A sophisticated new cyber espionage campaign has been uncovered by Zscaler Threat Hunting, revealing how a Russia-aligned Advanced Persistent Threat (APT) group known as Water Gamayun is weaponizing a zero-day vulnerability in Windows to infiltrate high-value networks.
The attack begins innocuously—with a simple web search for business solutions—but quickly escalates into a “sophisticated exploitation of a Windows MMC vulnerability, ultimately delivering hidden PowerShell payloads and final malware loaders”.
At the heart of this campaign is the exploitation of CVE-2025-26633, dubbed “MSC EvilTwin.” This vulnerability targets the Microsoft Management Console (MMC), a core Windows administrative tool.
Water Gamayun’s technique involves injecting malicious code directly into mmc.exe. As the report details, the initial payload “exploited MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe, leveraging TaskPad snap-in commands to kick off a series of hidden PowerShell stages”. By using a trusted system binary like MMC to execute their code, the attackers can bypass many standard security detections that trust legitimate Windows processes.
The infection chain identified by Zscaler researchers reveals a highly calculated social engineering strategy designed to abuse user trust.
- The Hook: Victims searching for “BELAY” (a staffing solutions service) are silently redirected from a compromised legitimate site to a lookalike domain, belaysolutions[.]link.
- The Deception: The malicious domain hosts a file named Hiring_assistant.pdf.rar. This “double-extension RAR payload disguised as a PDF” tricks users into believing they are downloading a harmless brochure.
- The Execution: When the user opens the archive, it triggers the MSC EvilTwin exploit. This launches a hidden PowerShell script that downloads extraction tools (UnRAR.exe) and a password-protected archive containing the next stage of malware.
- The Persistence: The final stage installs a loader named ItunesC.exe. While the specific malware family could not be confirmed due to non-responsive command-and-control servers, Water Gamayun is known to deploy backdoors like SilentPrism and DarkWisp, or stealers like Rhadamanthys.
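The process chain above lends itself to a simple endpoint detection. The following Python heuristics, added here as an example and not taken from the Zscaler report, flag that chain when run over constructed Sysmon-style process-creation events; the event field names, paths, PIDs and command lines are assumptions, and a benign Event Viewer launch is included to show that ordinary mmc.exe use is not flagged.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry);
# paths, PIDs and command lines are assumptions for illustration only.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3990, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Users\alice\Downloads\lure.msc"},
    {"pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand AAAA"},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\UnRAR.exe",
     "cmdline": "UnRAR.exe x -pPLACEHOLDER stage2.rar"},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\ItunesC.exe",
     "cmdline": "ItunesC.exe"},
    # Benign: an administrator opening Event Viewer through mmc.exe.
    {"pid": 5000, "ppid": 3990, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Windows\System32\eventvwr.msc"},
]

USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_chain(events):
    """Return (pid, rule) pairs for events matching the reported chain:
    mmc.exe -> hidden PowerShell -> dropped UnRAR.exe -> ItunesC.exe loader."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        # Rule 1: MMC has no reason to spawn a shell; TaskPad abuse does exactly that.
        if parent_name == "mmc.exe" and name in SHELLS:
            hidden = "-windowstyle hidden" in e["cmdline"].lower()
            findings.append((e["pid"], "mmc-spawns-powershell" + ("-hidden" if hidden else "")))
        # Rule 2: PowerShell running an archive tool dropped into a user-writable path.
        if parent_name in SHELLS and name == "unrar.exe" and USER_WRITABLE.search(e["image"]):
            findings.append((e["pid"], "powershell-runs-dropped-unrar"))
        # Rule 3: the loader name named in the report, executed from a user-writable path.
        if name == "itunesc.exe" and USER_WRITABLE.search(e["image"]):
            findings.append((e["pid"], "itunesc-loader-from-user-path"))
    return findings
```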
Zscaler attributes this campaign with “high confidence” to Water Gamayun, a group specializing in supply-chain attacks and zero-day exploitation.
The group’s primary motives appear to be “strategic intelligence gathering against organizations of high commercial or geopolitical value” and “credential theft to facilitate further compromise”. This campaign highlights their high operational security (OPSEC) standards, utilizing complex obfuscation chains and layered techniques to “evade modern security stacks”.