Water Gamayun, a Russia‑aligned advanced persistent threat (APT) group, has launched a new multi‑stage intrusion campaign that weaponizes the recently disclosed MSC EvilTwin vulnerability in Windows Microsoft Management Console (MMC).
Leveraging a blend of compromised infrastructure, social engineering, and heavily obfuscated PowerShell, the attackers exploited CVE‑2025‑26633 to inject malicious code into mmc.exe, ultimately delivering hidden payloads and final malware loaders while minimizing user suspicion.
The attack chain begins with a seemingly harmless Bing search for “belay,” which returns a result for the legitimate BELAY Solutions domain, belaysolutions[.]com.
That site was likely injected with malicious JavaScript designed to silently redirect users to a newly registered lookalike domain, belaysolutions[.]link.
There, victims were offered what appeared to be a PDF brochure: a double‑extension file named Hiring_assistant.pdf.rar, exploiting user trust in recognizable document formats.
When opened, the RAR archive drops an .msc file masquerading as a safe document asset. This file becomes the pivot point for exploiting MSC EvilTwin, transforming a routine user interaction into a foothold for a sophisticated PowerShell‑driven intrusion.
MSC EvilTwin (CVE‑2025‑26633)
The core of the operation centers on CVE‑2025‑26633, an MSC EvilTwin vulnerability in MMC’s multilingual path resolution.
When the user launches the dropped .msc, mmc.exe resolves malicious MUI paths that load a rogue snap‑in instead of the legitimate one.

Embedded TaskPad commands inside this snap‑in execute a Base64‑encoded PowerShell payload via -EncodedCommand, initiating the first hidden script stage without any visible prompts.
This abuse of a trusted Windows binary allows the attackers to proxy execution through mmc.exe, complicating behavioral detection and blending malicious activity into administrative tooling commonly found in enterprise environments.
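The proxy‑execution pattern above (mmc.exe opening a dropped .msc, then spawning PowerShell with -EncodedCommand) is what a defender should hunt for in process‑creation telemetry. The following is an added example written for this page, not Zscaler's or the campaign's code: it runs three heuristics over constructed events shaped like Sysmon Event ID 1 records. Field names (Image, ParentImage, CommandLine), the sample events and the dropped .msc filename are assumptions; the page does not give the .msc name.

```python
"""Hunt for MMC-proxied PowerShell in process-creation telemetry (added example)."""
import re
from typing import Dict, List

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?(?=\s|$)")
# Locations a user-extracted archive would typically drop a .msc into (heuristic)
USER_WRITABLE = re.compile(r"(?i)\\(?:Downloads|Temp|AppData)\\")
# First .msc argument on an mmc.exe command line, quoted or not
MSC_ARG = re.compile(r'(?i)"?([^"\s]+\.msc)"?')


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return the detection reasons that apply to one process-creation event."""
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []

    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "mmc.exe":
            reasons.append("PowerShell spawned by mmc.exe (execution proxied through an MMC snap-in)")
        if ENCODED_SWITCH.search(cmd):
            reasons.append("PowerShell launched with -EncodedCommand")
    if image == "mmc.exe":
        match = MSC_ARG.search(cmd)
        if match and USER_WRITABLE.search(match.group(1)):
            reasons.append(f"mmc.exe opened a .msc from a user-writable path: {match.group(1)}")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of events that triggered at least one reason."""
    return [i for i, ev in enumerate(events) if analyze_event(ev)]


# Constructed sample events: two mimic the campaign, two are benign admin activity.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\jdoe\Downloads\Hiring_assistant\dropped.msc"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"powershell.exe -w hidden -enc SQBFAFgAIAAo"},  # constructed, truncated blob
    {"Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for reason in analyze_event(SAMPLE_EVENTS[idx]):
            print("   -", reason)
```

The parent/child rule is the strongest signal: mmc.exe has no routine reason to start PowerShell, whereas -EncodedCommand alone appears in legitimate automation and should be weighted, not blocked outright. The user‑writable‑path rule is deliberately a heuristic; tune the path list to where your archiver and browser actually write.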
The Stage‑1 PowerShell script downloads UnRAR.exe and a password‑protected RAR archive, extracts the next‑stage payload, introduces short delays, and then uses Invoke-Expression to run the extracted script.
This script is heavily obfuscated, using nested Base64 with UTF‑16LE encoding and underscore‑based string cleanup, a hallmark of Water Gamayun tradecraft.
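To triage a sample that layers Base64 over UTF‑16LE and pads the encoded string with underscores, an analyst needs to peel those layers back before any indicator matching makes sense. The decoder below is an added example, not Zscaler's tooling or a script recovered from the campaign: it builds a constructed, harmless stand‑in for the obfuscated command line (the inner script only writes a string), strips the underscore padding, decodes each Base64 layer, picks UTF‑16LE or UTF‑8 by inspecting the bytes, and labels the tradecraft indicators found in each recovered layer. The indicator list and the 40‑character candidate threshold are assumptions chosen for this example.

```python
"""Peel nested Base64/UTF-16LE PowerShell layers with underscore cleanup (added example)."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Runs of Base64 alphabet plus the '_' filler the obfuscator sprinkles in
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/_=]{40,}")

# Tradecraft the page describes, mapped to regexes that spot it in a decoded layer
INDICATORS: Dict[str, re.Pattern] = {
    "invoke-expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "base64-decode": re.compile(r"(?i)FromBase64String"),
    "underscore-cleanup": re.compile(r"(?i)\.Replace\('_',\s*''\)"),
    "web-download": re.compile(r"(?i)DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"),
    "delay": re.compile(r"(?i)Start-Sleep"),
    "window-hiding": re.compile(r"(?i)ShowWindow|Add-Type"),
}


def try_decode(blob: str) -> Optional[str]:
    """Base64-decode a cleaned blob and return it as text, or None if it is not text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        # -EncodedCommand payloads are UTF-16LE: for ASCII content every odd byte is NUL
        if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
            return raw.decode("utf-16-le")
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def unwrap(text: str, max_depth: int = 8) -> List[str]:
    """Return [original, layer1, layer2, ...] until no further Base64 layer decodes."""
    layers = [text]
    for _ in range(max_depth):
        decoded = None
        for candidate in B64_CANDIDATE.findall(layers[-1]):
            decoded = try_decode(candidate.replace("_", ""))  # underscore-based cleanup
            if decoded:
                break
        if not decoded:
            break
        layers.append(decoded)
    return layers


def find_indicators(layer: str) -> List[str]:
    """Return the labels of INDICATORS present in one decoded layer."""
    return [label for label, rx in INDICATORS.items() if rx.search(layer)]


def build_sample() -> str:
    """Construct a harmless two-layer stand-in that mirrors the obfuscation shape."""
    inner = "Write-Output 'stage-2 placeholder'"
    inner_b64 = base64.b64encode(inner.encode("utf-16-le")).decode()
    noisy = "_".join(inner_b64[i:i + 4] for i in range(0, len(inner_b64), 4))
    middle = (f"$s='{noisy}'.Replace('_','');"
              "iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($s)))")
    outer = base64.b64encode(middle.encode("utf-16-le")).decode()
    return f"powershell.exe -w hidden -EncodedCommand {outer}"


if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(build_sample())):
        print(f"layer {depth}: {layer[:80]!r} indicators={find_indicators(layer)}")
```

Real samples add noise the example does not (string concatenation, format operators, reversed strings), so treat unwrap as the first pass of a triage script rather than a complete deobfuscator; the UTF‑16LE heuristic is the part most worth keeping, since it is what makes an -EncodedCommand blob readable at all.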
Stage‑2 PowerShell compiles a minimal .NET class named WinHpXN to call the Win32 ShowWindow API, hiding console windows to minimize user awareness.
It then opens a benign‑looking decoy PDF to maintain the illusion of a normal document interaction while downloading, extracting, and executing the final loader ItunesC.exe multiple times for persistence.

Throughout these stages, password‑protected archives, strong 21‑character alphanumeric passwords, and randomized paths are used to frustrate sandboxing and static analysis.
Attribution to Water Gamayun
The final binary, iTunesC.exe, is responsible for installing backdoors or information‑stealing malware.
While the exact family could not be confirmed due to non‑responsive command‑and‑control (C2) infrastructure, Water Gamayun’s known arsenal includes backdoors such as SilentPrism and DarkWisp and stealers like EncryptHub and Rhadamanthys, any of which could feasibly be deployed in this stage.
Zscaler Threat Hunting attributed this campaign to Water Gamayun with high confidence by correlating multiple factors: rare exploitation of MSC EvilTwin (CVE‑2025‑26633), distinctive PowerShell obfuscation patterns, the use of the WinHpXN window‑hiding .NET stub, dual‑path infrastructure hosted on a single IP (103[.]246[.]147[.]17 with randomized prefixes like /cAKk9xnTB/ and /yyC15x4zbjbTd/), and consistent employment‑themed and consumer‑style lures such as “Hiring_assistant.pdf” and “iTunesC.”
Together, these elements reflect Water Gamayun’s broader 2025 playbook: exploiting novel vulnerabilities, abusing trusted binaries, and layering obfuscation and OPSEC to quietly harvest credentials, exfiltrate sensitive data, and maintain long‑term footholds in high‑value enterprise and government networks.
Indicators of Compromise (IoCs)
| Type | Indicator | Hash/Value |
|---|---|---|
| File Hash | Hiring_assistant.pdf.rar | MD5: ba25573c5629cbc81c717e2810ea5afc |
| File Hash | UnRAR.exe | MD5: f3d83363ea68c707021bde0870121177 |
| File Hash | as_it_1_fsdfcx.rar | MD5: 97e4a6cbe8bda4c08c868f7bcf801373 |
| File Hash | as_it_1_fsdfcx.txt | MD5: caaaef4cf9cf8e9312da1a2a090f8a2c |
| File Hash | doc.pdf | MD5: f645558e8e7d5e4f728020af6985dd3f |
| File Hash | ItunesC.rar | MD5: e4b6c675f33796b6cf4d930d7ad31f95 |
| Archive Password | k5vtzxdeDzicRCT | k5vtzxdeDzicRCT |
| Archive Password | jkN5yyC15x4zbjbTdUS3y | jkN5yyC15x4zbjbTdUS3y |
| IP Address | 103.246.147.17 | 103.246.147.17 |
| Network Path | /cAKk9xnTB/UnRAR.exe | /cAKk9xnTB/UnRAR.exe |
| Network Path | /cAKk9xnTB/as_it_1_fsdfcx.rar | /cAKk9xnTB/as_it_1_fsdfcx.rar |
| Network Path | /cAKk9xnTB/doc.pdf | /cAKk9xnTB/doc.pdf |
| Network Path | /yyC15x4zbjbTd/ItunesC.rar | /yyC15x4zbjbTd/ItunesC.rar |
| Domain | belaysolutions[.]com | Legitimate, potentially compromised |
| Domain | belaysolutions[.]link | Malicious |
