Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp
Briefly

The article details the activities of the Russian hacking group Water Gamayun, which has been exploiting a vulnerability in Microsoft Windows (CVE-2025-26633) to deliver two new backdoors, SilentPrism and DarkWisp. Both backdoors are deployed through malicious provisioning packages and signed .msi files disguised as legitimate software. The group has evolved its tactics, moving from a GitHub repository to its own infrastructure for more capable command-and-control. Its techniques also include anti-analysis methods to evade detection while achieving persistence and data theft on compromised systems.
Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (MSC EvilTwin), using rogue .msc files to deliver malware.
The threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files.
The SilentPrism malware can maintain remote control, execute various shell commands concurrently, and incorporate anti-analysis techniques.
The threat actors have transitioned to their own infrastructure for staging and command-and-control purposes.
Read at The Hacker News