Researchers have identified the threat actors responsible for exploiting a recently patched Microsoft Windows vulnerability, delivering two new backdoors known as SilentPrism and DarkWisp.

This activity has been linked to a suspected Russian hacking group, Water Gamayun, also known as EncryptHub and LARVA-208.

In a follow-up analysis published last week, Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim wrote that “the threat actor deploys payloads primarily through malicious provisioning packages, signed .msi files, and Windows MSC files, utilizing techniques like the IntelliJ runnerw.exe for command execution.”

Water Gamayun has been associated with the active exploitation of CVE-2025-26633 (also known as MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to execute malware via a rogue Microsoft Console (.msc) file.

The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deliver information stealers and backdoors capable of persistence and data theft.

EncryptHub initially gained attention in late June 2024 after using a GitHub repository named “encrypthub” to distribute various malware families, including stealers, miners, and ransomware, via a fake WinRAR website. The threat actors have since shifted to using their own infrastructure for both staging and command-and-control (C&C) purposes.

The .msi installers used in the attacks disguise themselves as legitimate messaging and meeting software, such as DingTalk, QQTalk, and VooV Meeting. They are designed to execute a PowerShell downloader, which then fetches and runs the next-stage payload on a compromised host.

One such malware is a PowerShell implant called SilentPrism, capable of setting up persistence, executing multiple shell commands simultaneously, and maintaining remote control, while incorporating anti-analysis techniques to evade detection. Another notable PowerShell backdoor is DarkWisp, which enables system reconnaissance, exfiltration of sensitive data, and persistence.

According to the researchers, “once the malware exfiltrates reconnaissance and system information to the C&C server, it enters a continuous loop waiting for commands.” The malware accepts commands through a TCP connection on port 8080, where commands arrive in the format COMMAND|<base64_encoded_command>.

“The main communication loop ensures continuous interaction with the server, handling commands, maintaining connectivity, and securely transmitting results.”
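The report gives the shape of the DarkWisp command channel (TCP/8080, lines of the form COMMAND|<base64_encoded_command>). The following triage helper, an added example rather than anything from the Trend Micro analysis or the malware itself, scans lines an analyst has extracted from a capture and decodes those that match that shape; the sample lines and their payloads are constructed placeholders, and the assumption that the decoded bytes are UTF-8 text is mine, since the report does not say.

```python
import base64
import binascii
import re

# Constructed sample lines, as an analyst might pull them out of a capture of
# traffic to TCP/8080. The payloads are made-up placeholders, not real commands.
SAMPLE_LINES = [
    "COMMAND|d2hvYW1p",              # base64("whoami")
    "COMMAND|aXBjb25maWcgL2FsbA==",  # base64("ipconfig /all")
    "GET / HTTP/1.1",                # unrelated traffic on the same port
    "COMMAND|not-base64!!",          # right prefix, invalid base64 alphabet
    "COMMAND|abc",                   # valid alphabet, bad length/padding
]

# Only the base64 alphabet (plus padding) is allowed after the "COMMAND|" prefix.
_COMMAND_RE = re.compile(r"^COMMAND\|([A-Za-z0-9+/=]+)$")


def parse_command_line(line):
    """Return the decoded command if `line` matches COMMAND|<base64>, else None.

    The decoded bytes are assumed (not stated in the report) to be UTF-8 text;
    if they are not, the raw bytes are returned hex-encoded so nothing is lost.
    """
    match = _COMMAND_RE.match(line.strip())
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        # Matches the prefix but is not decodable: not a well-formed command.
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()


def triage(lines):
    """Return (line_index, decoded_command) for every well-formed command line."""
    hits = []
    for index, line in enumerate(lines):
        command = parse_command_line(line)
        if command is not None:
            hits.append((index, command))
    return hits


if __name__ == "__main__":
    for index, command in triage(SAMPLE_LINES):
        print(f"line {index}: {command!r}")
```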

The third payload dropped in the attacks is the MSC EvilTwin loader, which exploits CVE-2025-26633 to execute a malicious .msc file, ultimately leading to the deployment of the Rhadamanthys Stealer. The loader is also designed to perform a cleanup of the system to avoid leaving a forensic trail.