CVE-2025-26633: How Water Gamayun Utilizes MUIPath in MSC EvilTwin Weaponization

Water Gamayun uses these methods beyond this loader: other components rely on them extensively to retrieve and run follow-on payloads or plugins from the server. These approaches let the attackers proxy execution of malicious payloads through legitimate Windows executables that are launched with seemingly benign files.

Wrap-up

Trend Research's analysis of this attack shows how Water Gamayun capitalizes on weaknesses in the MMC framework. By exploiting an MMC vulnerability, tracked as MSC EvilTwin (CVE-2025-26633), the threat actor has devised a way to execute malicious commands on compromised systems. The first part of this two-part series focused on the technical details of the MSC EvilTwin technique and the Trojan loader used to exploit the vulnerability. The intrusion relies on several clever tricks to maintain persistence and exfiltrate sensitive information, built on the manipulation of .msc files and Microsoft's MUIPath.

Our findings indicate that this campaign is under active development, using multiple delivery methods and custom payloads, as seen in the modules Water Gamayun deploys: the EncryptHub stealer, the DarkWisp backdoor, the SilentPrism backdoor, and the Rhadamanthys stealer.

Through collaboration between Microsoft and Trend ZDI, this zero-day attack was disclosed and a patch promptly issued. Organizations need comprehensive cybersecurity solutions to counter evolving threats such as the campaigns run by Water Gamayun. With attackers constantly refining their tactics and exploiting vulnerabilities like MSC EvilTwin, a layered approach and advanced security solutions are essential to protect digital assets.

Preventive security with Trend Vision One™ 

To shield themselves from attacks such as those initiated by Water Gamayun, organizations can turn to Trend Vision One™ – the sole AI-driven enterprise cybersecurity platform that consolidates cyber risk exposure management, security operations, and resilient layered defense. This comprehensive strategy assists in anticipating and thwarting threats, hastening proactive security outcomes across the entirety of their digital landscape. Underpinned by decades of cybersecurity prowess and Trend Cybertron, the inaugural proactive cybersecurity AI in the industry, it delivers demonstrable outcomes: a 92% reduction in ransomware risk and a 99% decrease in detection time. Security leaders have the capability to assess their security standing and demonstrate continuous enhancements to stakeholders. With Trend Vision One, they can eliminate security blind spots, concentrate on critical aspects, and elevate security into a tactical partner for innovation.

Trend protections for CVE-2025-26633

The following protections are available to Trend Micro customers:

Trend Vision One™ – Network Security

TippingPoint Intrusion Prevention Filters

  • 45359: TCP: Backdoor.Shell.DarkWisp.A Runtime Detection
  • 45360: HTTP: Trojan.Shell.EncryptHubStealer.B Runtime Detection
  • 45361: HTTP: Backdoor.Shell.SilentPrism.A Runtime Detection
  • 45594: HTTP: Trojan.Shell.EncryptHubStealer.B Runtime Detection (Notification Request)
  • 45595: HTTP: Trojan.Shell.MSCEvilTwin.A Runtime Detection (Payload – Server Response)

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers anticipate and prepare for emerging threats by providing comprehensive information on threat actors, their activities, and the techniques they use. With this intelligence, customers can take proactive steps to secure their environments, mitigate risk, and respond effectively to threats.

Trend Vision One Intelligence Reports App [IOC Sweeping]

  • ZDI-CAN-26371 (CVE-2025-26633): Water Gamayun exploit MSC EvilTwin Zero-Day

Trend Vision One Threat Insights App

Hunting Queries 

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt for the malicious indicators discussed in this blog post against the data in their environment.

Spotting network connections to suspicious C&C IPs

eventId:3 AND eventSubId:204 AND (dst:"82.115.223.182")

Scanning for .msc file execution by processes (mmc.exe) from atypical locations

eventSubId:2 AND processFilePath:"*mmc.exe" AND processFilePath:"*powershell.exe" AND objectFilePath:"C:\Windows \System32\*.msc"

Further hunting queries can be accessed by Trend Vision One clients with Threat Insights Entitlement enabled.
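The two hunting queries above re-implemented as a small Python hunt over endpoint telemetry, added here as an illustration and not Trend's own tooling. It assumes constructed event records whose field names mirror the Search App queries (eventId, eventSubId, dst, processFilePath, objectFilePath) and generalizes the second query: any .msc console opened by mmc.exe from outside the real System32 directory is flagged, including look-alike directories whose path components carry padding whitespace.

```python
# Added example (not Trend's tooling): the two hunting queries above re-implemented
# over constructed endpoint telemetry whose field names mirror the Search App queries.
C2_IPS = {"82.115.223.182"}              # C&C address from the first hunting query
TRUSTED_MSC_DIR = r"c:\windows\system32"  # where mmc.exe legitimately loads consoles from
SAMPLE_EVENTS = [
    # connection (eventId 3 / eventSubId 204) from PowerShell to the known C&C IP
    {"eventId": 3, "eventSubId": 204, "dst": "82.115.223.182",
     "processFilePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # benign connection from a browser (RFC 5737 test address)
    {"eventId": 3, "eventSubId": 204, "dst": "203.0.113.10",
     "processFilePath": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # mmc.exe opening a console from a look-alike "C:\Windows \System32" (trailing space)
    {"eventId": 1, "eventSubId": 2, "processFilePath": r"C:\Windows\System32\mmc.exe",
     "objectFilePath": r"C:\Windows \System32\example.msc"},
    # the legitimate console of the same name in the real System32
    {"eventId": 1, "eventSubId": 2, "processFilePath": r"C:\Windows\System32\mmc.exe",
     "objectFilePath": r"C:\Windows\System32\example.msc"},
    # a console dropped in a user-writable temp folder
    {"eventId": 1, "eventSubId": 2, "processFilePath": r"C:\Windows\System32\mmc.exe",
     "objectFilePath": r"C:\Users\alice\AppData\Local\Temp\update.msc"},
]

def is_c2_connection(ev):
    # eventId:3 AND eventSubId:204 AND dst:<C&C IP>
    return ev.get("eventId") == 3 and ev.get("eventSubId") == 204 and ev.get("dst") in C2_IPS

def is_suspicious_msc_load(ev):
    # mmc.exe loading a .msc from anywhere other than the real System32 directory
    if ev.get("eventSubId") != 2:
        return False
    proc = ev.get("processFilePath", "").lower()
    obj = ev.get("objectFilePath", "")
    if not proc.endswith("\\mmc.exe") or not obj.lower().endswith(".msc"):
        return False
    directory = obj.rpartition("\\")[0]
    # Padding whitespace in any component ("Windows ") marks a look-alike directory
    # that a plain comparison against the trusted path would miss.
    if any(part != part.strip() for part in directory.split("\\")):
        return True
    return directory.lower() != TRUSTED_MSC_DIR

def hunt(events):
    hits = []  # (event index, reason) for every event matching either check
    for i, ev in enumerate(events):
        if is_c2_connection(ev):
            hits.append((i, "c2-connection"))
        if is_suspicious_msc_load(ev):
            hits.append((i, "msc-outside-system32"))
    return hits
```

Feeding real process and network events into hunt() in the same shape reproduces the two Search App queries offline, and the whitespace check also catches mock directories that a wildcard on the canonical path would not.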

Indicators of Compromise (IOCs)

The indicators of compromise related to this entry are available here.
