Water APT Multi-Stage Attack Uncovered

Nov. 26, 2025, 7:23 a.m.

Description

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website that redirects to a lookalike domain, which delivers a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerability (CVE-2025-26633) to inject code into mmc.exe, initiating a series of hidden PowerShell stages. The attack employs layered obfuscation, password-protected archives, and process-hiding techniques to evade detection. Attribution to Water Gamayun is based on the group's distinctive exploitation methods, signature obfuscation patterns, infrastructure design, and specific social engineering themes. The group's objectives include strategic intelligence gathering, credential theft, and long-term persistence through custom backdoors and information stealers.

Date

  • Created: Nov. 26, 2025, 12:43 a.m.
  • Published: Nov. 26, 2025, 12:43 a.m.
  • Modified: Nov. 26, 2025, 7:23 a.m.

Indicators


Attack Patterns

  • SilentPrism
  • EncryptHub
  • DarkWisp
  • Rhadamanthys
  • Water Gamayun

Additional Information

  • Technology
  • Government
  • Russian Federation

Linked vulnerabilities