Recent investigations have uncovered that a suspected Russian hacking group known as Water Gamayun, also tracked as EncryptHub or LARVA-208, is exploiting a zero-day vulnerability in Microsoft Windows. The group targets organizations with two new backdoor tools, SilentPrism and DarkWisp, and has continued deploying them following the patching of the underlying security flaw.
According to findings from Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim, the group utilizes various methods to deliver their payloads, primarily through malicious provisioning packages, signed Microsoft Installer files, and Windows MSC files. These methods often incorporate the IntelliJ runnerw.exe process for command execution, allowing the hackers to execute their malware covertly while evading detection.
The adversaries take advantage of CVE-2025-26633, a vulnerability within the Microsoft Management Console (MMC), to execute their malware through a rogue .msc file. Their attack methodology employs extensive use of provisioning packages, signed installers, and .msc files to inflict harm via information stealers and persistent backdoors.
The exploitation involves deploying PowerShell implants such as SilentPrism, which not only provide remote command execution and persistence but also integrate anti-analysis techniques to remain undetected. Similarly, DarkWisp gives attackers system reconnaissance and sensitive-data exfiltration capabilities. Once operational, the malware continuously communicates with its command-and-control (C2) server, accepting commands over an open TCP connection on port 8080.
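The delivery and C2 behaviour described above suggests a handful of host-level triage checks. The following is an added example written for this summary, not code from Trend Micro or the researchers: it runs three heuristics over constructed sample telemetry (MMC loading an .msc from a user-writable path, the IntelliJ runnerw.exe process spawning a shell, and a script host connecting outbound on TCP 8080). Field names, file paths, the IP addresses and the rule thresholds are assumptions chosen for illustration.

```python
"""Triage heuristics for the tradecraft described above; sample events are constructed."""
import re

# Constructed sample telemetry (process-creation and network events). The field
# names are an assumption for this example, not any vendor's schema.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mmc.exe", "parent": "explorer.exe",
     "cmdline": r'mmc.exe "C:\Users\alice\AppData\Local\Temp\update.msc"'},
    {"type": "process", "image": r"C:\Windows\System32\mmc.exe", "parent": "explorer.exe",
     "cmdline": r"mmc.exe C:\Windows\System32\compmgmt.msc"},          # benign admin console
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Tools\runnerw.exe", "cmdline": "powershell.exe -w hidden -enc AAAA"},
    {"type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 8080},    # documentation-range IP
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "proto": "tcp", "dst_ip": "203.0.113.20", "dst_port": 443},
]

# Directories a standard user can write to; .msc consoles normally live under System32.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|Downloads)\\", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    """Last path component, lower-cased, so rules match on the image name only."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of all rules a single event triggers (empty list if none)."""
    hits = []
    if ev["type"] == "process":
        img = basename(ev["image"])
        if img == "mmc.exe":
            # Extract the .msc argument (quoted or bare) and test where it was loaded from.
            m = re.search(r'"?([^"\s]+\.msc)"?', ev["cmdline"], re.IGNORECASE)
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append("mmc_msc_from_user_writable_path")
        if basename(ev["parent"]) == "runnerw.exe" and img in SHELLS:
            hits.append("runnerw_spawns_shell")
    elif ev["type"] == "network":
        # Port 8080 alone is noisy (proxies); requiring a script host as the source narrows it.
        if ev["proto"] == "tcp" and ev["dst_port"] == 8080 and basename(ev["image"]) in SHELLS:
            hits.append("shell_outbound_tcp_8080")
    return hits


def triage(events):
    """Map each rule name to the number of events that triggered it."""
    counts = {}
    for ev in events:
        for rule in check_event(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts
```

Each rule on its own is a lead rather than a verdict; the value comes from seeing several fire on the same host within a short window.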
Moreover, the MSC EvilTwin loader linked to these attacks also exploits CVE-2025-26633, executing malicious .msc files that lead to the installation of other malware, including the Rhadamanthys Stealer. This loader ensures a cleanup of traces to maintain operational secrecy and evade future detection.
Water Gamayun’s malware arsenal is extensive. Alongside Rhadamanthys, the group is known to deploy various commodity stealers, including StealC and custom variants of EncryptHub Stealer. These bespoke stealers harvest extensive system data, including antivirus status, installed applications, network configuration, and sensitive credentials from a range of applications, with a particular focus on cryptocurrency wallet recovery phrases.
The attackers’ adaptability and diverse delivery methods show a deliberate effort to get the most out of the vulnerability, using techniques that map onto the MITRE ATT&CK framework. Noteworthy tactics may include initial access via phishing, persistence through scheduled tasks, and data exfiltration over the communication channels established by the malware.
The extensive use of sophisticated payloads reinforces the necessity for organizations to bolster their cybersecurity defenses against such adaptable threats. Understanding the techniques employed by adversary groups like Water Gamayun can aid businesses in shielding their operations from evolving cybersecurity risks.
In light of these developments, it is imperative for IT professionals and business leaders to engage in regular security assessments and utilize advanced threat detection solutions. Keeping informed about the latest vulnerabilities and attack patterns will be essential in safeguarding organizational assets against such targeted cyber threats.