

Ethical Hacking News

Russian Hackers Exploit Zero-Day Vulnerability to Deploy Malware and Backdoors




Russian hackers have been spotted exploiting a recently patched Microsoft Windows zero-day vulnerability, resulting in the deployment of malware and backdoors. According to Trend Micro researchers, the attackers are believed to be affiliated with the suspected Russian hacking group Water Gamayun. This attack highlights the ongoing threat posed by sophisticated malware campaigns and underscores the importance of staying vigilant in detecting and mitigating such attacks.

  • THN has uncovered a sophisticated cyber attack exploiting a recently patched zero-day vulnerability in Microsoft Windows.
  • The threat actors are believed to be affiliated with the suspected Russian hacking group Water Gamayun.
  • The attackers utilize malicious provisioning packages, signed Microsoft Windows Installer files, and Windows MSC files to deliver payloads primarily consisting of information stealers and backdoors.
  • Delivery methods include signed .msi files masquerading as legitimate messaging and meeting software.
  • Malware artifacts used in this attack include SilentPrism and DarkWisp, with the latter capable of system reconnaissance and persistence.
  • The attackers also utilize the MSC EvilTwin vulnerability to execute a malicious file that leads to the Rhadamanthys Stealer.
  • EncryptHub Stealer variants target cryptocurrency wallets by singling out specific files; the variants share the same functionality and differ only in minor modifications.
  • The threat actors employ a LOLBin technique, using the IntelliJ process launcher to proxy the execution of a remote PowerShell script on infected systems.
  • AnyDesk software is used for remote access, while Base64-encoded remote commands are sent to the victim machine.



    THN has uncovered a sophisticated cyber attack that exploits a recently patched zero-day vulnerability in Microsoft Windows, leaving a trail of malware and backdoors in its wake. According to Trend Micro researchers, the threat actors behind this attack are believed to be affiliated with the suspected Russian hacking group Water Gamayun, also known as EncryptHub and LARVA-208.


    The attack, which was first discovered by Trend Micro's cybersecurity team, utilizes a combination of malicious provisioning packages, signed Microsoft Windows Installer files, and Windows MSC files to deliver payloads primarily consisting of information stealers and backdoors. The threat actors have been observed deploying these payloads via a variety of delivery methods, including signed .msi files that masquerade as legitimate messaging and meeting software.


    One of the primary malware artifacts being used in this attack is SilentPrism, a PowerShell implant that enables persistence on infected systems, executes multiple shell commands simultaneously, and maintains remote control. Another notable piece of malware involved in this campaign is DarkWisp, which is capable of system reconnaissance, exfiltration of sensitive data, and persistence.


    The attackers have also been observed utilizing the MSC EvilTwin vulnerability to execute a malicious .msc file that ultimately leads to the deployment of the Rhadamanthys Stealer. This stealer has been found to be fully featured malware that can collect extensive system information, including details about antivirus software, installed software, network adapters, and running applications.


    Furthermore, EncryptHub Stealer variants have been discovered to target cryptocurrency wallets by specifically singling out files matching certain keywords and extensions. These variants exhibit similar functionalities and capabilities with only minor modifications distinguishing them from one another. The researchers have noted that the EncryptHub variants are modified versions of the open-source Kematian Stealer.


    The threat actors' use of a LOLBin (living-off-the-land binary) technique, which utilizes the IntelliJ process launcher "runnerw.exe" to proxy the execution of a remote PowerShell script on an infected system, highlights their adaptability in compromising victims' systems and data. This technique has been employed by other malicious actors in recent times.


    In addition to these malware artifacts, Trend Micro researchers have observed the threat actors utilizing AnyDesk software for remote access and sending Base64-encoded remote commands to the victim machine. Water Gamayun's use of various delivery methods and techniques in this campaign highlights its ability to maintain persistence, dynamically control infected systems, and obfuscate its activities.
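    As an added illustration (not part of this article, THN's coverage, or Trend Micro's report), the following Python script shows how a defender could flag the two behaviours described in the preceding paragraphs in Windows process-creation telemetry: PowerShell being launched through the IntelliJ launcher "runnerw.exe", and PowerShell being started with a Base64-encoded command line. The event records are modelled on the fields that Sysmon Event ID 1 and Security event 4688 carry (image, parent image, command line); every sample event is constructed here and is not an indicator from the report, and the rule that runnerw.exe should never spawn a shell is an assumption about the monitored environment.

```python
"""Detection sketch for two behaviours described in the article: PowerShell
proxied through the IntelliJ process launcher (runnerw.exe) and PowerShell
started with a Base64-encoded command line.  The event records mirror the
fields Sysmon Event ID 1 / Security 4688 provide; all sample events below are
constructed for this example and are not indicators from the report."""

import base64
import binascii
import re
from dataclasses import dataclass

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumption for this example: runnerw.exe only ever launches JetBrains
# tooling (java.exe and friends) in this environment, never a shell.
PROXY_PARENTS = {"runnerw.exe"}

# -EncodedCommand and its accepted short forms (-e, -ec, -enc, -encoded)
# followed by a Base64 blob.  The mandatory whitespace right after the switch
# keeps switches such as -ExecutionPolicy from matching.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})"
)


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent
    command_line: str


@dataclass
class Alert:
    rule: str
    detail: str
    event: ProcessEvent


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload (PowerShell encodes it as
    UTF-16LE), or None if the command line carries none or it does not decode."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def evaluate(event: ProcessEvent) -> list:
    """Apply both rules to one process-creation event."""
    alerts = []
    child, parent = basename(event.image), basename(event.parent_image)
    if child in POWERSHELL_IMAGES and parent in PROXY_PARENTS:
        alerts.append(Alert("lolbin_proxy_powershell",
                            f"{parent} spawned {child}", event))
    if child in POWERSHELL_IMAGES:
        decoded = decode_encoded_command(event.command_line)
        if decoded is not None:
            # Surface the decoded text so an analyst can triage it directly.
            alerts.append(Alert("encoded_powershell_command", decoded, event))
    return alerts


def evaluate_all(events) -> list:
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample telemetry (not from the article or Trend Micro's report).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNNERW = r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe"
EXPLORER = r"C:\Windows\explorer.exe"
BENIGN_TEXT = "Write-Output hello"   # what the encoded sample decodes to
ENCODED = base64.b64encode(BENIGN_TEXT.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    # PowerShell proxied through the IntelliJ runner: should alert.
    ProcessEvent(PS, RUNNERW, r"powershell.exe -NoProfile -File C:\Users\Public\update.ps1"),
    # Encoded command line from the desktop shell: should alert with decoded text.
    ProcessEvent(PS, EXPLORER, f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"),
    # Normal IDE behaviour, runnerw.exe launching the bundled JDK: no alert.
    ProcessEvent(r"C:\Program Files\JetBrains\IntelliJ IDEA\jbr\bin\java.exe", RUNNERW, "java.exe -cp . Main"),
    # -ExecutionPolicy must not be mistaken for -e: no alert.
    ProcessEvent(PS, EXPLORER, r"powershell.exe -ExecutionPolicy Unrestricted -File C:\scripts\build.ps1"),
]

if __name__ == "__main__":
    for alert in evaluate_all(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail} :: {alert.event.command_line}")
```

    Run against a real feed, the parent/child rule is the higher-fidelity one: an IDE launcher spawning PowerShell is rare enough to review every time, whereas encoded command lines also appear in legitimate administration, so the decoded text is attached to the alert for triage rather than treated as conclusive on its own.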


    In light of these developments, cybersecurity experts are warning organizations to exercise caution when dealing with seemingly legitimate software installations and signed .msi files. The exploitation of this zero-day vulnerability underscores the ongoing threat posed by sophisticated malware campaigns and the importance of staying vigilant in detecting and mitigating such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-Hackers-Exploit-Zero-Day-Vulnerability-to-Deploy-Malware-and-Backdoors-ehn.shtml

  • https://thehackernews.com/2025/03/russian-hackers-exploit-cve-2025-26633.html

  • https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html

  • https://codesanitize.com/russian-hackers-exploit-cve-2025-26633-by-way-of-msc-eviltwin-to-deploy-silentprism-and-darkwisp/

  • https://www.pcrisk.com/removal-guides/25643-rhadamanthys-stealer

  • https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/

  • https://cybersecuritynews.com/encrypthub-a-multi-stage-malware/

  • https://thehackernews.com/2025/03/encrypthub-deploys-ransomware-and.html


  • Published: Mon Mar 31 13:11:37 2025 by llama3.2 3B Q4_K_M