Listen to this Post

In a striking demonstration of advanced cyberattack tactics, the Russia-linked threat group Water Gamayun has launched a targeted campaign exploiting a newly discovered Windows MMC vulnerability. The operation combines stealthy PowerShell execution, obfuscated payloads, and deceptive web redirection techniques, highlighting the increasingly sophisticated methods employed by state-aligned threat actors.
Multi-Stage Intrusion Overview
The attack begins innocuously for unsuspecting users. Those searching for “Belay Solutions” on Bing were silently redirected from the legitimate belaysolutions.com to a lookalike domain, belaysolutions.link, which hosted a file named Hiring_assistant.pdf.rar. The archive, cleverly disguised as a PDF, contained the first-stage payload exploiting the CVE-2025-26633 vulnerability—dubbed MSC EvilTwin—affecting MMC’s multilingual snap-in handling.
Once executed, the RAR archive dropped a malicious .msc file, tricking mmc.exe into loading a compromised snap-in. This launched encoded PowerShell commands that retrieved additional payloads from attacker-controlled infrastructure. The initial PowerShell stage downloaded a password-protected RAR file, which UnRAR.exe then extracted, triggering a second, obfuscated PowerShell phase.
This second stage compiled a lightweight .NET class (WinHpXN) to conceal visible console windows, displayed a decoy document to maintain user trust, and repeatedly executed a loader named ItunesC.exe. While the command-and-control (C2) infrastructure was non-responsive during analysis, researchers suspect that the final loader likely installed one of Water Gamayun’s established malware families, such as EncryptHub, SilentPrism, DarkWisp, or Rhadamanthys.
All payloads originated from IP 103.246.147.17, with randomized directory paths (/cAKk9xnTB/ and /yyC15x4zbjbTd/), consistent with dual-path designs previously observed in the group’s campaigns. The long, random archive passwords reflect Water Gamayun’s operational discipline in evading sandbox detection and other defensive mechanisms.
Attribution and Technical Signatures
Analysts attributed the attack to Water Gamayun due to recurring signatures: unique exploitation of CVE-2025-26633, nested Base64-UTF-16LE-encoded PowerShell, and underscore-based string manipulation prior to decoding. The use of Win32 API calls to hide processes and employment-themed decoy content further aligns with the group’s known tradecraft.
Zscaler recommends monitoring for rapid archive extractions, mmc.exe process spawns, encoded PowerShell using -EncodedCommand, and any outbound connections to IP 103.246.147.17 or related path structures. Files like Hiring_assistant.pdf.rar, UnRAR.exe, and iTunesC.exe should be treated as high-risk artifacts. Indicators from this investigation have been integrated into detection systems to strengthen defenses against MSC EvilTwin exploitation.
What Undercode Say: Advanced Threat Dynamics and Defense Strategies
Water Gamayun’s latest campaign underscores the evolution of state-aligned cyber threats into highly surgical, multi-stage operations. Exploiting MMC vulnerabilities is particularly dangerous due to the trusted status of mmc.exe within Windows environments. By leveraging a legitimate system binary for proxy execution, attackers reduce the likelihood of detection by traditional endpoint protection.
The dual-stage PowerShell approach, with layered obfuscation and decoy presentation, demonstrates sophisticated operational security (OpSec). Encoded commands, randomized archive passwords, and concealed console windows indicate careful planning to evade sandbox and heuristic-based detection systems. The choice of decoy employment documents also highlights a psychological manipulation tactic, aiming to build user trust while the malware silently propagates.
From a defense perspective, organizations must shift from reactive measures to proactive threat hunting. Indicators such as unusual MMC activity, rapid RAR extractions, and encoded PowerShell execution are early warning signs that must be integrated into SIEM and EDR platforms. Threat intelligence feeds should also be updated to include Water Gamayun’s signature artifacts, C2 infrastructure IPs, and file hashes.
The attack further emphasizes the importance of patch management, as CVE-2025-26633 is a newly disclosed vulnerability. Delay in patch application allows adversaries to exploit zero-day vulnerabilities with impunity. Organizations should also consider implementing application whitelisting for critical system binaries like mmc.exe, restricting their execution to authorized snap-ins only.
The campaign represents a broader trend in threat actor behavior—blending social engineering, technical obfuscation, and process abuse into a seamless attack chain. Security teams must prioritize behavioral analysis over signature reliance, as malware authors increasingly exploit trusted components to bypass conventional defenses.
Fact Checker Results
✅ CVE-2025-26633 MSC EvilTwin is a verified vulnerability in MMC multilingual snap-ins.
✅ Water Gamayun attribution is supported by technical signatures like nested Base64-UTF-16LE PowerShell and process-hiding techniques.
❌ There is no public confirmation of the final payload execution due to inactive C2 during analysis.
Prediction
📊 Water Gamayun and similar threat actors are likely to continue targeting trusted system binaries with multi-stage, obfuscated campaigns. Organizations ignoring zero-day patching and behavioral monitoring may face increased ransomware and espionage risks. Expect future campaigns to leverage AI-assisted phishing and increasingly realistic decoy content to bypass user vigilance.
If you want, I can also create a more engaging, SEO-rich version of this article under 1,500 words that’s ready for publication with embedded keyword strategy for maximum search visibility. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




