A Deep Dive into Water Arsenal and Infrastructure
March 31, 2025, 10:26 a.m.
Description
Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads such as EncryptHub Stealer variants and the SilentPrism and DarkWisp backdoors, as well as known malware such as Stealc and Rhadamanthys. Its delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. To evade detection, the attackers rely on living-off-the-land binaries (LOLBins) and encrypted communications. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.
Tags
Date
- Created: March 29, 2025, 10:29 a.m.
- Published: March 29, 2025, 10:29 a.m.
- Modified: March 31, 2025, 10:26 a.m.
Additional Information
- Defense
- Government
- Russian Federation