Water Gamayun APT Exploits MSC EvilTwin Vulnerability
Water Gamayun, an advanced persistent threat group, has launched a new multi-stage intrusion campaign exploiting the MSC EvilTwin vulnerability in the Windows Microsoft Management Console (MMC). The attack begins with a compromised Bing search result leading to a lookalike domain, which offers a double-extension RAR file disguised as a PDF. Opening this file triggers the exploitation of CVE-2025-26633, injecting malicious code into mmc.exe. The attack chain involves heavily obfuscated PowerShell scripts, a .NET class to hide console windows, and the final payload, iTunesC.exe, which installs backdoors or information-stealing malware. The campaign is attributed to Water Gamayun based on the group's distinctive PowerShell obfuscation patterns, infrastructure design, and social engineering themes.
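As an added example (not code from the original report or from any vendor), the following Python triage routine runs over constructed endpoint events and flags the behaviours this summary describes: mmc.exe spawning PowerShell, hidden or encoded PowerShell invocations, a child image named iTunesC.exe, and double-extension archives such as `*.pdf.rar`. The event schema, file paths and sample values are all constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry), in the shape most
# EDR/Sysmon records take: parent image, child image, full command line.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAuAC4ALgA="},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"id": 3, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\iTunesC.exe",
     "cmdline": "iTunesC.exe"},
]

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
# -W[indowStyle] Hidden, or -E[nc|ncodedCommand] followed by whitespace and a blob.
SUSPICIOUS_PS_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s)", re.I)


def is_double_extension(filename: str) -> bool:
    """True for names like report.pdf.rar: a document extension sitting in front of an archive extension."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] in ARCHIVE_EXTS


def triage_process(event: dict) -> list[str]:
    """Return the list of reasons an event is suspicious; an empty list means nothing matched."""
    reasons = []
    parent = PureWindowsPath(event["parent"]).name.lower()
    image = PureWindowsPath(event["image"]).name.lower()
    if parent == "mmc.exe" and image in {"powershell.exe", "pwsh.exe", "cmd.exe"}:
        reasons.append("mmc.exe spawned a command shell")
    if image in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS_FLAGS.search(event["cmdline"]):
        reasons.append("PowerShell started hidden and/or with an encoded command")
    if image == "itunesc.exe":
        reasons.append("image name matches the reported final-stage payload iTunesC.exe")
    return reasons


def triage_all(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> reasons, keeping only events that tripped at least one rule."""
    return {e["id"]: r for e in events if (r := triage_process(e))}


if __name__ == "__main__":
    for event_id, reasons in triage_all(SAMPLE_EVENTS).items():
        print(f"event {event_id}: " + "; ".join(reasons))
    print("Quarterly_Report.pdf.rar ->", is_double_extension("Quarterly_Report.pdf.rar"))
```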