications, regulatory penalties, and legal exposure.
  • Ransom & extortion risk: The groups using this exploit often combine data theft with encryption (double extortion), raising both direct and reputational costs.
  • Board visibility: This vulnerability is high severity (CVSS 7.0) and already weaponized by Russia-aligned APTs: a combination that draws regulator and board attention.

Who is being targeted

Campaigns tied to Water Gamayun (also known as EncryptHub/LARVA-208) are hitting telecom, finance, defense, and manufacturing, using social engineering to deliver the malicious files. Even if you’re outside these sectors, the technique is simple enough that copycats can adopt it quickly.

How the attack happens

  1. An employee receives a convincing email or chat link and opens a malicious .msc or installer file.
  2. The file bypasses MMC security, launches malware, and installs a backdoor (examples seen: SilentPrism, DarkWisp).
  3. Attackers steal credentials, spread laterally using built-in admin tools, and quietly exfiltrate data.
  4. They may later deploy ransomware for maximum leverage.

Questions leaders should ask their teams today

  1. Patch status: Have we applied Microsoft’s updates that address CVE-2025-26633 across all Windows systems, laptops, VMs, servers, and jump hosts?
  2. File controls: Can we block or restrict .msc execution for non-admins and validate any admin-side use?
  3. Continuous monitoring: Are we monitoring for new .msc files, unusual scheduled tasks/registry changes, and outbound connections to known attacker infrastructure? Do we have a playbook if we spot them?
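The three questions above map to checks a Windows administrator can run today. The script below is an added example written for this page, not tooling from SecPod or from the research on this campaign. It assumes it is run with administrative rights on a Windows host, that MMC's binary is mmc.exe, that the KB number in $PatchKB is replaced with the update Microsoft's advisory for CVE-2025-26633 lists for your OS build (the placeholder here is not a real KB), and that command-line auditing for Security event 4688 is enabled if you want the last check to return anything.

```powershell
# Added example (not from the SecPod post): hunt checks for the three questions above.
# Assumptions: run as an administrator; $PatchKB is a PLACEHOLDER to be replaced with the
# KB from Microsoft's advisory for CVE-2025-26633 for this OS build.
param(
    [int]$LookbackDays = 7,
    [string]$PatchKB = 'KB-PLACEHOLDER-FROM-MS-ADVISORY'
)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Patch status: is the advisory's update installed on this host?
$hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $PatchKB }
if ($hotfix) { "[OK]   $PatchKB installed on $($hotfix.InstalledOn)" }
else         { "[WARN] $PatchKB not found - confirm patch status for CVE-2025-26633" }

# 2./3. File controls and monitoring: .msc consoles created recently in user-writable locations.
# Legitimate consoles normally live under %SystemRoot%\System32; new ones in profile or temp
# directories are worth a look.
$userPaths = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemRoot\Temp")
$recentMsc = Get-ChildItem -Path $userPaths -Filter *.msc -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since }
foreach ($f in $recentMsc) {
    $owner = (Get-Acl -Path $f.FullName).Owner
    "[WARN] recent .msc: $($f.FullName) created $($f.CreationTime) owner $owner"
}

# 3. Scheduled tasks registered inside the lookback window. RegistrationInfo.Date is written by
# whoever created the task and can be empty or forged, so treat a hit as a lead, not proof.
Get-ScheduledTask | ForEach-Object {
    $d = $_.Date
    if ($d -and ([datetime]$d) -ge $since) {
        $act = $_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }
        "[WARN] recent task: $($_.TaskPath)$($_.TaskName) registered $d action: $($act -join '; ')"
    }
}

# 3. Process-creation evidence: mmc.exe started with a console file that is not under System32.
# Requires Security event 4688 with command-line auditing enabled (an audit-policy assumption).
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    $cmd = $data['CommandLine']
    if ($data['NewProcessName'] -like '*\mmc.exe' -and $cmd -match '\.msc' -and $cmd -notmatch '\\System32\\') {
        "[WARN] mmc.exe with non-System32 console at $($_.TimeCreated): $cmd"
    }
}
```

Run it from an elevated PowerShell session (for example `.\Hunt-MscEvilTwin.ps1 -LookbackDays 14 -PatchKB KB0000000`, with the real KB substituted). Every `[WARN]` line is a lead for the playbook the third question asks about, not a verdict: administrators do create consoles and tasks legitimately, so the value is in comparing the output against what your admins actually did in that window.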

The business trade-offs

  1. Tightening controls vs. admin convenience: Limiting MMC or blocking .msc files may slow some admin workflows, but it reduces breach risk and recovery costs.
  2. Speed vs. safety: Applying patches quickly is the best risk reducer; use staging and rollback to manage change risk while keeping momentum.
  3. Selective hardening: Focus first on finance, identity, and crown-jewel apps where downtime or data loss hurts most.
