Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp
A suspected Russian hacking group known as Water Gamayun, also referred to as EncryptHub and LARVA-208, has been identified as the threat actor behind the zero-day exploitation of CVE-2025-26633 in Microsoft Windows. This vulnerability, also dubbed "MSC EvilTwin," enables attackers to deploy two new backdoors: SilentPrism and DarkWisp.
Exploitation of CVE-2025-26633
Water Gamayun has leveraged CVE-2025-26633, a flaw in the Microsoft Management Console (MMC) framework, to execute malware via rogue Microsoft Console (.msc) files. The attack chains involve malicious provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deliver information stealers and persistent backdoors.
Attack Techniques
According to Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim, Water Gamayun employs multiple techniques to deploy their malware, including:
Malicious provisioning packages to initiate the infection chain.
Signed .msi files masquerading as legitimate software (e.g., DingTalk, QQTalk, and VooV Meeting) that execute PowerShell-based downloaders.
Windows MSC files to execute payloads stealthily.
Use of IntelliJ runnerw.exe to execute commands and evade detection.
SilentPrism and DarkWisp Backdoors
Water Gamayun's campaign introduces two custom PowerShell backdoors:
SilentPrism – A PowerShell implant designed for remote control, persistence, and executing multiple shell commands simultaneously while employing anti-analysis techniques.
DarkWisp – A reconnaissance tool capable of exfiltrating sensitive data, maintaining persistence, and executing commands via a TCP connection on port 8080.
Once compromised, an infected machine continuously interacts with the command-and-control (C&C) server, handling commands and securely transmitting results. The malware is also capable of executing cleanup operations to remove forensic traces.
MSC EvilTwin Loader and Rhadamanthys Stealer
In addition to SilentPrism and DarkWisp, the hackers use an MSC EvilTwin loader, weaponizing CVE-2025-26633 to execute a malicious .msc file. This leads to the deployment of Rhadamanthys Stealer, a powerful information stealer capable of extracting credentials, system details, and cryptocurrency wallet recovery phrases.
Additional Malware Variants and Stealer Activity
Water Gamayun has also been linked to other stealers, including:
StealC – A commodity stealer used to collect sensitive user data.
EncryptHub Stealer Variants A, B, and C – Custom PowerShell-based malware derived from the open-source Kematian Stealer.
Lumma Stealer, Amadey, and clippers – Distributed via malicious MSI packages and binary droppers.
These stealer variants can harvest browser credentials, clipboard history, VPN session data, and Windows product keys, further expanding the attackers' reach.
Infrastructure and Remote Access Capabilities
Analysis of the hackers' infrastructure ("82.115.223[.]182") has revealed additional PowerShell scripts used to:
Download and execute AnyDesk software for remote access.
Execute Base64-encoded remote commands.
No comments:
Post a Comment