Summary: A suspected Russian threat actor tracked as Water Gamayun (also known as EncryptHub) is exploiting CVE-2025-26633, a security feature bypass in the Microsoft Management Console (MMC), to deliver two backdoors, SilentPrism and DarkWisp. The group distributes malicious provisioning packages and signed .msi installers that execute commands and steal sensitive data. Its tooling has evolved to include persistence mechanisms, resilient command and control, and stealthy data exfiltration.
Affected: Microsoft Windows systems not patched against CVE-2025-26633, and the organizations running them
Keypoints:
- Water Gamayun employs malicious provisioning packages and signed installer files to deliver payloads.
- SilentPrism and DarkWisp give the operators remote command execution and data exfiltration, and both carry anti-analysis features.
- The group has been linked to various malware, including Rhadamanthys Stealer and custom variants of EncryptHub Stealer.
- Attack methods include a rogue .msc (Microsoft Management Console) file that triggers the CVE-2025-26633 bypass, and the distribution of further malware variants.
- The threat actors adapt quickly, using living-off-the-land techniques such as abusing the IntelliJ process launcher to run their payloads.
Source: https://thehackernews.com/2025/03/russian-hackers-exploit-cve-2025-26633.html
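Added example (not from the article or from the research it reports on): a small Python hunt that turns the keypoints above into heuristics over constructed Sysmon-style process-creation events. Assumptions are marked in the comments: the IntelliJ process launcher is taken to be JetBrains' runnerw.exe, provtool.exe is assumed to be the handler Windows invokes for .ppkg files, and the user-writable path list is illustrative rather than exhaustive.

```python
"""Hunting heuristics for the Water Gamayun tradecraft summarised above, applied to
constructed Sysmon-style process-creation events. Added example; not the article's
own material and not the original researchers' detection logic."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Paths under which an attacker-staged .msc/.msi/.ppkg would typically sit (illustrative list).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\|\\temp\\|\\programdata\\",
    re.IGNORECASE)
# Built-in management consoles ship from here; a .msc loaded from anywhere else is worth a look.
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

# Assumption: the "IntelliJ process launcher" named in the keypoints is JetBrains' runnerw.exe.
IDE_LAUNCHERS = {"runnerw.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcEvent:
    image: str           # full path of the created process
    parent_image: str    # full path of its parent
    command_line: str


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def path_with_ext(cmdline: str, ext: str) -> Optional[str]:
    """Return the first drive-letter path ending in .ext on the command line, quoted or bare."""
    pat = r'"([A-Za-z]:\\[^"]+?\.%s)"|([A-Za-z]:\\\S+?\.%s)(?=\s|$)' % (ext, ext)
    m = re.search(pat, cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def hunt(events: List[ProcEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)

        # Rogue .msc (CVE-2025-26633 lure): mmc.exe opening a console file that is not in System32.
        if img == "mmc.exe":
            msc = path_with_ext(ev.command_line, "msc")
            if msc and not SYSTEM32.match(msc):
                findings.append(Finding("rogue_msc", msc))

        # Signed .msi run from a download/temp location; a valid signature does not make it benign.
        if img == "msiexec.exe":
            msi = path_with_ext(ev.command_line, "msi")
            if msi and USER_WRITABLE.search(msi):
                findings.append(Finding("staged_msi", msi))

        # Provisioning package (.ppkg) applied from a user-writable path, whatever process handles it.
        ppkg = path_with_ext(ev.command_line, "ppkg")
        if ppkg and USER_WRITABLE.search(ppkg):
            findings.append(Finding("provisioning_package", ppkg))

        # Living off the land: a script host spawned by the IDE launcher instead of by the IDE or explorer.
        if parent in IDE_LAUNCHERS and img in SCRIPT_HOSTS:
            findings.append(Finding("ide_launcher_proxy", f"{parent} -> {img}"))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry for the demo, not real logs
    ProcEvent(r"C:\Windows\System32\mmc.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\AppData\Local\Temp\console.msc"'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\viewer-setup.msi" /qn'),
    # Assumption: provtool.exe is the handler Windows uses when a .ppkg is opened.
    ProcEvent(r"C:\Windows\System32\provtool.exe", r"C:\Windows\explorer.exe",
              r'provtool.exe /runtime "C:\Users\alice\Downloads\enroll.ppkg"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Temp\runnerw.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\s.ps1"),
    # Benign control: a built-in console opened from its normal location.
    ProcEvent(r"C:\Windows\System32\mmc.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.detail}")
```

These are hunting leads, not verdicts: administrators legitimately open custom consoles from file shares, and developers trigger script hosts through the IDE launcher all day. Triage hits by the signer and origin of the .msi, the contents of the .msc, and what the spawned script host went on to do, and treat patching CVE-2025-26633 (fixed in the March 2025 Windows updates) as the control that removes the lure's value.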