CyberSecurity news

@The DefendOps Diaries //
A Russian threat actor, tracked as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. The flaw, dubbed MSC EvilTwin, lets attackers execute malicious code on compromised Windows systems. The attackers craft .msc files and abuse the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy a range of malicious payloads.

Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.


References:
  • www.cybersecuritydive.com: Russian threat actor weaponized Microsoft Management Console flaw
  • www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
  • iHLS: A threat actor is leveraging a zero-day vulnerability in the Microsoft Management Console (MMC) to distribute malware.
  • Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console.
  • doublepulsar.com: Bleeping Computer reports on claims of a breach of Oracle Cloud federated SSO login servers.
  • www.cybersecuritydive.com: Confirmation of patient data stolen in alleged cloud breach.
  • www.healthcareitnews.com: Reports indicate Oracle Health customers received a letter about a data compromise.
  • Techzine Global: Oracle acknowledged the breach related to their health tech division.
  • www.cybersecuritydive.com: Security firms brace for impact of potential Oracle Cloud breach
  • DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
  • infosec.exchange: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on.
  • Risky Business Media: Risky Bulletin: Oracle's healthtech division hacked, customers extorted
  • aboutdfir.com: Oracle Health breach compromises patient data at US hospitals. A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed […]
  • techcrunch.com: Oracle under fire for its handling of separate security incidents
  • techxplore.com: Oracle warns health customers of patient data breach
  • The Register - Security: 1990s incident response in 2025. Two Oracle data security breaches have been reported in the past week, and the database goliath not only remains reluctant to acknowledge the disasters publicly, it may be scrubbing the web of evidence, too.
  • www.csoonline.com: Oracle’s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers’ sensitive data, the company told some of its customers.
  • SiliconANGLE: Oracle denies cloud breach, while researchers point to credible indicators
  • Danny Palmer: NEW: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on. Both public and employees are confused at this point, as there is little transparency. Here's a recap of what's happening.
Classification:
  • HashTags: #ZeroDay #ThreatActor #CyberAttack
  • Company: Trend Micro
  • Target: Windows Systems
  • Attacker: EncryptHub(Water Gamayun)
  • Product: Microsoft Management Console
  • Feature: Zero-Day Exploit
  • Malware: EncryptHub
  • Type: 0Day
  • Severity: Critical