Russian threat actor weaponized Microsoft Management Console flaw
A prolific Russian threat actor is exploiting a zero-day flaw in the Microsoft Management Console (MMC) framework to execute malicious code on targeted systems in an ongoing cyberattack campaign that puts unpatched systems at risk.
The attacks, by a group that Trend Micro tracks as Water Gamayun, use the CVE-2025-26633 vulnerability, also known as MSC Evil Twin, to manipulate .msc files and the MMC console's Multilingual User Interface Path (MUIPath). From there the attacker, better known as EncryptHub, downloads and executes malicious payloads, maintains persistence and steals sensitive data from infected systems.
Microsoft patched MSC Evil Twin as part of its March Patch Tuesday raft of fixes on March 11. The flaw was still a zero-day when EncryptHub exploited it by executing malicious .msc files through a legitimate one, according to Trend Micro. The flaw allows an attacker to bypass a security feature in the MMC after convincing a victim to click on a malicious link or open a malicious file. The weakness stems from the console’s failure to properly sanitize user input.
In EncryptHub’s attack, two .msc files with the same name are created on the system by the Trojan loader, according to Trend Micro. “One file is clean and appears legitimate with no suspicious elements; the other is a malicious version that is dropped in the same location,” Trend Micro team leader and staff researcher Aliakbar Zahravi wrote in a blog post published this week. “When the clean .msc file is run, mmc.exe loads the malicious file instead of the original file” and executes it.
The attack also abuses the Multilingual User Interface Path (MUIPath) feature of mmc.exe. For the default system language, English (United States), MUIPath points at an en-US subfolder that typically contains MUI files (.mui), which store language-specific resources for applications such as localized text, dialogs and user interface elements tailored for different languages.
“By abusing the way that mmc.exe uses MUIPath, the attacker can equip MUIPath en-US with a malicious .msc file, which causes the mmc.exe [to] load this malicious file instead of the original file and execute without the victim’s knowledge,” Zahravi explained.
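The on-disk layout the two paragraphs above describe, a clean console.msc beside an en-US\console.msc that mmc.exe resolves through MUIPath, is something a defender can hunt for directly. The following script is an added example written for this page, not Trend Micro's or Microsoft's code: it walks a directory tree, flags every .msc that has a same-named twin inside a sibling en-US folder, and records whether the two files are byte-identical. The folder name en-US is taken from the researcher's description quoted above; the sample tree the script builds is constructed for the demonstration and contains no real console content or malware.

```python
"""Hunt for the MSC Evil Twin layout: <dir>/<name>.msc with a same-named
<dir>/en-US/<name>.msc that mmc.exe would load via MUIPath instead.
Added example for this page; the sample tree below is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Language folder named in the Trend Micro write-up quoted on this page.
# Assumption: other locales could be added here if a host uses them.
MUI_DIRS = ("en-US",)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large consoles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_msc_twins(root) -> list:
    """Return one record per <dir>/<name>.msc that has a twin in <dir>/<lang>/<name>.msc.

    Legitimate MUI folders hold .mui resource files, not .msc consoles, so any
    same-named .msc inside the language folder is worth a look. The record
    notes whether the pair is byte-identical so an analyst can triage quickly.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for fn in filenames:
            if not fn.lower().endswith(".msc"):
                continue
            for lang in MUI_DIRS:
                twin = d / lang / fn
                if twin.is_file():
                    clean = d / fn
                    findings.append({
                        "clean": str(clean),
                        "twin": str(twin),
                        "same_content": sha256_of(clean) == sha256_of(twin),
                    })
    return findings


def build_demo_tree() -> str:
    """Constructed sample layout (no real consoles or payloads); returns its root."""
    root = Path(tempfile.mkdtemp(prefix="msc_twin_"))
    # Case 1: the Evil Twin layout from the article, contents differ.
    tools = root / "tools"
    (tools / "en-US").mkdir(parents=True)
    (tools / "console.msc").write_text("<?xml?><MMC_ConsoleFile>clean</MMC_ConsoleFile>")
    (tools / "en-US" / "console.msc").write_text("<?xml?><MMC_ConsoleFile>twin</MMC_ConsoleFile>")
    # Case 2: a console whose en-US folder holds only a .mui resource (benign).
    admin = root / "admin"
    (admin / "en-US").mkdir(parents=True)
    (admin / "services.msc").write_text("<?xml?><MMC_ConsoleFile>clean</MMC_ConsoleFile>")
    (admin / "en-US" / "services.msc.mui").write_bytes(b"MZ\x90\x00")
    return str(root)


def demo() -> list:
    """Build the constructed tree and return the findings for it."""
    return find_msc_twins(build_demo_tree())


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['clean']} -> twin {hit['twin']} (identical={hit['same_content']})")
```

Run it against a real host by calling find_msc_twins on the paths where users keep consoles (download folders, shared admin tool directories); a hit shows the layout, not that mmc.exe actually executed the twin, so confirm with process and file-creation telemetry before treating it as an incident.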
The payloads EncryptHub deploys through this vector are a mix of custom and commodity tooling: the EncryptHub stealer, the DarkWisp backdoor, the SilentPrism backdoor and the Rhadamanthys stealer.
Organizations at risk of cyberattack
Enterprises that heavily use Microsoft’s administrative tools are especially susceptible to these attacks, which can lead to data breaches and substantial financial loss, according to Trend Micro. The company did not respond to a request for more details on the organizations EncryptHub is targeting.
EncryptHub is believed to be the work of a single threat actor who, in addition to Water Gamayun, also goes by the name Larva-208. That threat actor first became active in late June 2024 and went on a ransomware rampage, infecting more than 600 organizations with a “highly sophisticated” and personalized spear-phishing initial attack vector, according to researchers at cyber intelligence firm Catalyst.
The attacker’s prior knowledge of the flaw gave it a significant advantage over defenders, who need to get better at finding security holes before they are exploited, one security expert noted. “It is imperative that the defensive community work with vulnerability researchers to obtain access to the awareness of these flaws before the attackers do,” Evan Dornbush, former computer network operator for the National Security Agency and security entrepreneur, said via email. “Defenders cannot keep playing whack-a-mole indefinitely, and attackers keep hitting organizations where they don’t even know they are vulnerable.”
In a statement emailed to Cybersecurity Dive, a Microsoft spokesperson said: “We greatly appreciate Trend Micro Zero Day Initiative for their research and for responsibly reporting it under a coordinated vulnerability disclosure. Customers who have installed the update are already protected.”
Editor’s note: This story has been updated to include additional details from Microsoft.