Trend Micro researchers uncovered a campaign by the Russian threat actor they track as Water Gamayun (aka EncryptHub and Larva-208) that exploits a recently patched zero-day flaw (CVE-2025-26633) in the Microsoft Management Console framework to execute malicious code.
The Microsoft Management Console (MMC) hosts administrative tools that help users to maintain networks, computers, services, and other system components.
The attack, named ‘MSC EvilTwin,’ leverages .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and steal sensitive data from compromised systems.
The threat actor’s arsenal includes the following modules: the EncryptHub stealer, the DarkWisp backdoor, the SilentPrism backdoor, the MSC EvilTwin loader, and the Stealc and Rhadamanthys stealers.
The attack involves three techniques to execute malicious payloads on an infected system via Windows MSC files. The first, dubbed “MSC EvilTwin,” abuses the MUIPath lookup: a malicious .msc file is placed where MMC resolves the MUIPath for a legitimate .msc file of the same name, so when the legitimate file is opened, mmc.exe loads the malicious twin instead.
The second technique achieves command execution through the ExecuteShellCommand method that MMC exposes on a View object: a specially crafted .msc file embeds a Shockwave Flash Object inside an ActiveX control (which by default opens a web browser), and the method is then used to run a shell command on the victim’s machine.
The third technique creates mock trusted directories whose names mimic standard system paths (for example, differing from the real path only by trailing whitespace), so that files are loaded from the attacker-controlled location rather than from the intended system directory.
“The MSC EvilTwin loader is a trojan loader, written in PowerShell, weaponizing all the techniques explained above to download and execute malicious payloads on compromised systems. During our investigation, we discovered an early version of this technique being used in April 2024,” the researchers noted.
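A defender reading the three techniques above will want a quick way to hunt for their file-system artefacts on a host. The following PowerShell script is an added example written for this article; it is not code from the Trend Micro report or from the Water Gamayun toolset, and it contains no indicators from the campaign. Its assumptions are labelled inline: that MMC resolves the MUIPath to a language-named subfolder (the script uses en-US as an illustrative choice) next to the .msc file, that the scan roots and the ExecuteShellCommand string are reasonable triage leads rather than verdicts, and that a mock trusted directory differs from the real system path only by trailing whitespace.

```powershell
# Added hunting example (not from the original article or the Trend Micro report).
# Surfaces artefacts of the three MSC techniques described above:
#   1. MSC EvilTwin: a .msc file with a same-named twin in a MUI language subfolder
#   2. .msc files that reference the ExecuteShellCommand method
#   3. mock trusted directories whose names mimic system paths plus trailing whitespace
# Every hit is a triage lead, not a verdict; review the files before acting on them.

param(
    # Assumption: user-writable locations are where a loader would drop .msc files
    [string[]]$ScanRoots = @("$env:USERPROFILE", "$env:ProgramData", "$env:TEMP"),
    # Assumption: MMC resolves MUIPath to a language-named subfolder beside the .msc;
    # en-US is an illustrative choice, add other language tags as needed
    [string[]]$MuiFolders = @('en-US'),
    # Assumption: the method name appears literally in the XML body of a crafted .msc
    [string]$ShellMarker = 'ExecuteShellCommand'
)

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Technique, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Technique = $Technique; Path = $Path; Detail = $Detail })
}

# Techniques 1 and 2: one pass over every .msc file under the scan roots
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter *.msc -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msc = $_

        # 1. Does a same-named .msc exist in a MUI language subfolder of this file's directory?
        foreach ($mui in $MuiFolders) {
            $twin = Join-Path (Join-Path $msc.DirectoryName $mui) $msc.Name
            if (Test-Path -LiteralPath $twin -PathType Leaf) {
                Add-Finding 'MSC EvilTwin (MUIPath twin)' $twin "shadows $($msc.FullName)"
            }
        }

        # 2. Does the .msc body (XML) reference the shell-execution method?
        if (Select-String -LiteralPath $msc.FullName -Pattern $ShellMarker -SimpleMatch -Quiet -ErrorAction SilentlyContinue) {
            Add-Finding "$ShellMarker reference in .msc" $msc.FullName 'inspect the embedded view/ActiveX definitions'
        }
    }
}

# 3. Mock trusted directories: siblings of real system folders whose names differ only by trailing whitespace.
#    Such names cannot be created through ordinary Win32 path handling, so their presence is itself suspicious.
$trustedPaths = @("$env:SystemRoot", (Join-Path $env:SystemRoot 'System32'))
foreach ($trusted in $trustedPaths) {
    $parent = Split-Path -Path $trusted -Parent
    $leaf   = Split-Path -Path $trusted -Leaf
    Get-ChildItem -LiteralPath $parent -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne $leaf -and $_.Name.TrimEnd() -eq $leaf } |
    ForEach-Object {
        # Quote the name so the trailing whitespace is visible in the report
        Add-Finding 'Mock trusted directory' "`"$($_.FullName)`"" "mimics $trusted"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MSC EvilTwin, ExecuteShellCommand or mock-directory artefacts found under the scanned roots.'
} else {
    $findings | Sort-Object Technique, Path | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell session so that hidden and protected locations are readable, and widen `-ScanRoots` to cover any additional drop locations your environment allows. The mock-directory check deliberately enumerates siblings with `-LiteralPath` rather than testing a guessed path, because a folder name carrying trailing whitespace is normalised away by most path APIs and would otherwise be missed.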