Intel Name: Discovers and reconstructs a sophisticated Water Gamayun APT group attack
Date of Scan: December 1, 2025
Impact: High
Summary: A compromised site and a lookalike domain worked together to deliver a double-extension RAR file masquerading as a PDF. The payload abused MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe and trigger hidden PowerShell stages via TaskPad commands. Layered obfuscation, a breached website, and password-protected archives reduced user visibility. A small .NET class hid malicious processes while a decoy document maintained a sense of normal interaction. The campaign's methods strongly align with Water Gamayun, based on their known MSC EvilTwin exploitation and obfuscation traits. Dual-path infrastructure, window-hiding techniques, and specific social-engineering themes further support this attribution.
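The summary names two observables a defender can hunt for directly: a double-extension archive posing as a document, and mmc.exe spawning a hidden PowerShell process. The following is an added detection example written for this entry, not code from the original report or from any vendor; the telemetry records, field names (`type`, `target`, `parent_image`, `image`, `command_line`) and file paths are constructed to resemble generic endpoint events and are not indicators from the campaign.

```python
"""Triage constructed endpoint telemetry for two observables described in the summary:
(1) a double-extension archive whose inner extension is a document type,
(2) mmc.exe as the parent of a PowerShell process, optionally with a hidden window.
All records and paths below are constructed samples, not real campaign indicators."""
import re

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Matches "-w hidden" and "-WindowStyle Hidden" (case-insensitive).
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path):
    """Return the lower-cased final path component for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_double_extension_lure(filename):
    """True for names like 'Contract.pdf.rar': a document extension wrapped in an archive extension."""
    parts = basename(filename).split(".")
    if len(parts) < 3:
        return False
    inner, outer = parts[-2], parts[-1]
    return inner in DOCUMENT_EXTS and outer in ARCHIVE_EXTS


def is_mmc_spawning_shell(event):
    """True when the parent process is mmc.exe and the child is a PowerShell host."""
    return (basename(event.get("parent_image", "")) == "mmc.exe"
            and basename(event.get("image", "")) in SHELLS)


def triage(events):
    """Return (event_id, reason) tuples for every record matching one of the two rules."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create" and is_double_extension_lure(ev["target"]):
            findings.append((ev["id"], "double-extension archive posing as a document"))
        elif ev["type"] == "process_create" and is_mmc_spawning_shell(ev):
            reason = "mmc.exe spawned PowerShell"
            if HIDDEN_WINDOW.search(ev.get("command_line", "")):
                reason += " with a hidden window"
            findings.append((ev["id"], reason))
    return findings


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create",
     "target": "C:\\Users\\alice\\Downloads\\Contract_2025.pdf.rar"},
    {"id": 2, "type": "file_create",
     "target": "C:\\Users\\alice\\Downloads\\Report.pdf"},
    {"id": 3, "type": "process_create",
     "parent_image": "C:\\Windows\\System32\\mmc.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand <PLACEHOLDER>"},
    {"id": 4, "type": "process_create",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

The parent/child rule is the higher-signal one: mmc.exe launching a PowerShell host is rare in normal administration, so it tolerates a tight alert threshold, while the double-extension rule is best used as an enrichment or hunting pivot because legitimate users do occasionally compress documents. Both checks operate on basenames only, so a renamed or relocated binary would need a separate hash- or signer-based rule.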