This story was originally published on Cybersecurity Dive.
A prolific Russian threat actor is exploiting a zero-day flaw in the Microsoft Management Console (MMC) framework to execute malicious code on targeted systems in an ongoing cyberattack campaign that puts unpatched systems at risk.
The attacks, by a group that Trend Micro tracks as Water Gamayun, use the CVE-2025-26633 vulnerability, also known as MSC Evil Twin, to manipulate .msc files and the MMC console's Multilingual User Interface Path (MUIPath). From there the attacker, better known as EncryptHub, downloads and executes malicious payloads, maintains persistence and steals sensitive data from infected systems.
Microsoft patched MSC Evil Twin as part of its March Patch Tuesday raft of fixes on March 11. The flaw was still a zero-day when EncryptHub exploited it by executing malicious .msc files through a legitimate one, according to Trend Micro. The flaw allows an attacker to bypass a security feature in the MMC after convincing a victim to click on a malicious link or open a malicious file. The weakness stems from the console’s failure to properly sanitize user input.
In EncryptHub's attack, two .msc files with the same name are created on the system by the Trojan loader, according to Trend Micro. "One file is clean and appears legitimate with no suspicious elements; the other is a malicious version that is dropped in the same location," Trend Micro team leader and staff researcher Aliakbar Zahravi wrote in a blog post published this week. "When the clean .msc file is run, mmc.exe loads the malicious file instead of the original file" and executes it.
The attack also abused the Multilingual User Interface Path (MUIPath) feature of the mmc.exe file. The default system language — English (United States) — has a MUIPath that is typically configured to include MUI files (.mui), which are designed to store language-specific resources for applications such as localized text, dialogs and user interface elements tailored for different languages.
"By abusing the way that mmc.exe uses MUIPath, the attacker can equip MUIPath en-US with a malicious .msc file, which causes the mmc.exe [to] load this malicious file instead of the original file and execute without the victim's knowledge," Zahravi explained.
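The "twin" pattern described above, a clean .msc file sitting beside a same-named copy in an en-US MUI folder, is something a defender can sweep for on disk. The following script is an added example, not code from Trend Micro or from the article, and it assumes a layout the article does not spell out in detail: that the twin is resolved as `<dir>/en-US/<name>.msc` next to the clean file. It walks a directory tree, flags every .msc file that has such a twin, and records whether the two files actually differ. The sample tree it builds is constructed for the demo and contains only harmless placeholder text.

```python
import hashlib
import tempfile
from pathlib import Path

# Language folder the article names as the abused MUIPath entry.
MUI_LANG_DIR = "en-US"


def sha256_of(path: Path) -> str:
    """Hash a file so two same-named .msc files can be compared by content."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_msc_twins(root: Path, lang_dir: str = MUI_LANG_DIR) -> list[dict]:
    """Report every .msc under `root` that has a same-named twin in a
    `lang_dir` subfolder beside it.

    Assumption (not stated in the article): the twin lives at
    <dir>/<lang_dir>/<name>.msc relative to the clean file.
    """
    findings = []
    for clean in sorted(root.rglob("*.msc")):
        # Files that are themselves inside a MUI folder are the twins, not the decoys.
        if lang_dir in clean.relative_to(root).parts:
            continue
        twin = clean.parent / lang_dir / clean.name
        if twin.is_file():
            findings.append({
                "clean": str(clean),
                "twin": str(twin),
                # A twin with identical content is benign; a differing one is the red flag.
                "same_content": sha256_of(clean) == sha256_of(twin),
            })
    return findings


def build_sample_tree() -> Path:
    """Constructed sample (placeholder text, no real console files):
    one decoy with a differing twin under en-US, one standalone console."""
    root = Path(tempfile.mkdtemp(prefix="msc_twin_demo_"))
    docs = root / "docs"
    (docs / MUI_LANG_DIR).mkdir(parents=True)
    (docs / "Report.msc").write_text("<MMC_ConsoleFile/> clean decoy")
    (docs / MUI_LANG_DIR / "Report.msc").write_text("<MMC_ConsoleFile/> DIFFERENT")
    tools = root / "tools"
    tools.mkdir()
    (tools / "Services.msc").write_text("<MMC_ConsoleFile/> standalone")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in find_msc_twins(sample_root):
        status = "identical" if finding["same_content"] else "CONTENT DIFFERS"
        print(f"{finding['clean']} -> {finding['twin']} [{status}]")
```

Run against a real share or user profile the same function applies unchanged; only the decoy pair is reported, the standalone console file is not. Treat a differing twin as a triage lead rather than proof, and pair it with the patch status for CVE-2025-26633 on the host.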
The payloads EncryptHub delivers through this attack vector include both custom and commodity tooling: the EncryptHub stealer, the DarkWisp backdoor, the SilentPrism backdoor and the Rhadamanthys stealer.