The menace actors behind the zero-day exploitation of a recently-patched safety vulnerability in Microsoft Home windows have been discovered to ship two new backdoors known as SilentPrism and DarkWisp.
The exercise has been attributed to a suspected Russian hacking group known as Water Gamayunwhich is also referred to as EncryptHub and LARVA-208.
“The menace actor deploys payloads primarily by way of malicious provisioning packages, signed .msi information, and Home windows MSC information, utilizing methods just like the IntelliJ runnerw.exe for command execution,” Development Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim stated in a follow-up evaluation revealed final week.
Water Gamayun has been linked to the lively exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability within the Microsoft Administration Console (MMC) framework, to execute malware by way of a rogue Microsoft Console (.msc) file.
The assault chains contain the usage of provisioning packages (.ppkg), signed Microsoft Home windows Installer information (.msi), and .msc information to ship info stealers and backdoors which can be able to persistence and knowledge theft.
EncryptHub gained consideration in direction of the top of June 2024, after having used a GitHub repository named “encrypthub” to push varied sorts of malware households, together with stealers, miners, and ransomware, by way of a pretend WinRAR web site. The menace actors have since transitioned to their infrastructure for each staging and command-and-control (C&C) functions.
The .msi installers used within the assaults masquerade as official messaging and assembly software program equivalent to DingTalk, QQTalk, and VooV Assembly. They’re designed to execute a PowerShell downloader, which is then used to fetch and run the next-stage payload on a compromised host.
One such malware is a PowerShell implant dubbed SilentPrism that may arrange persistence, execute a number of shell instructions concurrently, and keep distant management, whereas additionally incorporating anti-analysis methods to evade detection. One other PowerShell backdoor of be aware is DarkWisp, which allows system reconnaissance, exfiltration of delicate knowledge, and persistence.
“As soon as the malware exfiltrates reconnaissance and system info to the C&C server, it enters a steady loop ready for instructions,” the researchers stated. “The malware accepts instructions via a TCP connection on port 8080, the place instructions arrive within the format COMMAND|
“The primary communication loop ensures steady interplay with the server, dealing with instructions, sustaining connectivity, and securely transmitting outcomes.”
The third payload dropped within the assaults is the MSC EvilTwin loader that weaponizes CVE-2025-26633 to execute a malicious .msc file, in the end resulting in the deployment of the Rhadamanthys Stealer. The loader can be designed to carry out a cleanup of the system to keep away from leaving a forensic path.
Rhadamanthys is much from the one stealer in Water Gamayun’s arsenal, for it has been noticed delivering one other commodity stealer known as StealC, in addition to three customized PowerShell variants known as EncryptHub Stealer variant A, variant B, and variant C.
The bespoke stealer is fully-featured malware that may acquire in depth system info, together with particulars about antivirus software program, put in software program, community adapters, and operating functions. It additionally extracts Wi-Fi passwords, Home windows product keys, clipboard historical past, browser credentials, and session knowledge from varied apps associated to messaging, VPN, FTP, and password administration.
Moreover, it particularly singles out information matching sure key phrases and extensions, indicating a give attention to gathering restoration phrases related to cryptocurrency wallets.
“These variants exhibit comparable functionalities and capabilities, with solely minor modifications distinguishing them,” the researchers famous. “All EncryptHub variants coated on this analysis are modified variations of the open-source Stealer’s dying.”
One iteration of EncryptHub Stealer is noteworthy for the usage of a brand new living-off-the-land binary (LOLBin) method wherein the IntelliJ course of launcher “runnerw.exe” is used to proxy the execution of a distant PowerShell script on an contaminated system.
The stealer artifacts, distributed via malicious MSI packages or binary malware droppers, have additionally been discovered to propagate different malware households like Lumma Stealer, Amadey, and clippers.
Additional evaluation of the menace actor’s C&C infrastructure (“82.115.223[.]182”) has revealed the usage of different PowerShell scripts to obtain and execute AnyDesk software program for distant entry and the flexibility of the operators to ship Base64-encoded distant instructions to the sufferer machine.
“Water Gamayun’s use of assorted supply strategies and methods in its marketing campaign, equivalent to provisioning malicious payloads via signed Microsoft Installer information and leveraging LOLBins, highlights their adaptability in compromising victims’ methods and knowledge,” Development Micro stated.
“Their intricately designed payloads and C&C infrastructure allow the menace actor to keep up persistence, dynamically management contaminated methods, and obfuscate their actions.”
#Russian #Hackers #Exploit #CVE202526633 #MSC #EvilTwin #Deploy #SilentPrism #DarkWisp