Intel Name: CVE-2025-26633: How Water Gamayun Weaponizes MUIPath Using MSC EvilTwin
Date of Scan: March 26, 2025
Impact: High
Summary: Trend Research uncovered a campaign by the Russian threat actor Water Gamayun exploiting a zero-day in the Microsoft Management Console (CVE-2025-26633). The attack manipulates .msc files and MUIPath to execute malicious code, maintain persistence, and steal data. This threat poses significant risks to enterprises, potentially leading to data breaches and financial losses. Businesses relying on Microsoft’s administrative tools are particularly vulnerable. We have named this technique MSC EvilTwin (CVE-2025-26633) and are tracking it as ZDI-CAN-26371, also referred to as ZDI-25-150.