Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code

Researchers have uncovered a sophisticated campaign by Russian threat actors exploiting a critical zero-day vulnerability in the Microsoft Management Console (MMC).

The vulnerability, CVE-2025-26633, is a security feature bypass in MMC's handling of console files: once a user opens a crafted .msc file, the attacker's code runs on the targeted system.

Trend Research identified the Russian hacking group Water Gamayun (also known as EncryptHub and Larva-208) as the primary threat actor behind this campaign.

MMC Zero-Day Vulnerability Exploited

The group has weaponized the vulnerability through a technique Trend dubbed “MSC EvilTwin,” using it to deliver a range of malicious payloads, including information stealers and backdoors.

(Figure: EvilTwin Loader main logic)

The recent attack exploits a previously unidentified vulnerability in the Microsoft Management Console (MMC) framework, which serves as a core component for system administration and configuration within Windows systems, as reported by Aliakbar Zahravi of Trend Micro.

By crafting Microsoft Console (.msc) files and abusing the Multilingual User Interface Path (MUIPath) lookup, attackers can get mmc.exe to load a malicious console in place of a legitimate one, so their code runs under the guise of a trusted administrative tool. In the observed attacks the loader drops two .msc files with the same name: a clean one in a working directory and a malicious one in an en-US subdirectory of that directory. When the clean file is opened, MMC's MUI lookup resolves the en-US copy first and executes the malicious console instead.
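
The twin-file lookup is the part of this technique a defender can check for directly. The PowerShell script below is an added example, not code from Trend Micro or from the original article. It assumes the mechanics described above (a clean .msc and a same-named malicious .msc placed in a culture subdirectory, such as en-US, of the same folder) and uses an illustrative list of search roots and a heuristic list of suspicious tokens; both lists are assumptions to be tuned per environment.

```powershell
# Added example (not from Trend Micro's report): hunt for MSC EvilTwin-style .msc pairs.
# Assumption: the malicious twin sits in a MUI culture subfolder (e.g. en-US) next to
# the benign console and carries the same file name. Search roots and the token list
# below are illustrative assumptions, not indicators published on the page.
param(
    [string[]]$Roots = @("$env:USERPROFILE", "$env:ProgramData", "$env:TEMP", "$env:SystemRoot\System32")
)

# Tokens commonly found in consoles that launch external commands; heuristic only.
$SuspiciousTokens = @('ExecuteShellCommand', 'powershell', 'cmd.exe', 'mshta', 'http://', 'https://')

function Get-MscTwinCandidates {
    param([string[]]$SearchRoots)
    $findings = @()
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $mscFiles = Get-ChildItem -LiteralPath $root -Filter *.msc -File -Recurse -ErrorAction SilentlyContinue
        foreach ($msc in $mscFiles) {
            # MUI lookup uses the culture name as a subfolder: check the current UI culture and en-US.
            $cultures = @([System.Globalization.CultureInfo]::CurrentUICulture.Name, 'en-US') | Select-Object -Unique
            foreach ($culture in $cultures) {
                $twin = Join-Path -Path $msc.Directory.FullName -ChildPath (Join-Path $culture $msc.Name)
                if (-not (Test-Path -LiteralPath $twin)) { continue }
                # A same-named console in the culture folder is the EvilTwin pattern; grep it for launch tokens.
                $content = Get-Content -LiteralPath $twin -Raw -ErrorAction SilentlyContinue
                $hits = $SuspiciousTokens | Where-Object { $content -and $content -match [regex]::Escape($_) }
                $findings += [pscustomobject]@{
                    Original   = $msc.FullName
                    Twin       = $twin
                    TwinSize   = (Get-Item -LiteralPath $twin).Length
                    Indicators = (@($hits) -join ',')
                }
            }
        }
    }
    return $findings
}

Get-MscTwinCandidates -SearchRoots $Roots | Format-Table -AutoSize
```

Legitimate consoles very rarely have a same-named twin in a culture folder outside %SystemRoot%\System32, so any hit is worth triaging regardless of whether the token heuristic fires; the Indicators column only helps prioritise.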


Security experts warn that the impact of this vulnerability extends far beyond immediate code execution. Successful exploitation could enable lateral movement within networks, data exfiltration, and even deployment of ransomware.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory, adding CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog and mandating federal agencies to patch affected systems by April 1, 2025.

The severity of the threat is underscored by its inclusion in Microsoft’s March 2025 Patch Tuesday update, which addressed a total of six actively exploited zero-day vulnerabilities.

Chris Goettl, vice president of product management for security products at Ivanti, emphasized the critical nature of this month’s updates, stating, “While the initial appearance of the March Patch Tuesday may seem gentle, this lamb could possess the ferocity of a lion.”

Water Gamayun’s arsenal in this campaign is particularly concerning. Researchers have identified multiple modules associated with the attack, including:

  • EncryptHub stealer
  • DarkWisp backdoor
  • SilentPrism backdoor
  • MSC EvilTwin loader
  • Stealc
  • Rhadamanthys stealer

These tools enable the threat actors to maintain persistence on compromised systems and exfiltrate sensitive data to command-and-control servers.

The vulnerability affects all supported Windows client and server releases, and Microsoft shipped fixes for each. Older systems such as Windows Server 2016 and earlier carry the most risk because they lack newer default protections, but modern Windows installations are not immune until the update is applied.

To mitigate the risk, organizations are strongly advised to:

  1. Apply the March 2025 security update immediately, prioritizing administrator workstations and jump hosts where .msc consoles are routinely opened.
  2. Restrict the remote-management protocols MMC snap-ins rely on (RPC/DCOM, SMB, WinRM) to management networks and enforce network segmentation.
  3. Monitor for anomalous MMC activity: mmc.exe spawning script hosts, mmc.exe loading .msc files from outside %SystemRoot%\System32, and .msc files arriving by email or download.
  4. Audit MMC usage and limit administrative privileges across the network.
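
Step 3 above needs concrete detection logic to be useful. The script below is an added example, not from the original article or from Microsoft. It hunts Security log event 4688 (process creation) for two patterns: mmc.exe spawning a script host or other living-off-the-land binary, and mmc.exe opening an .msc file from outside %SystemRoot%\System32. It assumes process-creation auditing with command-line logging is enabled (without it the CommandLine field is empty); the script-host list and the 24-hour window are assumptions.

```powershell
# Added example (not from the original article): hunt 4688 process-creation events for
# MMC abuse. Assumes "Audit Process Creation" plus "Include command line in process
# creation events" are enabled. The host list and default window are assumptions.

$ScriptHosts = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe',
                 'cscript.exe', 'rundll32.exe', 'regsvr32.exe')
$TrustedMscRoot = "$env:SystemRoot\System32\"

function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Flatten the <EventData><Data Name="..."> elements into a hashtable keyed by Name.
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-MmcAnomalies {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d       = Get-EventDataMap -Event $e
        $newProc = [string]$d['NewProcessName']
        $parent  = [string]$d['ParentProcessName']
        $cmd     = [string]$d['CommandLine']
        $leaf    = [System.IO.Path]::GetFileName($newProc).ToLowerInvariant()

        # Pattern 1: mmc.exe is the parent of a script host or LOLBin.
        if ($parent -match '\\mmc\.exe$' -and $ScriptHosts -contains $leaf) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Pattern = 'mmc-spawns-scripthost'
                User = $d['SubjectUserName']; Process = $newProc; CommandLine = $cmd
            }
        }

        # Pattern 2: mmc.exe itself is launched with an .msc that is not under System32.
        if ($leaf -eq 'mmc.exe' -and $cmd -match '(?i)(?:"([^"]+\.msc)"|(\S+\.msc))') {
            # Quoted paths land in group 1, unquoted paths in group 2.
            $mscPath = @($Matches[1], $Matches[2]) | Where-Object { $_ } | Select-Object -First 1
            if ($mscPath -and -not $mscPath.StartsWith($TrustedMscRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Time = $e.TimeCreated; Pattern = 'msc-outside-system32'
                    User = $d['SubjectUserName']; Process = $newProc; CommandLine = $cmd
                }
            }
        }
    }
}

Find-MmcAnomalies -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Where Sysmon is deployed, the same two patterns map directly onto Sysmon event ID 1 (ParentImage and CommandLine fields); the Security log version above is included because it works on any host with auditing turned on.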

For systems that cannot be patched immediately, disabling remote MMC access and blocking .msc attachments and downloads from untrusted sources are reasonable interim controls, though they may disrupt some IT workflows.

As attackers continue to refine their tactics and target critical system components, maintaining vigilant cybersecurity practices and prompt patching remains paramount for organizations and individuals alike.

With the potential for this vulnerability to be chained with other recently disclosed flaws affecting Windows file systems and kernel components, the urgency to address these security issues cannot be overstated.

As the security community continues to analyze the full scope of the Water Gamayun campaign, users are urged to stay informed and take immediate action to protect their systems from this significant threat.


The post Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code appeared first on Cyber Security News.