A Russian threat actor known as Water Gamayun is exploiting a Windows zero-day vulnerability (CVE-2025-26633) to deploy two sophisticated backdoors—SilentPrism and DarkWisp. The attackers disguise their malware within signed .msi files, impersonating legitimate applications like DingTalk and VooV, to compromise systems undetected.
Key Tactics & Techniques
- Living-off-the-land (LotL): Leveraging trusted system tools (PowerShell, WMI) to evade detection.
- PowerShell Implants: Executing malicious scripts in memory to avoid disk-based detection.
- Fake WinRAR Sites: Distributing trojanized installers via spoofed software download portals.
- Credential & Data Theft: Targeting sensitive information, including crypto wallets.
🔗 Learn more: https://lnkd.in/duU7QEiM
You Should Know: Detecting & Mitigating This Threat
1. Check for CVE-2025-26633 Exploitation
Run the following PowerShell command to list Windows Installer events (logged under the MsiInstaller source in the Application log) whose text names one of the impersonated products:
Get-WinEvent -LogName "Application" | Where-Object { $_.ProviderName -eq "MsiInstaller" -and $_.Message -match "DingTalk|VooV" }
2. Detect SilentPrism & DarkWisp Indicators
Search for these persistence mechanisms (SilentPrism and DarkWisp are the researchers' names for the implants, so matching on those strings only catches artefacts that happen to reuse them; treat the queries as a starting point, not a complete check):
# Check scheduled tasks
Get-ScheduledTask | Where-Object { $_.TaskName -match "SilentPrism|DarkWisp" }
# Look for unusual services
Get-Service | Where-Object { $_.DisplayName -match "Gamayun|Water" }
3. Block Malicious Domains via Firewall
Add these IoCs to your firewall/IDS (the addresses are written defanged with [.]; remove the brackets before use, and note that INPUT rules only drop inbound traffic, so a matching OUTPUT rule is needed to stop outbound beaconing to a C2):
iptables -A INPUT -s 91.234.19[.]123 -j DROP
iptables -A INPUT -s 185.165.29[.]231 -j DROP
4. Disable Suspicious MSI Execution
Restrict MSI installations via Group Policy:
1. Open gpedit.msc
2. Navigate to:
`Computer Configuration → Administrative Templates → Windows Components → Windows Installer`
3. Enable “Disable MSI” for untrusted sources.
5. Memory Analysis with Volatility
If compromised, analyze memory dumps for PowerShell backdoors (the --profile syntax below is Volatility 2; choose the profile that matches the build of the dumped machine):
volatility -f memory.dump --profile=Win10x64_19041 pslist | findstr "powershell"
volatility -f memory.dump --profile=Win10x64_19041 malfind -D dump_output/
6. Enable Enhanced PowerShell Logging
Add these registry settings:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f
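The following hunt script is an added example, not code from the original post or from the researchers: it combines step 1 (MSI installs posing as a trusted product) with the in-memory PowerShell activity that step 6's script block logging makes visible as event 4104. The product list and the regex of in-memory loading patterns are assumptions chosen for illustration; the MsiInstaller source and event ID 4104 are standard Windows values.

```powershell
# Added example (not from the original post). Assumes Script Block Logging is already
# enabled so that event 4104 is being written; run as Administrator to read every event.
param(
    [int]$Days = 7,
    # Product names the campaign is reported to impersonate (assumed list; extend as needed).
    [string]$ProductPattern = 'DingTalk|VooV|WinRAR'
)
$since = (Get-Date).AddDays(-$Days)

# 1. Windows Installer logs to the Application log under the MsiInstaller source.
#    Flag any install/repair event whose text names one of the lookalike products.
$msiHits = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ProductPattern } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = {
        $m = $_.Message -replace '\s+', ' '; $m.Substring(0, [Math]::Min(120, $m.Length)) } })

# 2. Script block log (event 4104). The pattern list is an assumption that targets typical
#    in-memory staging; hits are leads for triage, not verdicts, because some legitimate
#    admin tooling also decodes Base64 or downloads scripts.
$inMemory = 'Invoke-Expression|\bIEX\b|FromBase64String|DownloadString|Reflection\.Assembly|-EncodedCommand'
$psHits = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $inMemory } |
    Select-Object TimeCreated, @{ n = 'Snippet'; e = {
        $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } })

"MSI events naming '$ProductPattern' since $($since.ToShortDateString()): $($msiHits.Count)"
$msiHits | Format-Table -AutoSize -Wrap
"Script blocks with in-memory loading patterns: $($psHits.Count)"
$psHits | Format-Table -AutoSize -Wrap
```

Run it on a host before and after enabling the registry settings above to confirm that 4104 events actually start appearing; an empty second table on a box with active PowerShell use usually means logging is not yet in effect.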
7. Hunt for LOLBAS (Living-off-the-land Binaries)
Use LOLBAS Project to detect abuse of legitimate tools:
🔗 https://lolbas-project.github.io/
What Undercode Say
Water Gamayun’s attack chain highlights the dangers of signed malware and zero-day exploits. Organizations must:
– Patch CVE-2025-26633 immediately (if a patch exists).
– Enforce application whitelisting (AppLocker/Windows Defender Application Control).
– Monitor PowerShell & WMI activity via SIEM/Sysmon.
– Inspect MSI files with tools like Orca MSI Editor.
– Assume breach—conduct memory forensics if anomalies are detected.
Expected Output:
- Detection of malicious .msi files.
- Blocked connections to attacker C2 servers.
- Logged PowerShell script executions.
- Identified persistence mechanisms (scheduled tasks/services).
🔗 Reference: https://lnkd.in/duU7QEiM
References:
Reported By: Thehackernews A – Hackers Feeds