Trend Research has uncovered a sophisticated campaign by the Russian threat actor Water Gamayun, exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework.
The vulnerability, dubbed MSC EvilTwin (CVE-2025-26633), allows attackers to execute malicious code on infected machines.
The attack manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payloads, maintain persistence, and exfiltrate sensitive data from compromised systems.
This technique, named MSC EvilTwin, abuses the way mmc.exe uses MUIPath to load malicious .msc files instead of legitimate ones.
Exploitation Techniques and Trojan Loader
Water Gamayun employs three main techniques in their attack:
- MSC EvilTwin (CVE-2025-26633): This technique involves creating two .msc files with the same name, one clean and one malicious. The malicious file is placed in an en-US directory, exploiting mmc.exe's MUIPath feature to load and execute the malicious version.
- Execute shell command over MSC file web rendering: This technique leverages the ExecuteShellCommand method of the MMC from a View object, allowing command shell execution through specially crafted .msc files and a Shockwave Flash Object inside an ActiveX control.
- Mock trusted directories technique: The attackers create directories that look similar to standard system paths by adding trailing spaces or special characters, potentially tricking applications into loading files from alternate locations.
The MSC EvilTwin loader, a trojan written in PowerShell, weaponizes these techniques to download and execute malicious payloads on compromised systems.
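The three techniques above each leave a file-system artefact a defender can hunt for: a .msc in a locale subdirectory (en-US) that shadows a same-named .msc one level up, a .msc whose XML references ExecuteShellCommand, and a directory name padded with trailing spaces to mimic a system path. The following script is an added example written for this page, not Trend Research's code or tooling; the directory tree, file names and XML snippets it builds are constructed for the demo, and the regular expressions are assumptions about what a hunt would look for rather than published detection logic.

```python
"""Hunt for MSC EvilTwin-style artefacts on disk (added example, not Trend's code).

Checks, one per technique described in the article:
  1. A .msc file in a locale directory (e.g. en-US) that shadows a same-named
     .msc in the parent directory -- the MUIPath load-order abuse.
  2. A .msc file whose content references ExecuteShellCommand.
  3. A directory whose name carries trailing spaces or dots, as used to mock
     a trusted system path.
All paths returned are relative to the scanned root, in POSIX form.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumption: locale directories follow the xx-YY pattern (en-US, de-DE, ...).
LOCALE_DIR = re.compile(r"^[a-z]{2}-[A-Z]{2}$")
# Heuristic: the method name the article says the second technique relies on.
SHELL_CMD = re.compile(rb"ExecuteShellCommand", re.IGNORECASE)


def _rel(root, path):
    """Path relative to root as a POSIX string, so results are platform-neutral."""
    return Path(path).relative_to(root).as_posix()


def find_shadowed_msc(root):
    """Return (twin, original) pairs: a .msc in a locale dir shadowing one in its parent."""
    hits = []
    for path in Path(root).rglob("*.msc"):
        parent = path.parent
        original = parent.parent / path.name
        if LOCALE_DIR.match(parent.name) and original.is_file():
            hits.append((_rel(root, path), _rel(root, original)))
    return sorted(hits)


def find_shell_command_msc(root):
    """Return .msc files whose bytes contain the ExecuteShellCommand method name."""
    hits = []
    for path in Path(root).rglob("*.msc"):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if SHELL_CMD.search(data):
            hits.append(_rel(root, path))
    return sorted(hits)


def find_mock_trusted_dirs(root):
    """Return directories whose name ends in whitespace or dots (normally impossible via Win32)."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if name != name.rstrip(" ."):
                hits.append(_rel(root, Path(dirpath) / name))
    return sorted(hits)


def build_sample_tree():
    """Construct a demo tree (constructed content, not real artefacts); return its root."""
    root = Path(tempfile.mkdtemp(prefix="msc_hunt_"))
    sysroot = root / "Windows" / "System32"
    (sysroot / "en-US").mkdir(parents=True)
    # A clean console file and a same-named "twin" in the locale directory.
    (sysroot / "demo.msc").write_text("<MMC_ConsoleFile></MMC_ConsoleFile>")
    (sysroot / "en-US" / "demo.msc").write_text(
        "<MMC_ConsoleFile><String>ExecuteShellCommand</String></MMC_ConsoleFile>"
    )
    # A locale-only file with no clean counterpart is not a shadowing hit.
    (sysroot / "en-US" / "help.msc").write_text("<MMC_ConsoleFile/>")
    # A mock trusted directory: "Windows " with a trailing space.
    (root / "Windows " / "System32").mkdir(parents=True)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("shadowed .msc twins:", find_shadowed_msc(demo_root))
    print("ExecuteShellCommand .msc:", find_shell_command_msc(demo_root))
    print("mock trusted dirs:", find_mock_trusted_dirs(demo_root))
```

Run against a real mount by passing the volume root to the three `find_*` functions. The trailing-space check matters on Windows because the Win32 API strips such names on creation, so a directory that still carries one was created through a lower-level path and deserves a look; on Linux the sample tree builds without any special handling.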


The attack typically begins with a digitally signed MSI file masquerading as popular Chinese software, which fetches the loader from the attacker's command-and-control (C&C) server.
Implications and Mitigation
According to the report, this campaign demonstrates Water Gamayun's innovative approach to exploiting vulnerabilities within the MMC framework.
The threat actor's arsenal includes several modules such as the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, and Rhadamanthys stealer.
Microsoft and Trend Zero Day Initiative's (ZDI) bug bounty program collaborated to disclose this vulnerability and release a patch on March 11, 2025.
Trend Micro customers are protected against this threat through various security solutions, including Trend Vision One™ Network Security and TippingPoint Intrusion Prevention Filters.
As threat actors continue to refine their tactics, organizations must adopt comprehensive cybersecurity solutions to combat evolving threats.
Proactive security measures, such as those provided by Trend Vision One™, are crucial for safeguarding digital assets in the face of sophisticated attacks like those conducted by Water Gamayun.