A Deep Dive into Water Arsenal and Infrastructure
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.
OPENCTI LABELS:
backdoor,powershell,stealer,stealc,zero-day,rhadamanthys,c&c,msc eviltwin,cve-2025-26633,darkwisp,lolbins,encrypthub stealer,silentprism