Full Report
The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp. The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of
Analysis Summary
# Threat Actor: Water Gamayun
## Attribution & Identity
**Attribution:** Suspected Russian hacking group.
**Aliases:** EncryptHub, LARVA-208.
**Known Associations:** The name EncryptHub was derived from attention gained in late June 2024 for distributing malware (stealers, miners, ransomware) via a GitHub repository named "encrypthub" masquerading as a fake WinRAR website.
## Activity Summary
Water Gamayun has been actively exploiting a zero-day vulnerability, **CVE-2025-26633 (MSC EvilTwin)**, in the Microsoft Management Console (MMC) framework to execute malware via a rogue Microsoft Console (.msc) file. This exploitation allows for the delivery of backdoors, information stealers, and remote access tools. Campaigns use signed, legitimate-looking delivery mechanisms to deliver multi-stage payloads.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Exploitation of CVE-2025-26633 via rogue .msc files.
- **Delivery Mechanisms:** Deployment primarily via malicious **provisioning packages (.ppkg)**, **signed .msi files**, and **Windows .msc files**.
- **Masquerading:** .msi installers masquerade as legitimate messaging/meeting software (DingTalk, QQTalk, VooV Meeting).
- **Execution:** Use of an IntelliJ process launcher (**runnerw.exe**) to proxy the execution of a remote PowerShell script (LOLBin technique).
- **Staging:** Initial implants utilize a PowerShell downloader executed post-.msi installation to fetch the next-stage payload.
- **Persistence:** Established via backdoors like SilentPrism and DarkWisp.
- **Defense Evasion:** Payloads incorporate anti-analysis techniques.
- **Forensics Evasion:** The MSC EvilTwin loader performs system cleanup to avoid forensic trails.
## Targeting
**Sectors:** Not explicitly detailed, but the delivery mechanism suggests targeting corporate or end-user environments relying on productivity/collaboration software.
**Geography:** Not specified in the text.
**Victims:** Specific organizations not named, though delivery involved masquerading as common communication tools.
## Tools & Infrastructure
**Malware Families Used:**
- **Backdoors:** SilentPrism (sets persistence, remote control, shell execution), DarkWisp (reconnaissance, data exfiltration).
- **Loaders:** MSC EvilTwin loader (weaponizes CVE-2025-26633).
- **Information Stealers:** Rhadamanthys Stealer, StealC, and custom variants (EncryptHub Stealer variants A, B, and C, which are modified versions of Kematian Stealer).
- **Other Malware Dropped:** Lumma Stealer, Amadey, clippers.
- **Remote Access:** AnyDesk software is downloaded for remote access post-infection.
**Infrastructure:**
- **C2 Communication:** DarkWisp uses a TCP connection on port 8080, accepting commands in the format `COMMAND|`.
- **C2 Communication (General):** Operators send Base64-encoded remote commands.
- **IPs/Domains:** Infrastructure shifted from initial GitHub hosting to dedicated C&C infrastructure. One observed C&C IP: `82.115.223[.]182`.
## Implications
Water Gamayun is a highly adaptable and sophisticated threat actor utilizing zero-day vulnerabilities (CVE-2025-26633) and modern LOLBin techniques (runnerw.exe) to achieve deep system compromise. Their arsenal focuses heavily on persistent access and comprehensive data theft, including sensitive credentials, Wi-Fi passwords, and cryptocurrency-related recovery phrases, indicating high-value espionage or financial motivations. The use of signed MSI packages for delivery significantly increases initial trust and bypasses common security controls.
## Mitigations
- Immediately patch systems against **CVE-2025-26633**.
- Monitor for the exploitation of the Microsoft Management Console framework, specifically regarding suspicious `.msc` file execution.
- Implement strict controls over the execution of non-standard applications or scripts launched via legitimate processes like `runnerw.exe` (IntelliJ binary).
- Increase scrutiny of delivery mechanisms such as malicious provisioning packages (.ppkg) and signed Microsoft Installer files (.msi) impersonating common communication tools.
- Monitor network traffic for C&C communications on non-standard ports (e.g., TCP 8080) and anomalous command structures.
- Enforce strict application control to limit the execution of downloaded PowerShell scripts.
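As an added example (not part of the report or any vendor tooling), the following Python turns the execution TTPs listed above and the monitoring items in this list into three process-creation rules run over constructed Sysmon-style events; the field names, file paths, and the "built-in consoles live under the Windows system directories" heuristic are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (sample data, not from the report).
SAMPLE_EVENTS = [
    # 1: MMC opening a .msc file from a user-writable location (rogue-console pattern)
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\AppData\Local\Temp\WF.msc"'},
    # 2: IntelliJ process launcher proxying PowerShell (LOLBin pattern)
    {"parent": r"C:\Users\alice\AppData\Local\JetBrains\bin\runnerw.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    # 3: PowerShell spawned by the MSI installer service (post-install downloader pattern)
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Users\alice\AppData\Local\Temp\downloader.ps1"},
    # 4: benign: an administrator opening the built-in Services console
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\services.msc'},
]

# Extracts drive-letter paths ending in .msc from a command line (quoted or not).
MSC_PATH = re.compile(r'"?([A-Za-z]:\\[^"\s]+?\.msc)"?', re.IGNORECASE)
# Heuristic (assumption): built-in consoles ship under these directories.
TRUSTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list:
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    parent, image, cmdline = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if image == "mmc.exe":
        # Flag any .msc argument that does not live under the trusted system directories.
        if any(not m.group(1).lower().startswith(TRUSTED_MSC_DIRS) for m in MSC_PATH.finditer(cmdline)):
            hits.append("msc_from_untrusted_path")
    if parent == "runnerw.exe" and image in SCRIPT_HOSTS:
        hits.append("runnerw_proxy_execution")
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
        hits.append("msi_spawned_script_host")
    return hits


def detect(events: list) -> list:
    """Return (1-based event index, rule name) pairs for every rule hit in the batch."""
    return [(i, rule) for i, ev in enumerate(events, 1) for rule in classify(ev)]
```

Feeding real Sysmon Event ID 1 records into `detect` only requires mapping ParentImage, Image, and CommandLine onto the three keys used here.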