A Deep Dive into Water Arsenal and Infrastructure
Essential information
- Published: 29/03/2025 10:29
- Modified: 31/03/2025 10:26
- Tags: 2025-03-29, CVE-2025-26633, backdoor, c&c, darkwisp, encrypthub stealer, lolbins, msc eviltwin, powershell, rhadamanthys, silentprism, stealc, stealer, zero-day
- Related entities: 1 intrusion set (apt), 16 techniques (mitre), 5 malware, 3 others
Description
Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.