FOCUS MODE
EXTRACT IOC
Threat Research

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

TrendMicro
CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin
Trend Research has identified a campaign by the Russian threat actor Water Gamayun that exploits CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console framework. This allows attackers to execute malicious code, download payloads, and steal sensitive data. The attack leverages manipulated .msc files and the Multilingual User Interface Path (MUIPath) to maintain persistence on affected systems. This threat poses significant risks to businesses heavily reliant on Microsoft administrative tools. Efforts to disclose the vulnerability and release a patch were coordinated by Microsoft and Trend’s Zero Day Initiative. Affected: Microsoft Management Console, Enterprises using Microsoft tools

Keypoints :

  • Water Gamayun is a Russian threat actor exploiting a zero-day vulnerability (CVE-2025-26633) in the Microsoft Management Console.
  • The attack involves executing malicious code through manipulated .msc files using a technique called MSC EvilTwin.
  • Hackers can maintain persistence, exfiltrate sensitive data, and execute malicious payloads on infected systems.
  • Collaboration between Microsoft and Trend’s Zero Day Initiative led to swift disclosure and patching of the vulnerability.
  • The attack method leverages various techniques, including MUIPath manipulation and exploiting ActiveX controls.
  • Multiple tools and modules are utilized by Water Gamayun, including backdoors and data stealers.

MITRE Techniques :

  • Execution via External Remote Services (T1203): Utilizing .msc files with embedded malicious scripts to execute commands on the victim’s machine.
  • Command and Control (T1071): Leveraging C&C servers to exfiltrate data from compromised systems.
  • Abuse Elevation Control Mechanism (T1068): Exploiting MUIPath interaction to run malicious files unnoticed by the user.

Indicator of Compromise :

  • [MD5] D630809A33B23282C96715DC58CF522D
  • [MD5] 4c1bbfda8d480bf515a865117c6d2d42
  • [IP] 82.115.223.182
  • [Url] hxxps://82[.]115.223.182/encrypthub/ram/
  • [IoC Type] C&C Server IP 82.115.223.182

Full Story: https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html

Tags: VULNERABILITY, WINDOWS, FIREWALL, HUNT, BROWSER, HUNTING, ZERO-DAY, PAYLOAD