
CVE-2025-26633: MSC EvilTwin Zero-Day Exploited by Water Gamayun

In early 2025, cybersecurity researchers uncovered a zero-day vulnerability in the Microsoft Management Console (MMC), tracked as CVE-2025-26633 and nicknamed MSC EvilTwin. This critical flaw is being actively exploited by a threat group dubbed Water Gamayun and represents a dangerous vector for remote code execution on Windows systems.

Summary of CVE-2025-26633 MSC EvilTwin Vulnerability

What Is MSC EvilTwin (CVE-2025-26633)?

The CVE-2025-26633 vulnerability stems from how MMC loads localized resources (.msc files) through its MUIPath lookup: when a console file is opened, MMC checks a language subdirectory such as en-US for a same-named copy. Attackers can therefore craft a malicious console file, place it in an en-US subdirectory, and have it override the legitimate one when the console is executed. The exploit enables adversaries to load DLLs and execute shell commands without user interaction, bypassing traditional security controls.

CVE-2025-26633 Technical Details

  • Vulnerability type: Local privilege escalation and remote code execution
  • Attack vector: Malicious .msc files leveraging MUIPath
  • Affected systems: Windows 10, 11, and Windows Server variants running vulnerable versions of MMC
  • Discovered by: Trend Micro and community researchers

How the MSC EvilTwin Exploit Works

The core of the exploit lies in tricking MMC into prioritizing a malicious console file. This is achieved by planting two identically named .msc files:

  1. A decoy (benign) console file in the expected directory
  2. A malicious counterpart in the localized en-US folder

When executed, MMC loads the localized malicious file via its search path behavior, allowing the embedded ExecuteShellCommand method to run shell commands, essentially handing over control to the attacker.

Exploitation Flow

  1. User opens a legitimate-looking .msc file
  2. MMC searches en-US and loads the attacker’s payload
  3. Malicious ExecuteShellCommand launches PowerShell or cmd scripts
  4. Payloads are dropped and executed silently

Payloads Delivered via CVE-2025-26633

Trend Micro researchers observed that Water Gamayun used the MSC EvilTwin technique to deliver a variety of malware strains:

EncryptHub Stealer

This modular info-stealer captures browser credentials, system metadata, clipboard content, and cryptocurrency wallet data. It uploads stolen assets to attacker-controlled infrastructure via HTTP POST requests.

DarkWisp Backdoor

A sophisticated backdoor offering full shell access, file transfer, and persistence mechanisms. It communicates with a command-and-control (C2) server using TLS-encrypted traffic.

SilentPrism Implant

This stealthy implant evades detection by using legitimate Windows services. It’s primarily used for lateral movement and data exfiltration.

Rhadamanthys Stealer

A commercial infostealer-as-a-service (IaaS) solution found in underground forums. It targets FTP credentials, chat clients, and banking applications.

Water Gamayun: Threat Actor Behind the Exploitation

Water Gamayun is a suspected Eastern European threat group known for leveraging living-off-the-land binaries (LOLBins), exploiting Windows internals, and deploying custom malware via phishing and malvertising campaigns. They’ve shown a pattern of using zero-day exploits for initial access, followed by modular payloads for data theft and espionage.

Attack Infrastructure

The group operates using a rapidly shifting network of dynamic DNS domains, cloud hosting providers, and legitimate web services like GitHub and Dropbox to host payloads and exfiltrate data. Their infrastructure was tied to earlier campaigns targeting financial and energy sectors in North America and Europe.

Mitigation and Defensive Recommendations

1. Apply Microsoft Patches

Microsoft has released an emergency patch for CVE-2025-26633. Organizations should apply the patch immediately via Windows Update or MSRC.

2. Disable Console File Execution Where Possible

Restrict .msc file execution to trusted administrators. Use AppLocker or Windows Defender Application Control (WDAC) to block unknown .msc files.

3. Monitor for Indicators of Compromise (IOCs)

Look for unusual shell activity, registry key changes, and file execution from localized folders (e.g., C:\Windows\System32\en-US\).
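The twin layout described under "How the MSC EvilTwin Exploit Works" is something a defender can hunt for directly: a .msc file inside a localized folder such as en-US that has a same-named sibling one level up. The PowerShell below is an added example written for this article, not code from the article's author or from Trend Micro. Find-MscTwins is a hypothetical helper; its default search roots are assumptions, and the demo builds a constructed fixture of two placeholder text files (not real console files) in a temp folder so the run is self-contained. The ExecuteShellCommand string check is a heuristic based on the method name the article cites.

```powershell
# Added defensive example (hypothetical helper, not the article's or Trend Micro's code).
# Reports every .msc that sits in a localized folder such as en-US and has a same-named
# sibling in the parent folder, which is the "twin" layout the article describes.
function Find-MscTwins {
    param(
        # Directories to scan recursively; these defaults are assumptions, not the article's IoC list
        [string[]]$SearchRoot = @("$env:SystemRoot\System32", $env:ProgramData, $env:TEMP),
        # Localized folder names MMC's MUIPath lookup may prefer; en-US is the one the article names
        [string[]]$LocaleFolder = @('en-US')
    )

    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Filter *.msc -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $LocaleFolder -contains $_.Directory.Name } |
            ForEach-Object {
                $localized = $_
                # The "expected" twin is the same file name in the parent folder
                $twinPath = Join-Path -Path $localized.Directory.Parent.FullName -ChildPath $localized.Name
                if (-not (Test-Path -LiteralPath $twinPath)) { return }

                $twinHash      = (Get-FileHash -LiteralPath $twinPath -Algorithm SHA256).Hash
                $localizedHash = (Get-FileHash -LiteralPath $localized.FullName -Algorithm SHA256).Hash
                # Heuristic: the article says the malicious console embeds ExecuteShellCommand
                $content = Get-Content -LiteralPath $localized.FullName -Raw -ErrorAction SilentlyContinue

                [pscustomobject]@{
                    LocalizedFile          = $localized.FullName
                    TwinFile               = $twinPath
                    ContentDiffers         = ($twinHash -ne $localizedHash)
                    HasExecuteShellCommand = [bool]($content -match 'ExecuteShellCommand')
                    LocalizedModified      = $localized.LastWriteTime
                }
            }
    }
}

# Constructed fixture: two same-named placeholder files in the twin layout (not real consoles)
$fixture = Join-Path $env:TEMP ('msc-twin-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $fixture 'en-US') -Force | Out-Null
Set-Content -Path (Join-Path $fixture 'Sample.msc')       -Value 'placeholder decoy (not a real console)'
Set-Content -Path (Join-Path $fixture 'en-US\Sample.msc') -Value 'placeholder twin (not a real console)'

Find-MscTwins -SearchRoot $fixture | Format-List
Remove-Item -LiteralPath $fixture -Recurse -Force

# On a live host, run with the defaults and review rows where ContentDiffers is True:
# Find-MscTwins | Sort-Object LocalizedModified -Descending | Format-Table -AutoSize
```

A localized twin whose content differs from its parent-folder sibling is not proof of compromise on its own (vendors do ship localized consoles), so pair the file listing with the modification time and with process telemetry from MMC before escalating.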

4. User Awareness Training

Educate employees about phishing emails, suspicious attachments, and the risks of opening unknown console files.

5. Endpoint Detection & Response (EDR)

Use advanced EDR tools to detect exploitation behavior such as shell spawning from MMC or unsigned DLL loading.
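The behaviour this step asks EDR to catch, a shell or script host whose parent process is mmc.exe, can also be expressed as a small detection over process-creation events. The PowerShell below is an added example written for this article, not the author's or Trend Micro's code. Find-MmcShellSpawn is a hypothetical helper, the list of child images it flags is an assumption, and the three events it runs over are constructed samples with placeholder paths; real records would come from Sysmon Event ID 1 (or Security 4688) with the same field names.

```powershell
# Added detection example (hypothetical helper, not from the article). Flags process-creation
# events where mmc.exe is the parent of a shell or script host, and rates the hit higher when
# the console MMC opened lives in an en-US folder, the layout the article describes.

# Child images worth flagging under mmc.exe; this list is an assumption for the example
$ShellChildren = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')

function Find-MmcShellSpawn {
    param(
        # One event per call; expects Image, ParentImage, CommandLine, ParentCommandLine, UtcTime
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Event
    )
    process {
        $parentName = [System.IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
        $childName  = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()

        if ($parentName -ne 'mmc.exe' -or $ShellChildren -notcontains $childName) { return }

        # Extra weight when the console passed to mmc.exe sits in a localized en-US folder
        $localizedConsole = $Event.ParentCommandLine -match '\\en-US\\[^"\s]+\.msc'
        $severity = if ($localizedConsole) { 'High' } else { 'Medium' }

        [pscustomobject]@{
            UtcTime           = $Event.UtcTime
            Parent            = $Event.ParentImage
            ParentCommandLine = $Event.ParentCommandLine
            Child             = $Event.Image
            ChildCommandLine  = $Event.CommandLine
            LocalizedConsole  = $localizedConsole
            Severity          = $severity
        }
    }
}

# Constructed sample events with placeholder paths (no IoCs from the article)
$sampleEvents = @(
    [pscustomobject]@{
        UtcTime           = '2025-03-26 10:01:00'
        ParentImage       = 'C:\Windows\System32\mmc.exe'
        ParentCommandLine = '"C:\Windows\System32\mmc.exe" C:\Users\user\Downloads\en-US\Sample.msc'
        Image             = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine       = 'powershell.exe -NoProfile -Command PLACEHOLDER'
    },
    [pscustomobject]@{
        UtcTime           = '2025-03-26 10:02:00'
        ParentImage       = 'C:\Windows\explorer.exe'
        ParentCommandLine = 'C:\Windows\explorer.exe'
        Image             = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe /c dir'
    },
    [pscustomobject]@{
        UtcTime           = '2025-03-26 10:03:00'
        ParentImage       = 'C:\Windows\System32\mmc.exe'
        ParentCommandLine = '"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'
        Image             = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe /c whoami'
    }
)

$sampleEvents | Find-MmcShellSpawn | Format-Table -AutoSize
```

To run this against live telemetry, read Sysmon operational log events with Get-WinEvent, project the EventData fields onto the property names above, and pipe them into Find-MmcShellSpawn; MMC legitimately spawning a shell is uncommon enough that every hit deserves a look at the console path in the parent command line.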

Conclusive Thoughts

The exploitation of CVE-2025-26633 proves that attackers are increasingly adept at weaponizing overlooked system functionalities to bypass traditional defenses. By abusing a relatively obscure component like MMC’s MUIPath, the Water Gamayun threat group has demonstrated not only technical sophistication but a strategic understanding of Windows internals that many defenders underestimate.

What makes this exploit particularly insidious is its stealth. The use of localized folders, seemingly benign .msc files, and native execution methods allows payloads to fly under the radar of many endpoint security solutions. Combined with the modular nature of the payloads, ranging from info-stealers to backdoors, the threat becomes multifaceted, persistent, and capable of deep infiltration across enterprise environments.

From a strategic perspective, CVE-2025-26633 exemplifies a broader trend in modern cyberattacks: the transition from brute-force tactics to precision abuse of trusted system behaviors. In response to this transition, defenders should focus on improving behavioral detection, zero trust architectures, and sophisticated threat hunting.

Ultimately, the lesson here is clear: vulnerabilities don’t always reside in new code or third-party apps. They often lie dormant in the very tools and processes organizations have used for decades. Recognizing and addressing this blind spot will be critical in defending against tomorrow’s threats.

Milena Dimitrova
