
A zero-day vulnerability tracked as CVE-2025-26633 is being actively exploited in the wild by a sophisticated Russian-linked threat actor known as Water Gamayun, also operating under aliases such as EncryptHub and Larva-208. Trend Research has detailed a campaign in which the attackers abuse Windows’ Microsoft Management Console (MMC) through a technique they’ve dubbed “MSC EvilTwin.”
The report highlights the innovative approach employed by the threat actor, stating, “In this attack the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems.” This method allows the attackers to bypass traditional security measures and gain a foothold within targeted systems.

The vulnerability, tracked as ZDI-CAN-26371, involves the manipulation of .msc files, which are used to create custom administrative tools in Windows. By exploiting the Multilingual User Interface Path (MUIPath), the attackers can trick the system into executing malicious payloads.
At the core of the exploit lies a crafty technique: creating two .msc (Microsoft Console) files with the same name. One is a clean, harmless file. The other, hidden within a language-specific directory like en-US, is the malicious counterpart. When the benign version is run, mmc.exe loads the file from the MUIPath instead—effectively swapping in the evil twin.
“When the clean .msc file is run, mmc.exe loads the malicious file instead of the original file and [executes] it,” the researchers explain.
This subtle abuse of localized resource loading is made even more insidious because the MUIPath behavior is a legitimate Windows feature designed for multilingual support.
Water Gamayun’s campaign layers multiple techniques, including:
- ExecuteShellCommand Abuse: By embedding a Shockwave Flash Object in a crafted .msc file, the attackers hijack MMC’s web-rendering capabilities to execute commands on the victim’s machine.
- Mock Trusted Directories: Slight deviations in system paths, such as “C:\Windows \System32” (note the space), trick software into treating fake directories as legitimate.
- Trojanized MSI Installers: Masquerading as software like DingTalk, the campaign uses digitally signed installers to fetch and execute the EvilTwin loader from a remote C&C server.
“The loader contains two Base64-encoded blobs called $originalConsole and $hackedConsole,” which are used to deliver and execute the malicious payload under the guise of legitimacy.
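The two on-disk indicators described above (a same-named .msc sitting in a locale subfolder next to its clean twin, and a “trusted” directory name padded with whitespace) can be hunted for with a short filesystem scan. The following is an added defender's example written for this article, not code from Trend Research or the campaign; the `Admin.msc` name, the `tools` folder and the throwaway tree built by `build_sample_tree()` are constructed sample data.

```python
import os
import re
import tempfile
from pathlib import Path

# Locale folders (en-US, de-DE, ...) are the MUIPath locations mmc.exe consults.
LOCALE_DIR = re.compile(r"^[a-z]{2,3}(-[A-Za-z]{2,4})?$")

def find_msc_evil_twins(root):
    """(clean_path, twin_path) pairs: a .msc whose folder has a locale subfolder
    holding a same-named .msc, the layout mmc.exe resolves via MUIPath."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        mscs = {f.lower(): f for f in filenames if f.lower().endswith(".msc")}
        if not mscs:
            continue
        for d in filter(LOCALE_DIR.match, dirnames):
            for twin in (Path(dirpath) / d).iterdir():
                clean = mscs.get(twin.name.lower())
                if clean and twin.is_file():
                    hits.append((str(Path(dirpath) / clean), str(twin)))
    return sorted(hits)

def find_mock_trusted_dirs(root):
    """Directories whose name carries leading/trailing whitespace, such as
    'Windows ' posing as the trusted 'Windows' folder."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        hits += [str(Path(dirpath) / d) for d in dirnames if d != d.strip()]
    return sorted(hits)

def build_sample_tree():
    """Constructed throwaway tree (sample data, not a real host) with both
    layouts, so the scanners can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="msc_twin_demo_"))
    (root / "tools" / "en-US").mkdir(parents=True)
    (root / "tools" / "Admin.msc").write_text("<clean console>")
    (root / "tools" / "en-US" / "Admin.msc").write_text("<evil twin>")
    (root / "tools" / "en-US" / "Other.msc").write_text("<no clean sibling>")
    (root / "Windows " / "System32").mkdir(parents=True)  # trailing space
    (root / "Windows" / "System32").mkdir(parents=True)   # the real-looking one
    return root

if __name__ == "__main__":
    demo = build_sample_tree()
    print("EvilTwin candidates:", find_msc_evil_twins(demo))
    print("Mock trusted dirs:", find_mock_trusted_dirs(demo))
```

On a live host, point both scanners at the folders from which consoles are launched and at the system drive root; any reported pair or padded directory name is worth a hash comparison and a look at who created it.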
The report emphasizes the potential impact on organizations, noting that “Enterprises can be significantly impacted by such threats, as they can lead to data breaches and substantial financial loss. Various businesses, particularly those that use Microsoft’s administrative tools heavily, may be at risk of falling victim to this campaign.”
Trend Micro’s Zero Day Initiative (ZDI) collaborated with Microsoft to disclose the CVE-2025-26633 flaw and release a patch on March 11.
“By leveraging these techniques, attackers can proxy the execution of malicious payload through legitimate Windows binaries,” the report concludes.