CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

    Date: 03/26/2025

    Severity: High

    Summary

    Trend Research uncovered a campaign by the Russian threat actor Water Gamayun exploiting a zero-day in the Microsoft Management Console (CVE-2025-26633). The attack manipulates .msc files and MUIPath to execute malicious code, maintain persistence, and steal data. This threat poses significant risks to enterprises, potentially leading to data breaches and financial losses. Businesses relying on Microsoft’s administrative tools are particularly vulnerable. We have named this technique MSC EvilTwin (CVE-2025-26633) and are tracking it as ZDI-CAN-26371, also referred to as ZDI-25-150.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    fuckedserver.net

    encrypthub.net

    encrypthub.org

    Ciphercall.net

    cryptolabstudio.com

    raw.githubusercontent.com/encrypthub/steal/main/

    skorikjr.github.io/sploit/

    raw.githubusercontent.com/SkorikJR/

    IP Address:

    82.115.223.182

    Hash:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    userdomainname like "cryptolabstudio.com" or url like "cryptolabstudio.com" or userdomainname like "fuckedserver.net" or url like "fuckedserver.net" or userdomainname like "Ciphercall.net" or url like "Ciphercall.net" or userdomainname like "encrypthub.net" or url like "encrypthub.net" or userdomainname like "encrypthub.org" or url like "encrypthub.org" or userdomainname like "raw.githubusercontent.com/encrypthub/steal/main/" or url like "raw.githubusercontent.com/encrypthub/steal/main/" or userdomainname like "skorikjr.github.io/sploit/" or url like "skorikjr.github.io/sploit/" or userdomainname like "raw.githubusercontent.com/SkorikJR/" or url like "raw.githubusercontent.com/SkorikJR/"

    IP Address:

    dstipaddress IN ("82.115.223.182") or ipaddress IN ("82.115.223.182") or publicipaddress IN ("82.115.223.182") or srcipaddress IN ("82.115.223.182")

    Hash:

    sha256hash IN ("43eab8488dce80c1086aafdf4594b1a438347e32275abeaa8b2bb14475fb3f98","cedf4589428ae05d3d2dca1d1bd7fa28f6cafe54a077a6090f873053e04fd5ce","bad43a1c8ba1dacf3daf82bc30a0673f9bc2675ea6cdedd34624ffc933b959f4","5357279bad530c3af89713aaf6befe19a22e438f22952aed46097590130551fa","413dea8ea8cb09cd3ac49531a8e0a13f767c09f78fb77856f4668377532a64ef","f5c97f23543e904944120ef738f300049eae85c3b0bf8b86b346572f7bc6dec1","0ac748baaad6017e331a8d99aae9e5449a96ba76fb7374f5d8c678ae52b7db9f","6df96984d5ba709282b6c92287262bd81f980811b58b0c03b9b421ba1e580c6b","db3fe436f4eeb9c20dc206af3dfdff8454460ad80ef4bab03291528e3e0754ad","af4d26b987093be6b442e655ffdafa8e1542e80f6a47a6895aa523f2f180025c","22bf8f6a408f59a1a9a1871b2a809851e0e4c0e75ca9ed14867f9bbdcf9363d2","cfafc9b2d6cbc65769074bab296c5fbacc676d298f7391a3ff787307eb1cbce0","3761060c509b9444bdd3d0e65d7f68e39ff5c52fa87fdc59db02c1553e21e403","60f5d8eadaba230b95339011daf4800f81e35ac721bf908f68ed8191388addcb","ba195a227fb76e8820d6db36cd00c89095b88faf01471fcdd9c0c7de61a63a5d","0943b0f328282504c2661cd56e4bd83e3b3e5a4cce89e2e5523f83a2d535a07e","1b3309c7a4c3940eff1e1ab1905641b23ea743c4f11d82107ce36fa1ec2299e9","86e4115111e88bbaf09fe73cfc8255a4aac64f7ffed4a3229bbc8d626566f0c8","e31ce5803bb68222eeac117614ddb92ed3c137bcf129f873d44960ab9d8bab33","405d1dcdbba56bce99a308734c39ac8ca62ffb55dbd69565293a79b468e4dad1","20da5e4736a91eb6aa55892d1497c724fb16767da43ccf3227db5c9647bb0793","9854322760307c04aacd78f136e4d1496950811ee2f24978915d7cd322ecb36c","725df91a9db2e077203d78b8bef95b8cf093e7d0ee2e7a4f55a30fe200c3bf8f","cd301bdc07518027567a5ed242ae2075f9f0bdf73315e99d4d949280f151fefe","fcfb94820cb2abbe80bdb491c98ede8e6cfa294fa8faf9bea09a9b9ceae35bf3","969c7ee8709a519c4a4878b230d4ba7f81fb9563320b5983f8f1f95d4d215ece","cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c","9d2aaa8672d583af4c03c23127d6cac509799a49ff9293ed63628d5b710b7528","b4f66a5e2876e04db93aae029049a07efed2d6dca05c89c393fe5aba03b949a7","2aeb9aeca5739ea1cb5a30d284d65e36fe18f
47db9e5e504063d982b9c3bc3e9","9b830c2979cbce45573aa21d765adda76f52db254155ae49648ef5050ceaf774","bb563180196989dcee91417aa56d6f1bfc9320b2427536c200dffcd784774906","045a1cbcc99c53c092bb61d43b89a6f7308fd01d9ceaeb9a72bbf81669dcbef8","015f0fdf24a19b98447fab5fa16abf929c1cf9be33e9455ce788909dd5a8dbfe","6b99530953010dd8061a3a328c04c30653bba26439dd30a752262582b0d02933","b1fa0ded2f0cc42a70b7a0c051f772cd6db76b15d50ec119307027e670998728","b1b3d27deb35dd8c8fed75e878adae3f262475c8e8951d59e5df091562c2779b","7f8bd2d63bb95d61fcbdb22827c3a3e46655f556da769d3880c62865e6fde820","4e6f35ab5eb9242335bee01d6df9b50f665043f9930a630df7e170b904f52a24","d76c25e2761210783055b43349370253d794e94ee913a2be7596b9554eacf107","9e9ca325f44eeff4087bb67052536ba565da18e70e5b29c79ed77c14c5548131","94ee2227696da3049ff67592834b4b6f98186f91e6d1cd1eeec44f24b9df754b","47e4142fa6ab10a2d7dc0423d41f9bdbb3ced0f4fae5c58b673386d11dd8c973","f381a3877028f29ec7865b505b5c85ce77d4947d387d3f30071159fa991f009a","b3ed3f2bc5334e54ca8d6020d37da0764f123fa5717638229422bd95a028097b","cd301bdc07518027567a5ed242ae2075f9f0bdf73315e99d4d949280f151fefe","691087ec9b50022d3e23695c0b41e2927cb4c4825a1f5fd7e2f21ae3465e8973","d639cd267b05b4cd420e4547dd7aa4d99fff2d070598de044c7cf0d1b99cd264","5f6dbe487af0fe7d1cf9beca7e31fcd804d6bdfe9a80308d7aeb3ed9abd9bba3","ab58281273e7299f86cfadc1c8235789379543339035c5b4d80becd785bad552","ad95786b2402c6a2cc36a513937a10503aff74e180ea1213cbfe40ca820d3b13","97a766db470c44347b65a0bc282582f96a47d96ed8d7946f4da33775d384033a","b7b72d141ed56c8e5a924dfa959771548883b88e84646150447f85eb97f88e62")
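    The three queries above rely on two different match semantics: `like` on the domain/URL fields is a substring test, while the IP and hash queries use exact `IN` membership. The Python below is an added example, not code from Gurucul or Trend Research, that applies the same logic to constructed log records; the field names come from the queries, the IoC values from this advisory (only two of the listed hashes are used), and the sample records are invented. It also shows why the path-bearing GitHub entries need the full URL field rather than the bare host, and why case normalisation matters for entries such as "Ciphercall.net".

```python
# Added example (not from the Gurucul advisory or Trend Research): applies the
# advisory's three query patterns (domain/URL 'like', IP 'IN', SHA-256 'IN')
# to constructed log records.

# IoC values copied from the advisory above; only two of the listed hashes.
IOC_URLS = {
    "fuckedserver.net", "encrypthub.net", "encrypthub.org", "ciphercall.net",
    "cryptolabstudio.com", "raw.githubusercontent.com/encrypthub/steal/main/",
    "skorikjr.github.io/sploit/", "raw.githubusercontent.com/skorikjr/",
}
IOC_IPS = {"82.115.223.182"}
IOC_SHA256 = {  # a set also collapses the duplicates in the advisory's hash list
    "cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c",
    "9854322760307c04aacd78f136e4d1496950811ee2f24978915d7cd322ecb36c",
}
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

def match_record(rec):
    """Sorted IoC hits for one record, mirroring the advisory's queries: 'like'
    on domain/URL fields is a case-insensitive substring test (the path-bearing
    GitHub entries match a full URL but not the shared bare host), IP and hash
    fields use exact set membership."""
    hits = []
    for field in URL_FIELDS:
        value = (rec.get(field) or "").lower()
        hits += [f"{field}~{ioc}" for ioc in IOC_URLS if ioc in value]
    for field in IP_FIELDS:
        if rec.get(field) in IOC_IPS:
            hits.append(f"{field}={rec[field]}")
    digest = (rec.get("sha256hash") or "").lower()  # normalise upper-case digests
    if digest in IOC_SHA256:
        hits.append(f"sha256hash={digest}")
    return sorted(hits)

def scan(records):
    """(index, hits) for every record that matches at least one IoC."""
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    {"userdomainname": "raw.githubusercontent.com",
     "url": "https://raw.githubusercontent.com/encrypthub/steal/main/x.ps1"},
    {"dstipaddress": "82.115.223.182", "url": "http://82.115.223.182/run"},
    {"sha256hash": "CBB84155467087C4DA2EC411463E4AF379582BB742CE7009156756482868859C"},
    {"url": "https://raw.githubusercontent.com/someproject/main/readme.md"},
    {"userdomainname": "CipherCall.net"},  # differs in case from the advisory
]
```

Record 3 (a benign raw.githubusercontent.com download) produces no hit because the IoC carries the attacker's path, which is exactly why matching that entry against a host-only field would either miss it or flag all of GitHub.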

    Reference:

    https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html

