CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

Water Gamayun not only uses these techniques in this loader, but also extensively applies them in other modules to download and execute next-stage payloads or plugins from the server. By leveraging these techniques, attackers can proxy the execution of malicious payload through legitimate Windows binaries by running non-malicious files.

Conclusion

Trend Research’s investigation into this campaign demonstrates Water Gamayun’s approach to exploiting vulnerabilities within the MMC framework. By abusing a vulnerability in the MMC framework, which we have designated as MSC EvilTwin (CVE-2025-26633), this threat actor has effectively devised a method to execute malicious code on infected machines. In this installment of our two-part series, we focused on the technical aspects of the MSC EvilTwin technique and the Trojan loader used to exploit this vulnerability. This attack employs multiple innovative techniques to maintain persistence and exfiltrate sensitive data, leveraging the manipulation of .msc files and Microsoft’s MUIPath.

Our findings revealed that this campaign is actively developing, utilizing various delivery methods and custom payloads, as detailed in the modules deployed by Water Gamayun, including EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer.

Through the collaboration between Microsoft and the Trend ZDI, this zero-day attack has been disclosed and a patch has quickly been issued to address it. Enterprises need comprehensive cybersecurity solutions to combat the evolving threats exemplified by campaigns such as those conducted by Water Gamayun. With techniques that exploit vulnerabilities like MSC EvilTwin, a layered approach and advanced cybersecurity solutions are vital for safeguarding digital assets in a landscape where threat actors are continuously refining their tactics.

Proactive security with Trend Vision One™ 

Organizations can protect themselves from attacks such as those employed by Water Gamayun with Trend Vision One™ – the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry’s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.

Trend protections for CVE-2025-26633

The following protections have been available to Trend Micro customers: 

Trend Vision One™ – Network Security

TippingPoint Intrusion Prevention Filters

• 45359: TCP: Backdoor.Shell.DarkWisp.A Runtime Detection
• 45360: HTTP: Trojan.Shell.EncryptHubStealer.B Runtime Detection
• 45361: HTTP: Backdoor.Shell.SilentPrism.A Runtime Detection
• 45594: HTTP: Trojan.Shell.EncryptHubStealer.B Runtime Detection (Notification Request)
• 45595: HTTP: Trojan.Shell.MSCEvilTwin.A Runtime Detection (Payload – Server Response)

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats..

Trend Vision One Intelligence Reports App [IOC Sweeping]

• ZDI-CAN-26371 (CVE-2025-26633): Water Gamayun exploit MSC EvilTwin Zero-Day

Trend Vision One Threat Insights App

Hunting Queries 

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.   

Monitor for network connections to suspicious C&C IPs

eventId:3 AND eventSubId:204 AND (dst:”82.115.223.182″)

Look for processes (mmc.exe) executing .msc files from unusual paths

eventSubId:2 AND processFilePath:”*\mmc.exe” AND processFilePath:”*\powershell.exe” AND objectFilePath:”C:\\Windows \System32\*.msc”

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.

Indicators of Compromise (IOCs)

The indicators of compromise for this entry can be found here.

Read More HERE