@The DefendOps Diaries
//
A Russian threat actor, known as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. This flaw, dubbed MSC EvilTwin, enables attackers to execute malicious code on infected Windows systems. The attackers manipulate .msc files and the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy various malicious payloads.
Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.
Recommended read:
References :
- www.cybersecuritydive.com: Russian threat actor weaponized Microsoft Management Console flaw
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
- iHLS: A threat actor is leveraging a zero-day vulnerability in the Microsoft Management Console (MMC) to distribute malware.
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console.
- doublepulsar.com: Bleeping Computer reports on claims of a breach of Oracle Cloud federated SSO login servers.
- www.cybersecuritydive.com: Confirmation of patient data stolen in alleged cloud breach.
- www.healthcareitnews.com: Reports indicate Oracle Health customers received a letter about a data compromise.
- Techzine Global: Oracle acknowledged the breach related to their health tech division.
- www.cybersecuritydive.com: Security firms brace for impact of potential Oracle Cloud breach
- DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
- infosec.exchange: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on.
- Risky Business Media: Risky Bulletin: Oracle's healthtech division hacked, customers extorted
- aboutdfir.com: Oracle Health breach compromises patient data at US hospitals A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed […] The post appeared first on .
- techcrunch.com: Oracle under fire for its handling of separate security incidents
- techxplore.com: Oracle warns health customers of patient data breach
- The Register - Security: 1990s incident response in 2025 Two Oracle data security breaches have been reported in the past week, and the database goliath not only remains reluctant to acknowledge the disasters publicly – it may be scrubbing the web of evidence, too.…
- www.csoonline.com: Oracle’s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers’ sensitive data, the company told some of its customers.
- SiliconANGLE: Oracle denies cloud breach, while researchers point to credible indicators
- Danny Palmer: NEW: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on. Both public and employees are confused at this point, as there is little transparency. Here's a recap of what's happening.
@The DefendOps Diaries
//
EncryptHub, a group linked to RansomHub, has been identified as the actor exploiting a zero-day vulnerability in Microsoft Management Console (MMC). Tracked as CVE-2025-26633, this flaw allows attackers to bypass security features and execute malicious code on vulnerable Windows systems. The vulnerability stems from improper input sanitization within MMC, a core administrative tool. Attackers are leveraging this flaw through email and web-based attacks, delivering malicious payloads to unsuspecting users, bypassing Windows file reputation protections.
The exploit, dubbed 'MSC EvilTwin', manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious payloads, maintain persistence, and steal sensitive data. Specifically, attackers create two .msc files with the same name, a clean one and a malicious counterpart. When the legitimate file is run, MMC inadvertently picks the rogue file from a directory named "en-US" and executes it, unbeknownst to the user. This sophisticated technique allows EncryptHub to deploy various malware families, including Rhadamanthys and StealC, information stealers which pose a severe risk to affected organizations.
Recommended read:
References :
- The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
- www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
- BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
- gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
- www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
- bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
- The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.cybersecuritydive.com: A threat actor known as “EncryptHub” began exploiting the zero-day vulnerability before it was patched earlier this month.
- : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
- Christoffer S.: (trendmicro.com) A Deep Dive into Water Gamayun's Arsenal and Infrastructure Executive Summary: This research provides a comprehensive analysis of Water Gamayun (also known as EncryptHub and Larva-208), a suspected Russian threat actor exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console.
- Cyber Security News: Zero-Day in Windows MMC Framework Exploited for Malicious Code Execution
- Know Your Adversary: Adversaries always need to execute commands via various command and scripting interpreters. It's a well-known behavior, so they always look for defense evasion techniques. Trend Micro releleased a on Water Gamayun , and noted an interesting technique used by the threat acrors for proxy execution.
Bill Mann@CyberInsider
//
A critical unpatched zero-day vulnerability in Microsoft Windows is being actively exploited by 11 state-sponsored threat groups for espionage, data theft, and financially motivated campaigns since 2017. The flaw, tracked as ZDI-CAN-25373, involves the use of crafted Windows Shortcut (.LNK) files to execute hidden malicious commands. This allows attackers to gain unauthorized access to systems, steal sensitive data, and potentially conduct cyber espionage activities targeting governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies across multiple countries.
The attacks leverage hidden command line arguments within the malicious .LNK files, making detection difficult by padding the arguments with whitespace characters. Nearly 1,000 .LNK file artifacts exploiting the vulnerability have been found, and linked to APT groups from China, Iran, North Korea, and Russia. In these attacks, the .LNK files act as a delivery vehicle for malware families like Lumma Stealer, GuLoader, and Remcos RAT. Microsoft considers the issue a low severity user interface misrepresentation and does not plan to release a fix.
Recommended read:
References :
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- CyberInsider: Microsoft Declines to Fix Actively Exploited Windows Zero-Day Vulnerability
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: 11 nation-state groups exploit unpatched Microsoft zero-day
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- securityonline.info: A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of the
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Threats | CyberScoop: Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying
- securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
Bill Mann@CyberInsider
//
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting a Windows zero-day vulnerability since 2017 for data theft and cyber espionage. The vulnerability lies in malicious .LNK shortcut files rigged with commands to download malware, effectively hiding malicious payloads from users. Security researchers at Trend Micro's Zero Day Initiative discovered nearly 1,000 tampered .LNK files, though they believe the actual number of attacks could be much higher.
Microsoft has chosen not to address this vulnerability with a security update, classifying it as a low priority issue not meeting their bar for servicing. This decision comes despite the fact that the exploitation avenue has been used in an eight-year-long spying campaign, relying on hiding commands using megabytes of whitespace to bury the actual commands deep out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.
Recommended read:
References :
- CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- BleepingComputer: At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
- www.it-daily.net: Critical Windows security vulnerability discovered
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
- Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- Sam Bent: Microsoft Windows Zero-Day Used by Nation-States
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue.
- Jon Greig: Researchers Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files Microsoft said the report "does not meet the bar for immediate servicing"
- www.trendmicro.com: Trend Zero Day Initiativeâ„¢ (ZDI) uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
|
|
FlagThis - #windowszeroday