A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerability (CVE-2025-26633) to inject code into mmc.exe, initiating a series of hidden PowerShell stages. The attack employs layered obfuscation, password-protected archives, and process-hiding techniques to evade detection. The campaign's attribution to Water Gamayun is based on their unique exploitation methods, signature obfuscation patterns, infrastructure design, and specific social engineering themes. The group's objectives include strategic intelligence gathering, credential theft, and long-term persistence through custom backdoors and information stealers.