SecOps & Risk mitigation
CyberProof uses OSINT and threat intelligence feeds for visibility into threats.
CyberProof’s adaptable playbooks address continuously evolving threats with updated strategies.
Professionals manage sophisticated networks, leveraging experience to counter advanced threats.
24/7 global SOC support ensures incident response with guaranteed SLA.
CyberProof develops recovery plans, restoring capabilities after a cyber incident.
Classify and manage enterprise assets, understanding risks and data sensitivity.
Non-destructive tests uncover potential exploits in assets and applications.
Mitigate security issues early with CyberProof’s training and awareness programs.
Rigorous security assessment for on-premises and cloud applications to ensure protection.
IAM manages user access and monitors for anomalies to ensure security.
Cloud First approach ensures compliance and security within cloud environments.
Managed service for SIEM, EDR, MXDR, and threat intelligence solutions.
Identify, assess, and mitigate security vulnerabilities through regular scanning.
Partners
“Today I have complete visibility into the entire environment, in real time”
Jamil Farshchi | Equifax CISO
CyberProof Acquires Interpres Security
By leveraging and integrating the Interpres Security CTEM solution into its security services portfolio, CyberProof is able to continuously identify, assess, and prioritize risk while adapting defense services, such as MDR, vulnerability management and use case management, to address ever-evolving threats. Take proactive steps to fortify your security today!
Case Studies
Retail Company Reduces Data Costs by 85% with SIEM Transformation
90% increase in visibility after deploying Microsoft XDR with CyberProof
Enterprise saves millions on data ingestion & storage following cloud migration
SOC unification streamlines enterprise insurance company’s security & network monitoring operations
Global medical devices company gains visibility and meets stringent compliance standards across global geos
Pharmaceutical organization significantly enhances threat detection and response times
Threat Alerts
Russian Ransomware Group Exploits Zero-Day Vulnerability in Microsoft Management Console
Researchers have uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633, CVSS 7.0) using a technique named MSC EvilTwin. The attack manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and steal sensitive data from infected systems. Organizations that rely heavily on Microsoft’s administrative tools are particularly at risk, potentially facing data breaches and significant financial losses.
The attack leverages three main techniques to execute malicious code. First, the MSC EvilTwin technique creates two identically named .msc files—one clean and one malicious—with the malicious version placed in an en-US directory. When the clean file is executed, the system loads the malicious version instead because of how mmc.exe resolves the MUIPath. Second, attackers use the ExecuteShellCommand method within MMC to run shell commands through web rendering in MSC files. Third, they create mock trusted directories with names similar to legitimate system paths but with added spaces or special characters to bypass security checks. The attack begins with digitally signed MSI files disguised as popular Chinese software that fetch the MSC EvilTwin loader from command-and-control servers. This loader then creates the deceptive directories and executes the non-malicious version of WmiMgmt.msc, triggering the EvilTwin technique.
The Water Gamayun arsenal includes multiple modules such as the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer. These components work together to maintain persistence and exfiltrate sensitive data to the attackers’ servers. The vulnerability was disclosed through a bug bounty program, and a patch was released on March 11, 2025. This campaign demonstrates how threat actors continue to refine their tactics by exploiting vulnerabilities in legitimate Windows components, allowing them to proxy malicious code execution through trusted system binaries.
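The two on-disk artifacts the alert describes (an .msc shadowed by a same-named copy in an en-US subfolder, and a mock trusted directory that differs from a real system path only by trailing padding) can both be hunted for from a file inventory. The following is an added detection example, not code from CyberProof or the cited research; the protected-path list and the sample file paths are constructed for illustration.

```python
"""Constructed detection example for the two MSC EvilTwin artifacts described
above: a .msc file in an en-US subfolder shadowing a same-named .msc one level
up (the MUIPath lookup), and a "mock trusted" directory whose name collapses
to a protected system path once trailing spaces or dots are stripped.
The file list is constructed for illustration, not a real capture."""
import re
from collections import defaultdict

# Path prefixes to treat as protected (assumed list; extend for your estate)
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows", r"c:\program files")

SAMPLE_PATHS = [  # constructed
    r"C:\Windows\System32\WmiMgmt.msc",         # genuine console
    r"C:\Windows \System32\WmiMgmt.msc",        # clean copy in mock dir (trailing space after "Windows")
    r"C:\Windows \System32\en-US\WmiMgmt.msc",  # shadow copy picked up via MUIPath
    r"C:\Users\alice\Documents\report.docx",
]

def normalize(path):
    """Case-fold and drop trailing spaces/dots from every component, as Win32 does."""
    return "\\".join(re.sub(r"[\s.]+$", "", p) for p in path.lower().split("\\"))

def find_mui_shadows(paths):
    """Return (clean, shadow) pairs: a .msc that also exists under its own en-US subfolder."""
    by_dir = defaultdict(dict)  # lower-cased dir -> {lower-cased name: original path}
    for p in paths:
        d, _, name = p.rpartition("\\")
        by_dir[d.lower()][name.lower()] = p
    hits = []
    for d, names in by_dir.items():
        shadow_dir = by_dir.get(d + "\\en-us", {})
        for n, original in names.items():
            if n.endswith(".msc") and n in shadow_dir:
                hits.append((original, shadow_dir[n]))
    return sorted(hits)

def find_mock_trusted_dirs(paths):
    """Return directories that look protected only after Win32 name normalization."""
    hits = set()
    for p in paths:
        d = p.rpartition("\\")[0]
        if normalize(d) != d.lower() and normalize(d).startswith(PROTECTED_PREFIXES):
            hits.add(d)
    return sorted(hits)

if __name__ == "__main__":
    print("MUIPath shadows:", find_mui_shadows(SAMPLE_PATHS))
    print("Mock trusted dirs:", find_mock_trusted_dirs(SAMPLE_PATHS))
```

Baseline any localized consoles that legitimately live under genuine en-US folders before alerting on shadows, so the check fires only on unexpected pairs.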
Morphing Meerkat Campaign Abuses DNS MX Records and Phishing-as-a-Service Infrastructure
A sophisticated and long-running phishing operation, tracked as Morphing Meerkat, has been observed distributing large-scale phishing campaigns through a phishing-as-a-service (PhaaS) platform. The threat actor sends thousands of spoofed emails that lead to credential harvesting pages tailored to each victim’s email provider. The campaign employs advanced detection evasion techniques and abuses DNS infrastructure to dynamically generate targeted phishing content. This campaign shows signs of centralized management and ongoing development.
Technically, Morphing Meerkat’s phishing kits identify a victim’s email service provider by querying DNS mail exchange (MX) records using DNS over HTTPS (DoH). Based on the MX record, the kit dynamically serves a phishing template imitating the appropriate brand (e.g., Gmail, Outlook, Yahoo). The phishing pages can display in over a dozen languages and automatically pre-fill the victim’s email address. Additional layers of evasion include redirecting suspicious users to legitimate login pages and blocking browser interactions like right-clicking or viewing source code.
The spam emails often leverage open redirect vulnerabilities on adtech infrastructure or are delivered through compromised WordPress sites and free hosting services. Links typically contain fragment identifiers with the victim’s email address to personalize the phishing flow. Once credentials are collected, they are exfiltrated using multiple channels including EmailJS, Telegram bot APIs, or AJAX to actor-controlled endpoints. The kits are heavily obfuscated, using Base64, ASCII character conversion, and decoy code to hinder analysis.
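Two of the behaviours described above leave traces a defender can look for: the kit's client-side DNS-over-HTTPS lookup of MX records (to choose a brand template) shows up in web proxy logs, and the personalising e-mail address travels in the URL fragment of the mailed link. The following is an added example, not code from CyberProof or the cited research; the resolver list, log format, hostnames and links are constructed or assumed for illustration.

```python
"""Constructed example for the Morphing Meerkat indicators described above:
(1) browser-originated DNS-over-HTTPS lookups for MX records in a web proxy
log, and (2) mailed links whose URL fragment carries a victim e-mail address.
Log lines, links, hostnames and the resolver list are constructed/assumed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}  # assumed list
DOH_PATHS = {"/resolve", "/dns-query"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

PROXY_LOG = [  # constructed: "<timestamp> <client_ip> <method> <url>"
    "2025-03-28T10:01:02Z 10.0.0.5 GET https://dns.google/resolve?name=victim-corp.example&type=MX",
    "2025-03-28T10:01:09Z 10.0.0.5 GET https://login.phish.example/index.html",
    "2025-03-28T10:02:11Z 10.0.0.7 GET https://cloudflare-dns.com/dns-query?name=cdn.example&type=A",
    "2025-03-28T10:03:40Z 10.0.0.9 GET https://dns.google/resolve?name=other.example&type=15",
]
MAIL_LINKS = [  # constructed: URLs extracted from inbound mail by the gateway
    "https://login.phish.example/#alice@victim-corp.example",
    "https://redirect.adtech.example/r?u=https%3A%2F%2Flogin.phish.example#bob%40victim-corp.example",
    "https://news.example/article#section-2",
]

def is_doh_mx_lookup(url):
    """True for a JSON-style DoH query asking for MX (type name or RR number 15)."""
    u = urlsplit(url)
    if u.hostname not in DOH_HOSTS or u.path not in DOH_PATHS:
        return False
    qtype = parse_qs(u.query).get("type", [""])[0].upper()
    return qtype in ("MX", "15")

def flag_doh_mx(lines):
    """Return (client_ip, queried_domain) for each MX lookup over DoH in the proxy log."""
    hits = []
    for line in lines:
        _ts, client, _method, url = line.split(" ", 3)
        if is_doh_mx_lookup(url):
            hits.append((client, parse_qs(urlsplit(url).query)["name"][0]))
    return hits

def emails_in_fragments(urls):
    """Return e-mail addresses carried in URL fragments. Browsers never send the
    fragment to the server, so run this on links scanned at the mail gateway."""
    found = []
    for url in urls:
        frag = unquote(urlsplit(url).fragment)
        if EMAIL_RE.fullmatch(frag):
            found.append(frag)
    return found
```

Legitimate browsing rarely asks a public DoH resolver for MX records, so an MX lookup from a workstation shortly before a visit to an unknown login page is a strong pairing to alert on.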