A sophisticated campaign has emerged, orchestrated by Russian threat actors who are exploiting a critical zero-day vulnerability in the Microsoft Management Console (MMC). This vulnerability, identified as CVE-2025-26633, allows malicious actors to bypass security features and execute harmful code on targeted systems.
Trend Research has pinpointed the Russian hacking group Water Gamayun—also known as EncryptHub and Larva-208—as the primary threat actor behind this alarming campaign.
MMC Zero-Day Vulnerability Exploited
The group has ingeniously weaponized the vulnerability, referred to as “MSC EvilTwin,” to deploy a variety of malicious payloads, which include information stealers and backdoors. The recent attack takes advantage of a previously unidentified flaw within the MMC framework, a fundamental component for system administration and configuration in Windows environments, as detailed by Aliakbar Zahravi of Trend Micro.
By manipulating Microsoft Console (.msc) files and exploiting the Multilingual User Interface Path (MUIPath) feature, attackers can deceive the system into executing malicious code while masquerading as legitimate administrative tools.
Security experts caution that the ramifications of this vulnerability extend well beyond immediate code execution. Successful exploitation could facilitate lateral movement within networks, data exfiltration, and even the deployment of ransomware.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory, incorporating CVE-2025-26633 into its Known Exploited Vulnerabilities Catalog and mandating that federal agencies patch affected systems by April 1, 2025.
The gravity of the threat is further emphasized by its inclusion in Microsoft’s March 2025 Patch Tuesday update, which addressed a total of six actively exploited zero-day vulnerabilities. Chris Goettl, vice president of product management for security products at Ivanti, highlighted the critical nature of this month’s updates, stating, “While the initial appearance of the March Patch Tuesday may seem gentle, this lamb could possess the ferocity of a lion.”
Water Gamayun’s arsenal in this campaign is particularly alarming. Researchers have identified several modules associated with the attack, including:
- EncryptHub stealer
- DarkWisp backdoor
- SilentPrism backdoor
- MSC EvilTwin loader
- Stealc
- Rhadamanthys stealer
These tools empower the threat actors to maintain persistence on compromised systems and exfiltrate sensitive data to command-and-control servers.
The vulnerability poses a risk to a broad spectrum of Windows versions, with older systems such as Windows Server 2016 and earlier being particularly vulnerable due to weaker default protections. However, even modern Windows installations are not immune to this threat.
To mitigate the risk, organizations are strongly encouraged to:
- Apply the latest security patches immediately, prioritizing systems utilizing MMC for remote administration.
- Restrict network access to MMC ports and enforce network segmentation.
- Implement robust monitoring for anomalous MMC activity and unusual process creation.
- Audit MMC usage and limit administrative privileges across the network.
Microsoft recommends disabling remote MMC access for systems that cannot be patched immediately, although this may disrupt certain IT workflows.
As attackers continue to refine their tactics and target critical system components, maintaining vigilant cybersecurity practices and prompt patching remains essential for organizations and individuals alike.
Given the potential for this vulnerability to be chained with other recently disclosed flaws affecting Windows file systems and kernel components, the urgency to address these security issues cannot be overstated.
As the security community delves deeper into the full scope of the Water Gamayun campaign, users are urged to stay informed and take immediate action to safeguard their systems from this significant threat.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
