{
  "type": "Domain",
  "indicator": "cryptolabstudio.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/cryptolabstudio.com",
    "alexa": "http://www.alexa.com/siteinfo/cryptolabstudio.com",
    "indicator": "cryptolabstudio.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4025856312,
      "indicator": "cryptolabstudio.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "67e7cba2606bdb8acfedda1c",
          "name": "A Deep Dive into Water Arsenal and Infrastructure",
          "description": "Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.",
          "modified": "2025-04-28T10:06:12.559000",
          "created": "2025-03-29T10:29:54.426000",
          "tags": [
            "zero-day",
            "backdoor",
            "c&c",
            "stealc",
            "cve-2025-26633",
            "darkwisp",
            "lolbins",
            "stealer",
            "rhadamanthys",
            "encrypthub stealer",
            "powershell",
            "silentprism",
            "msc eviltwin"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "Water Gamayun",
          "targeted_countries": [
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "EncryptHub Stealer",
              "display_name": "EncryptHub Stealer",
              "target": null
            },
            {
              "id": "SilentPrism",
              "display_name": "SilentPrism",
              "target": null
            },
            {
              "id": "DarkWisp",
              "display_name": "DarkWisp",
              "target": null
            },
            {
              "id": "Stealc",
              "display_name": "Stealc",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Government",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 8,
            "FileHash-MD5": 62,
            "FileHash-SHA1": 62,
            "FileHash-SHA256": 108,
            "hostname": 1,
            "CVE": 1,
            "URL": 3
          },
          "indicator_count": 245,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386612,
          "modified_text": "398 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e31bb008959a0b0a250d43",
          "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
          "description": "Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633).",
          "modified": "2025-04-24T15:04:04.010000",
          "created": "2025-03-25T21:10:08.643000",
          "tags": [
            "disease vector",
            "sha256",
            "msc eviltwin",
            "water gamayun",
            "trojanspy",
            "zero-day",
            "Windows",
            "EncryptHub",
            "CVE-2025-26633",
            "backdoor",
            "github",
            "infostealer"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "Water Gamayun",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DarkWisp",
              "display_name": "DarkWisp",
              "target": null
            },
            {
              "id": "EncryptHub",
              "display_name": "EncryptHub",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            },
            {
              "id": "SilentPrism",
              "display_name": "SilentPrism",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67e2c585ecb08a99a52c35ae",
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 52,
            "domain": 4
          },
          "indicator_count": 75,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386610,
          "modified_text": "402 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6783308fc0b6e2bd8dfb209c",
          "name": "TTC-CERT_blocklist_recommended",
          "description": "",
          "modified": "2026-02-14T00:03:07.406000",
          "created": "2025-01-12T03:01:35.075000",
          "tags": [],
          "references": [
            "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 606,
            "URL": 4,
            "domain": 25122,
            "hostname": 25306
          },
          "indicator_count": 51038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 185,
          "modified_text": "107 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ebb383c09e67bf08f536e4",
          "name": "A Deep Dive into Water Gamayun\u2019s Arsenal and Infrastructure",
          "description": "Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.",
          "modified": "2025-05-01T09:02:21.300000",
          "created": "2025-04-01T09:36:03.598000",
          "tags": [
            "sha256",
            "detection",
            "filename",
            "dive",
            "water gamayun",
            "arsenal",
            "infrastructure",
            "files",
            "backdoor",
            "msc eviltwin",
            "silentprism",
            "darkwisp",
            "encrypthub",
            "a",
            "c",
            "trojanspy"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SilentPrism",
              "display_name": "SilentPrism",
              "target": null
            },
            {
              "id": "DarkWisp",
              "display_name": "DarkWisp",
              "target": null
            },
            {
              "id": "EncryptHub",
              "display_name": "EncryptHub",
              "target": null
            },
            {
              "id": "A",
              "display_name": "A",
              "target": null
            },
            {
              "id": "C",
              "display_name": "C",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 8,
            "FileHash-MD5": 55,
            "FileHash-SHA1": 55,
            "FileHash-SHA256": 105,
            "hostname": 1
          },
          "indicator_count": 224,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "395 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67eb5c27a3c28726af1b3e6f",
          "name": "IOC - A Deep Dive into Water Gamayun\u2019s Arsenal and Infrastructure",
          "description": "",
          "modified": "2025-04-28T10:06:12.559000",
          "created": "2025-04-01T03:23:19.437000",
          "tags": [
            "zero-day",
            "backdoor",
            "c&c",
            "stealc",
            "cve-2025-26633",
            "darkwisp",
            "lolbins",
            "stealer",
            "rhadamanthys",
            "encrypthub stealer",
            "powershell",
            "silentprism",
            "msc eviltwin"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "Water Gamayun",
          "targeted_countries": [
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "EncryptHub Stealer",
              "display_name": "EncryptHub Stealer",
              "target": null
            },
            {
              "id": "SilentPrism",
              "display_name": "SilentPrism",
              "target": null
            },
            {
              "id": "DarkWisp",
              "display_name": "DarkWisp",
              "target": null
            },
            {
              "id": "Stealc",
              "display_name": "Stealc",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Government",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": "67e7cba2606bdb8acfedda1c",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 8,
            "FileHash-MD5": 62,
            "FileHash-SHA1": 62,
            "FileHash-SHA256": 108,
            "hostname": 1,
            "CVE": 1,
            "URL": 3
          },
          "indicator_count": 245,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "398 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ee1f848149d93d8d8043d7",
          "name": "A Deep Dive into Water Arsenal and Infrastructure",
          "description": "",
          "modified": "2025-04-28T10:06:12.559000",
          "created": "2025-04-03T05:41:24.498000",
          "tags": [
            "zero-day",
            "backdoor",
            "c&c",
            "stealc",
            "cve-2025-26633",
            "darkwisp",
            "lolbins",
            "stealer",
            "rhadamanthys",
            "encrypthub stealer",
            "powershell",
            "silentprism",
            "msc eviltwin"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "Water Gamayun",
          "targeted_countries": [
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "EncryptHub Stealer",
              "display_name": "EncryptHub Stealer",
              "target": null
            },
            {
              "id": "SilentPrism",
              "display_name": "SilentPrism",
              "target": null
            },
            {
              "id": "DarkWisp",
              "display_name": "DarkWisp",
              "target": null
            },
            {
              "id": "Stealc",
              "display_name": "Stealc",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [
            "Government",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": "67e7cba2606bdb8acfedda1c",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 8,
            "FileHash-MD5": 62,
            "FileHash-SHA1": 62,
            "FileHash-SHA256": 108,
            "hostname": 1,
            "CVE": 1,
            "URL": 3
          },
          "indicator_count": 245,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "398 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e52f6dfb82913704567051",
          "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
          "description": "Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console, to execute malicious code and exfiltrate data.",
          "modified": "2025-04-26T10:00:24.389000",
          "created": "2025-03-27T10:58:53.897000",
          "tags": [
            "disease vector",
            "sha256",
            "detection",
            "msc eviltwin",
            "filename",
            "water gamayun",
            "files",
            "related",
            "domain",
            "description",
            "trojanspy"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 52,
            "domain": 4
          },
          "indicator_count": 75,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "400 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e52f6e175c81db27157631",
          "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
          "description": "Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console, to execute malicious code and exfiltrate data.",
          "modified": "2025-04-26T10:00:24.389000",
          "created": "2025-03-27T10:58:54.536000",
          "tags": [
            "disease vector",
            "sha256",
            "detection",
            "msc eviltwin",
            "filename",
            "water gamayun",
            "files",
            "related",
            "domain",
            "description",
            "trojanspy"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 52,
            "domain": 4
          },
          "indicator_count": 75,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "400 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e2c585ecb08a99a52c35ae",
          "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
          "description": "MSC EvilTwin is a security vulnerability that can be exploited to spy on users' computer systems, but can also expose them to a range of other malicious tools, such as malware, which can easily be hijacked.",
          "modified": "2025-04-24T15:04:04.010000",
          "created": "2025-03-25T15:02:29.286000",
          "tags": [
            "disease vector",
            "sha256",
            "detection",
            "msc eviltwin",
            "filename",
            "water gamayun",
            "files",
            "related",
            "domain",
            "description",
            "trojanspy"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 52,
            "domain": 4
          },
          "indicator_count": 75,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "402 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e36bbcf1edad04004d2f97",
          "name": "IOC&TTP - CVE-2025-26633 How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
          "description": "\u672c\u6b21\u7814\u7a76\u63ed\u793a\u4e86\u4e00\u4e2a\u7531\u4fc4\u7f57\u65af\u653b\u51fb\u56e2\u4f53 Water Gamayun\uff08\u53c8\u540d EncryptHub\u3001Larva-208 \u7b49\uff09\u6240\u53d1\u52a8\u7684\u9ad8\u7ea7\u653b\u51fb\u6d3b\u52a8\uff0c\u653b\u51fb\u8005\u6ee5\u7528 Microsoft Management Console (MMC) \u6846\u67b6\u4e2d\u7684\u96f6\u65e5\u6f0f\u6d1e\uff08CVE-2025-26633\uff09\uff0c\u5e76\u5229\u7528\u4e86 MUIPath \u673a\u5236\u6765\u52a0\u8f7d\u5e76\u6267\u884c\u540d\u4e3a\u201cMSC EvilTwin\u201d\u7684\u6076\u610f\u4ee3\u7801\u3002\u6b64\u6076\u610f\u624b\u6cd5\u5305\u542b\u4ee5\u4e0b\u5173\u952e\u7279\u70b9\uff1a\n\nMSC EvilTwin \u6280\u672f\uff1a\u901a\u8fc7\u201c\u540c\u540d\u4e14\u4e0d\u540c\u4f4d\u7f6e\u201d\u7684 .msc \u6587\u4ef6\uff0c\u8bf1\u4f7f mmc.exe \u53bb\u52a0\u8f7d\u5e76\u6267\u884c\u4f4d\u4e8e en-US \u76ee\u5f55\u4e0b\u7684\u6076\u610f .msc \u6587\u4ef6\uff0c\u4ece\u800c\u7ed5\u8fc7\u5e38\u89c4\u5b89\u5168\u68c0\u6d4b\u3002\n\n\u5229\u7528 MMC \u7684\u591a\u79cd\u6267\u884c\u624b\u6bb5\uff1a\u653b\u51fb\u8005\u5728\u5305\u542b ActiveX \u63a7\u4ef6\u7684 .msc \u6587\u4ef6\u4e2d\u5d4c\u5165\u7279\u5b9a\u811a\u672c\uff0c\u501f\u6b64\u5728\u53d7\u5bb3\u8005\u673a\u5668\u4e0a\u89e6\u53d1 mmc.exe \u7684\u67d0\u4e9b\u65b9\u6cd5\uff08\u5982 ExecuteShellCommand\uff09\uff0c\u4ece\u800c\u6267\u884c\u4efb\u610f\u547d\u4ee4\u6216\u4e0b\u8f7d\u540e\u7eed Payload\u3002\n\n\u4f2a\u9020\u7cfb\u7edf\u76ee\u5f55\uff1a\u901a\u8fc7\u521b\u5efa\u4f8b\u5982 \u201cC:\\Windows \\System32\u201d \u7b49\u5e26\u7a7a\u683c\u6216\u7279\u6b8a\u5b57\u7b26\u7684\u76ee\u5f55\uff0c\u4f2a\u88c5\u6210\u4e0e\u7cfb\u7edf\u6587\u4ef6\u8def\u5f84\u76f8\u4f3c\u7684\u5408\u6cd5\u8def\u5f84\uff0c\u8fdb\u800c\u5728\u9ad8\u6743\u9650\u5e94\u7528\u52a0\u8f7d\u65f6\u5229\u7528\u9519\u8bef\u7684\u8def\u5f84\u9a8c\u8bc1\u673a\u5236\u3002\n\n\u6076\u610f\u8f7d\u8377\u591a\u6837\u6027\uff1aWater Gamayun \u4e0d\u4ec5\u4ec5\u4f9d\u8d56\u6b64\u96f6\u65e5\u6f0f\u6d1e\u6295\u9012\u540e\u7eed\u7ec4\u4ef6\uff0c\u4e5f\u540c\u65f6\u5728\u653b\u51fb\u4e2d\u4f7f\u7528\u5176\u4ed6\u5b9a\u5236\u5316\u6a21\u5757\u53ca\u4fe1\u606f\u7a83\u53d6\u7a0b\u5e8f\uff0c\u5982 EncryptHub stealer\u3001DarkWisp\u3001SilentPrism\u3001Stealc\u3001Rhadamanthys \u7b49\u3002",
          "modified": "2025-04-24T15:04:04.010000",
          "created": "2025-03-26T02:51:40.420000",
          "tags": [
            "disease vector",
            "sha256",
            "msc eviltwin",
            "water gamayun",
            "trojanspy",
            "zero-day",
            "Windows",
            "EncryptHub",
            "CVE-2025-26633",
            "backdoor",
            "github",
            "infostealer"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "Water Gamayun",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DarkWisp",
              "display_name": "DarkWisp",
              "target": null
            },
            {
              "id": "EncryptHub",
              "display_name": "EncryptHub",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            },
            {
              "id": "SilentPrism",
              "display_name": "SilentPrism",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67e31bb008959a0b0a250d43",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 52,
            "domain": 4
          },
          "indicator_count": 75,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "402 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ef6e2da8ee27d47d7fbb56",
          "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
          "description": "",
          "modified": "2025-04-24T15:04:04.010000",
          "created": "2025-04-04T05:29:17.354000",
          "tags": [
            "disease vector",
            "sha256",
            "msc eviltwin",
            "water gamayun",
            "trojanspy",
            "zero-day",
            "Windows",
            "EncryptHub",
            "CVE-2025-26633",
            "backdoor",
            "github",
            "infostealer"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
          ],
          "public": 1,
          "adversary": "Water Gamayun",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DarkWisp",
              "display_name": "DarkWisp",
              "target": null
            },
            {
              "id": "EncryptHub",
              "display_name": "EncryptHub",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            },
            {
              "id": "SilentPrism",
              "display_name": "SilentPrism",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67e31bb008959a0b0a250d43",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 52,
            "domain": 4
          },
          "indicator_count": 75,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "402 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt",
        "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html",
        "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Water Gamayun"
          ],
          "malware_families": [
            "Rhadamanthys",
            "Silentprism",
            "Encrypthub",
            "Stealc",
            "Encrypthub stealer",
            "Darkwisp"
          ],
          "industries": [
            "Government",
            "Defense"
          ]
        },
        "other": {
          "adversary": [
            "Water Gamayun"
          ],
          "malware_families": [
            "C",
            "A",
            "Rhadamanthys",
            "Silentprism",
            "Encrypthub",
            "Trojanspy",
            "Stealc",
            "Encrypthub stealer",
            "Darkwisp"
          ],
          "industries": [
            "Government",
            "Defense"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "67e7cba2606bdb8acfedda1c",
      "name": "A Deep Dive into Water Arsenal and Infrastructure",
      "description": "Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.",
      "modified": "2025-04-28T10:06:12.559000",
      "created": "2025-03-29T10:29:54.426000",
      "tags": [
        "zero-day",
        "backdoor",
        "c&c",
        "stealc",
        "cve-2025-26633",
        "darkwisp",
        "lolbins",
        "stealer",
        "rhadamanthys",
        "encrypthub stealer",
        "powershell",
        "silentprism",
        "msc eviltwin"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "Water Gamayun",
      "targeted_countries": [
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "EncryptHub Stealer",
          "display_name": "EncryptHub Stealer",
          "target": null
        },
        {
          "id": "SilentPrism",
          "display_name": "SilentPrism",
          "target": null
        },
        {
          "id": "DarkWisp",
          "display_name": "DarkWisp",
          "target": null
        },
        {
          "id": "Stealc",
          "display_name": "Stealc",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Government",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 46,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 8,
        "FileHash-MD5": 62,
        "FileHash-SHA1": 62,
        "FileHash-SHA256": 108,
        "hostname": 1,
        "CVE": 1,
        "URL": 3
      },
      "indicator_count": 245,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386612,
      "modified_text": "398 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e31bb008959a0b0a250d43",
      "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
      "description": "Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633).",
      "modified": "2025-04-24T15:04:04.010000",
      "created": "2025-03-25T21:10:08.643000",
      "tags": [
        "disease vector",
        "sha256",
        "msc eviltwin",
        "water gamayun",
        "trojanspy",
        "zero-day",
        "Windows",
        "EncryptHub",
        "CVE-2025-26633",
        "backdoor",
        "github",
        "infostealer"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "Water Gamayun",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DarkWisp",
          "display_name": "DarkWisp",
          "target": null
        },
        {
          "id": "EncryptHub",
          "display_name": "EncryptHub",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        },
        {
          "id": "SilentPrism",
          "display_name": "SilentPrism",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67e2c585ecb08a99a52c35ae",
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 52,
        "domain": 4
      },
      "indicator_count": 75,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386610,
      "modified_text": "402 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6783308fc0b6e2bd8dfb209c",
      "name": "TTC-CERT_blocklist_recommended",
      "description": "",
      "modified": "2026-02-14T00:03:07.406000",
      "created": "2025-01-12T03:01:35.075000",
      "tags": [],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 606,
        "URL": 4,
        "domain": 25122,
        "hostname": 25306
      },
      "indicator_count": 51038,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 185,
      "modified_text": "107 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ebb383c09e67bf08f536e4",
      "name": "A Deep Dive into Water Gamayun\u2019s Arsenal and Infrastructure",
      "description": "Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.",
      "modified": "2025-05-01T09:02:21.300000",
      "created": "2025-04-01T09:36:03.598000",
      "tags": [
        "sha256",
        "detection",
        "filename",
        "dive",
        "water gamayun",
        "arsenal",
        "infrastructure",
        "files",
        "backdoor",
        "msc eviltwin",
        "silentprism",
        "darkwisp",
        "encrypthub",
        "a",
        "c",
        "trojanspy"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SilentPrism",
          "display_name": "SilentPrism",
          "target": null
        },
        {
          "id": "DarkWisp",
          "display_name": "DarkWisp",
          "target": null
        },
        {
          "id": "EncryptHub",
          "display_name": "EncryptHub",
          "target": null
        },
        {
          "id": "A",
          "display_name": "A",
          "target": null
        },
        {
          "id": "C",
          "display_name": "C",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 8,
        "FileHash-MD5": 55,
        "FileHash-SHA1": 55,
        "FileHash-SHA256": 105,
        "hostname": 1
      },
      "indicator_count": 224,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "395 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67eb5c27a3c28726af1b3e6f",
      "name": "IOC - A Deep Dive into Water Gamayun\u2019s Arsenal and Infrastructure",
      "description": "",
      "modified": "2025-04-28T10:06:12.559000",
      "created": "2025-04-01T03:23:19.437000",
      "tags": [
        "zero-day",
        "backdoor",
        "c&c",
        "stealc",
        "cve-2025-26633",
        "darkwisp",
        "lolbins",
        "stealer",
        "rhadamanthys",
        "encrypthub stealer",
        "powershell",
        "silentprism",
        "msc eviltwin"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "Water Gamayun",
      "targeted_countries": [
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "EncryptHub Stealer",
          "display_name": "EncryptHub Stealer",
          "target": null
        },
        {
          "id": "SilentPrism",
          "display_name": "SilentPrism",
          "target": null
        },
        {
          "id": "DarkWisp",
          "display_name": "DarkWisp",
          "target": null
        },
        {
          "id": "Stealc",
          "display_name": "Stealc",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Government",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": "67e7cba2606bdb8acfedda1c",
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 8,
        "FileHash-MD5": 62,
        "FileHash-SHA1": 62,
        "FileHash-SHA256": 108,
        "hostname": 1,
        "CVE": 1,
        "URL": 3
      },
      "indicator_count": 245,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "398 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ee1f848149d93d8d8043d7",
      "name": "A Deep Dive into Water Arsenal and Infrastructure",
      "description": "",
      "modified": "2025-04-28T10:06:12.559000",
      "created": "2025-04-03T05:41:24.498000",
      "tags": [
        "zero-day",
        "backdoor",
        "c&c",
        "stealc",
        "cve-2025-26633",
        "darkwisp",
        "lolbins",
        "stealer",
        "rhadamanthys",
        "encrypthub stealer",
        "powershell",
        "silentprism",
        "msc eviltwin"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "Water Gamayun",
      "targeted_countries": [
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "EncryptHub Stealer",
          "display_name": "EncryptHub Stealer",
          "target": null
        },
        {
          "id": "SilentPrism",
          "display_name": "SilentPrism",
          "target": null
        },
        {
          "id": "DarkWisp",
          "display_name": "DarkWisp",
          "target": null
        },
        {
          "id": "Stealc",
          "display_name": "Stealc",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [
        "Government",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": "67e7cba2606bdb8acfedda1c",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 8,
        "FileHash-MD5": 62,
        "FileHash-SHA1": 62,
        "FileHash-SHA256": 108,
        "hostname": 1,
        "CVE": 1,
        "URL": 3
      },
      "indicator_count": 245,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "398 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e52f6dfb82913704567051",
      "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
      "description": "Trend Research identified the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console (mmc.exe) that lets an attacker execute malicious code on the victim system and exfiltrate data from it.",
      "modified": "2025-04-26T10:00:24.389000",
      "created": "2025-03-27T10:58:53.897000",
      "tags": [
        "disease vector",
        "sha256",
        "detection",
        "msc eviltwin",
        "filename",
        "water gamayun",
        "files",
        "related",
        "domain",
        "description",
        "trojanspy"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 52,
        "domain": 4
      },
      "indicator_count": 75,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "400 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e52f6e175c81db27157631",
      "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
      "description": "Trend Research identified the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console (mmc.exe) that lets an attacker execute malicious code on the victim system and exfiltrate data from it.",
      "modified": "2025-04-26T10:00:24.389000",
      "created": "2025-03-27T10:58:54.536000",
      "tags": [
        "disease vector",
        "sha256",
        "detection",
        "msc eviltwin",
        "filename",
        "water gamayun",
        "files",
        "related",
        "domain",
        "description",
        "trojanspy"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 52,
        "domain": 4
      },
      "indicator_count": 75,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "400 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e2c585ecb08a99a52c35ae",
      "name": "CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
      "description": "MSC EvilTwin is the technique Water Gamayun uses to exploit CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console (mmc.exe): a malicious .msc file with the same name as a legitimate console file is placed in a localized (en-US) subdirectory via the MUIPath mechanism, so that mmc.exe loads and executes the malicious copy instead. This gives the attacker code execution on the victim system and a foothold for follow-on payloads such as EncryptHub Stealer, DarkWisp, SilentPrism, Stealc and Rhadamanthys.",
      "modified": "2025-04-24T15:04:04.010000",
      "created": "2025-03-25T15:02:29.286000",
      "tags": [
        "disease vector",
        "sha256",
        "detection",
        "msc eviltwin",
        "filename",
        "water gamayun",
        "files",
        "related",
        "domain",
        "description",
        "trojanspy"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 52,
        "domain": 4
      },
      "indicator_count": 75,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "402 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e36bbcf1edad04004d2f97",
      "name": "IOC&TTP - CVE-2025-26633 How Water Gamayun Weaponizes MUIPath using MSC EvilTwin",
      "description": "\u672c\u6b21\u7814\u7a76\u63ed\u793a\u4e86\u4e00\u4e2a\u7531\u4fc4\u7f57\u65af\u653b\u51fb\u56e2\u4f53 Water Gamayun\uff08\u53c8\u540d EncryptHub\u3001Larva-208 \u7b49\uff09\u6240\u53d1\u52a8\u7684\u9ad8\u7ea7\u653b\u51fb\u6d3b\u52a8\uff0c\u653b\u51fb\u8005\u6ee5\u7528 Microsoft Management Console (MMC) \u6846\u67b6\u4e2d\u7684\u96f6\u65e5\u6f0f\u6d1e\uff08CVE-2025-26633\uff09\uff0c\u5e76\u5229\u7528\u4e86 MUIPath \u673a\u5236\u6765\u52a0\u8f7d\u5e76\u6267\u884c\u540d\u4e3a\u201cMSC EvilTwin\u201d\u7684\u6076\u610f\u4ee3\u7801\u3002\u6b64\u6076\u610f\u624b\u6cd5\u5305\u542b\u4ee5\u4e0b\u5173\u952e\u7279\u70b9\uff1a\n\nMSC EvilTwin \u6280\u672f\uff1a\u901a\u8fc7\u201c\u540c\u540d\u4e14\u4e0d\u540c\u4f4d\u7f6e\u201d\u7684 .msc \u6587\u4ef6\uff0c\u8bf1\u4f7f mmc.exe \u53bb\u52a0\u8f7d\u5e76\u6267\u884c\u4f4d\u4e8e en-US \u76ee\u5f55\u4e0b\u7684\u6076\u610f .msc \u6587\u4ef6\uff0c\u4ece\u800c\u7ed5\u8fc7\u5e38\u89c4\u5b89\u5168\u68c0\u6d4b\u3002\n\n\u5229\u7528 MMC \u7684\u591a\u79cd\u6267\u884c\u624b\u6bb5\uff1a\u653b\u51fb\u8005\u5728\u5305\u542b ActiveX \u63a7\u4ef6\u7684 .msc \u6587\u4ef6\u4e2d\u5d4c\u5165\u7279\u5b9a\u811a\u672c\uff0c\u501f\u6b64\u5728\u53d7\u5bb3\u8005\u673a\u5668\u4e0a\u89e6\u53d1 mmc.exe \u7684\u67d0\u4e9b\u65b9\u6cd5\uff08\u5982 ExecuteShellCommand\uff09\uff0c\u4ece\u800c\u6267\u884c\u4efb\u610f\u547d\u4ee4\u6216\u4e0b\u8f7d\u540e\u7eed Payload\u3002\n\n\u4f2a\u9020\u7cfb\u7edf\u76ee\u5f55\uff1a\u901a\u8fc7\u521b\u5efa\u4f8b\u5982 \u201cC:\\Windows \\System32\u201d \u7b49\u5e26\u7a7a\u683c\u6216\u7279\u6b8a\u5b57\u7b26\u7684\u76ee\u5f55\uff0c\u4f2a\u88c5\u6210\u4e0e\u7cfb\u7edf\u6587\u4ef6\u8def\u5f84\u76f8\u4f3c\u7684\u5408\u6cd5\u8def\u5f84\uff0c\u8fdb\u800c\u5728\u9ad8\u6743\u9650\u5e94\u7528\u52a0\u8f7d\u65f6\u5229\u7528\u9519\u8bef\u7684\u8def\u5f84\u9a8c\u8bc1\u673a\u5236\u3002\n\n\u6076\u610f\u8f7d\u8377\u591a\u6837\u6027\uff1aWater Gamayun 
\u4e0d\u4ec5\u4ec5\u4f9d\u8d56\u6b64\u96f6\u65e5\u6f0f\u6d1e\u6295\u9012\u540e\u7eed\u7ec4\u4ef6\uff0c\u4e5f\u540c\u65f6\u5728\u653b\u51fb\u4e2d\u4f7f\u7528\u5176\u4ed6\u5b9a\u5236\u5316\u6a21\u5757\u53ca\u4fe1\u606f\u7a83\u53d6\u7a0b\u5e8f\uff0c\u5982 EncryptHub stealer\u3001DarkWisp\u3001SilentPrism\u3001Stealc\u3001Rhadamanthys \u7b49\u3002",
      "modified": "2025-04-24T15:04:04.010000",
      "created": "2025-03-26T02:51:40.420000",
      "tags": [
        "disease vector",
        "sha256",
        "msc eviltwin",
        "water gamayun",
        "trojanspy",
        "zero-day",
        "Windows",
        "EncryptHub",
        "CVE-2025-26633",
        "backdoor",
        "github",
        "infostealer"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html"
      ],
      "public": 1,
      "adversary": "Water Gamayun",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DarkWisp",
          "display_name": "DarkWisp",
          "target": null
        },
        {
          "id": "EncryptHub",
          "display_name": "EncryptHub",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        },
        {
          "id": "SilentPrism",
          "display_name": "SilentPrism",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67e31bb008959a0b0a250d43",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 52,
        "domain": 4
      },
      "indicator_count": 75,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "402 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "cryptolabstudio.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "cryptolabstudio.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 6,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://cryptolabstudio.com/payload/repo/hvnc/ngrok.zip",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-07-28",
        "tags": [
          "ngrok",
          "opendir",
          "zip"
        ]
      },
      {
        "url": "http://cryptolabstudio.com/payload/repo/hvnc/ngrok.zip",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-07-28",
        "tags": [
          "ngrok",
          "opendir",
          "zip"
        ]
      },
      {
        "url": "http://cryptolabstudio.com/payload/repo/hvnc/server.zip",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-07-28",
        "tags": [
          "opendir",
          "zip"
        ]
      },
      {
        "url": "https://cryptolabstudio.com/payload/repo/hvnc/server.zip",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-07-28",
        "tags": [
          "opendir",
          "zip"
        ]
      },
      {
        "url": "http://cryptolabstudio.com/payload/repo/repo.rar",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-07-28",
        "tags": [
          "opendir",
          "rar"
        ]
      },
      {
        "url": "https://cryptolabstudio.com/payload/repo/repo.rar",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-07-28",
        "tags": [
          "opendir",
          "rar"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780286229.7443194
}