Water Gamayun APT Exploits Novel 'MSC EvilTwin' Windows Flaw in Stealthy Attacks

Russia-Aligned Water Gamayun APT Exploits Windows MMC Vulnerability (CVE-2025-26633) in Sophisticated Campaign

Severity: HIGH
November 26, 2025
Categories: Threat Actor, Vulnerability, Malware

Related Entities

Threat Actors: Water Gamayun
Malware: SilentPrism, DarkWisp, EncryptHub, Rhadamanthys
CVE Identifiers: CVE-2025-26633

Full Report

Executive Summary

Researchers have uncovered a sophisticated campaign by the Russia-aligned APT group Water Gamayun (also known as EncryptHub) that leverages a newly identified vulnerability in the Windows Microsoft Management Console (MMC). The vulnerability, CVE-2025-26633, has been dubbed "MSC EvilTwin" and allows for arbitrary code execution through a trusted Windows process, mmc.exe. The attack chain, detailed by Zscaler's threat hunting team, involves tricking a user into opening a malicious .msc file. This file exploits the vulnerability to load a rogue component that, in turn, executes a series of obfuscated PowerShell payloads. This method of proxying execution through a legitimate system binary is a powerful defense evasion technique. The campaign's objective is believed to be the deployment of the group's signature malware, including backdoors and information stealers, for long-term espionage.


Vulnerability Details

  • CVE ID: CVE-2025-26633
  • Affected Software: Microsoft Windows (Microsoft Management Console - mmc.exe)
  • Vulnerability Type: Code execution via a multilingual path resolution flaw.

The "MSC EvilTwin" vulnerability resides in how the MMC handles path resolution for snap-in modules. By crafting a malicious .msc file, an attacker can cause mmc.exe to load a malicious snap-in from an attacker-controlled path. Because mmc.exe is a signed, trusted Microsoft binary, this action may not be flagged as suspicious by basic security tools. The malicious snap-in's TaskPad can contain embedded commands, which in this campaign are used to launch a Base64-encoded PowerShell script, kicking off the next stage of the attack while a decoy document is displayed to the user.

Threat Overview

The multi-stage attack proceeds as follows:

  1. Initial Access: The user is redirected from a legitimate website to a lookalike domain and tricked into downloading a RAR archive disguised as a PDF.
  2. Execution: The archive contains a malicious .msc file. When the user opens it, mmc.exe is launched, exploiting CVE-2025-26633.
  3. Defense Evasion: mmc.exe loads a rogue snap-in, which executes an embedded PowerShell command. This technique is a form of signed binary proxy execution.
  4. Payload Delivery: The initial PowerShell script is heavily obfuscated and runs a series of hidden stages to download and execute the final payload.

While the C2 server for the final payload was inactive during analysis, Water Gamayun is known to deploy malware such as the SilentPrism and DarkWisp backdoors, or the EncryptHub and Rhadamanthys information stealers.

Technical Analysis

This campaign showcases the actor's focus on stealth and defense evasion by living off the land and abusing trusted system components.

Impact Assessment

The primary impact of this campaign is successful, stealthy espionage. By using a novel vulnerability and proxying execution through mmc.exe, Water Gamayun can bypass security controls and establish a persistent foothold in target networks. Once their backdoors or stealers are installed, they can exfiltrate sensitive data, intellectual property, and credentials over a long period. For affected government and enterprise networks, this can lead to significant data loss and a compromise of strategic information. The reliance on a trusted binary makes detection challenging, meaning the attackers could dwell in the network for an extended time before being discovered.

IOCs

No specific file hashes or C2 domains were provided in the source articles.

Cyber Observables for Detection

  • Command Line Monitoring: Look for mmc.exe being launched with unusual file paths or from suspicious sources (e.g., from a .zip or .rar file in the user's Downloads folder).
  • Process Relationships: Monitor for mmc.exe spawning child processes, especially powershell.exe. This is highly anomalous behavior for the Microsoft Management Console and a strong indicator of this attack technique.
  • PowerShell Logging: Enable PowerShell Script Block Logging (Event ID 4104) to capture and analyze the content of PowerShell scripts, even if they are Base64-encoded or run in memory.
Observables (type, value, description):

  • process_name = mmc.exe: Monitor for mmc.exe spawning child processes like powershell.exe or cmd.exe.
  • file_name = *.msc: Scrutinize .msc files originating from untrusted sources like email attachments or web downloads.
  • command_line_pattern = powershell.exe -enc: The presence of encoded PowerShell commands is a common evasion technique that warrants investigation.

Detection & Response

  • EDR Rule Creation: Configure EDR solutions to alert on the specific parent-child process relationship of mmc.exe launching powershell.exe. This is a high-fidelity detection for the MSC EvilTwin technique (D3-PA: Process Analysis).
  • File Analysis: Use sandboxing technology (D3-DA: Dynamic Analysis) to analyze .msc files from suspicious sources. A sandbox can detonate the file in a safe environment and reveal the subsequent malicious PowerShell execution.
  • Threat Hunting: Proactively hunt for the observables listed above. Query historical process execution logs for instances of mmc.exe spawning unexpected child processes.
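The observables and the EDR rule above can be exercised against process-creation telemetry. The following is an added example written for this article, not code from Zscaler or from the original report: it parses a simplified, constructed record format (a stand-in for Sysmon Event ID 1 / Security Event ID 4688 fields), flags mmc.exe spawning powershell.exe or cmd.exe, flags mmc.exe opening a .msc from the Downloads folder, and decodes any -enc payload for analyst review. The sample events and the benign encoded script are constructed here; the field names and the "Key=Value|Key=Value" layout are assumptions to adapt to your own SIEM export.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Indicators from the report: mmc.exe should never spawn a shell, .msc files
# arriving via Downloads are suspect, and "-enc" PowerShell warrants a look.
SHELL_CHILDREN = {"powershell.exe", "cmd.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record.
    The format is an assumption standing in for Sysmon Event ID 1 / Security
    Event ID 4688 fields; adapt the parser to your own SIEM export."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> str | None:
    """Return the decoded script if the command line carries an encoded
    command. powershell.exe accepts abbreviated forms (-e, -ec, -enc, ...),
    so any '-e...' flag that is a prefix of 'encodedcommand' is considered;
    '-ExecutionPolicy' is not. The payload is Base64 of UTF-16LE text."""
    for m in re.finditer(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", command_line, re.IGNORECASE):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def assess(event: ProcessEvent) -> list[str]:
    """Apply the three observables from the report to one event."""
    findings: list[str] = []
    parent, child = basename(event.parent_image), basename(event.image)
    cmd = event.command_line.lower()
    if parent == "mmc.exe" and child in SHELL_CHILDREN:
        findings.append(f"mmc.exe spawned {child}")
    if child == "mmc.exe" and ".msc" in cmd and "\\downloads\\" in cmd:
        findings.append("mmc.exe opened a .msc file from the Downloads folder")
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        findings.append("encoded PowerShell command: " + decoded.strip())
    return findings


def triage(lines: list[str]) -> dict[int, list[str]]:
    """Map each offending line index to its findings; clean lines are omitted."""
    return {i: f for i, line in enumerate(lines) if (f := assess(parse_event(line)))}


def make_encoded(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not from the campaign); the encoded script is a
# harmless Write-Output so the decoder has something realistic to work on.
SAMPLE_SCRIPT = "Write-Output 'constructed sample, not the campaign payload'"
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\mmc.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc " + make_encoded(SAMPLE_SCRIPT),
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\mmc.exe"
    "|CommandLine=mmc.exe C:\\Users\\alice\\Downloads\\report.msc",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS).items():
        print(f"event {index}:")
        for finding in findings:
            print(f"  - {finding}")
```

The parent-child check is the high-fidelity tripwire: it keys on process lineage rather than on any hash or script content, so it survives changes to the payload. The decoder is there for triage only; abbreviated parameter names are matched so that "-e" and "-ec" are not missed by a rule that only looks for the literal "-enc".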

Mitigation

  • Patching: Apply the security update from Microsoft that addresses CVE-2025-26633 as soon as it becomes available (D3-SU: Software Update).
  • Attack Surface Reduction: Block .msc files from being downloaded from the internet or received as email attachments if there is no business need for them. This can be configured at the email gateway and web proxy.
  • Application Control: Use application control solutions like AppLocker to restrict the execution of PowerShell scripts. Constrained Language Mode can limit the ability of PowerShell to execute malicious commands (D3-EAL: Executable Allowlisting).
  • User Training: Train users to be suspicious of unexpected file downloads, especially archives disguised as documents.

Timeline of Events

  • November 26, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Apply the patch for CVE-2025-26633 from Microsoft to eliminate the vulnerability.
  • Use application control to prevent mmc.exe from launching PowerShell or to restrict PowerShell itself.
  • Audit (M1047, Enterprise): Enable detailed process creation and PowerShell logging to detect the anomalous behavior associated with this attack.

D3FEND Defensive Countermeasures

The core of the 'MSC EvilTwin' attack is the abuse of a legitimate process (mmc.exe) to launch a malicious one (powershell.exe). This makes Process Analysis, specifically monitoring parent-child process relationships, the most effective detection technique. Security teams must configure their EDR or SIEM to generate a high-severity alert whenever the parent process mmc.exe is observed spawning a child process of powershell.exe or cmd.exe. This is extremely anomalous behavior; the Microsoft Management Console has no legitimate reason to launch a command shell. By creating this specific detection rule, defenders can create a high-fidelity tripwire for this exact TTP. This moves beyond simple signature-based detection and focuses on the behavioral artifact of the attack, making it resilient to changes in the malware's file hash or the content of the PowerShell script.

The most definitive mitigation for the Water Gamayun campaign is to apply the security patch from Microsoft that remediates CVE-2025-26633. A robust and timely patch management program is fundamental to cybersecurity. Organizations should use automated tools to scan their environment for all Windows systems vulnerable to this flaw. Prioritization should be given to workstations of users with privileged access and those in sensitive departments (e.g., finance, legal, R&D), as they are common APT targets. The patch should be deployed as soon as possible after appropriate testing. Verifying successful installation across the enterprise is a critical final step. Until the patch is deployed, the detection and hardening measures serve as crucial compensating controls, but patching is the only way to fully eliminate the underlying vulnerability.

To disrupt the initial access stage of this attack, organizations should implement strict inbound traffic filtering at their email gateways and web proxies. Since the attack begins with a user downloading a malicious RAR archive containing a .msc file, security policies should be configured to block these file types from being downloaded or received as attachments. There are very few legitimate business reasons for users to receive .msc (Microsoft Saved Console) files from external sources. By blocking this file extension, along with other script-based files (.js, .vbs, etc.) and archives containing them, organizations can significantly reduce their attack surface and prevent the 'MSC EvilTwin' payload from ever reaching the endpoint. This is a proactive hardening measure that stops the attack chain at the very first step.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: Water Gamayun, APT, CVE-2025-26633, MSC EvilTwin, Microsoft Management Console, PowerShell, Defense Evasion, Zscaler
