
Microsoft Management Console - Snap-ins listed in the management console
Trend Micro has uncovered a new campaign orchestrated by the threat group Water Gamayun, in which adversaries exploited a vulnerability within the Microsoft Management Console (MMC) to execute malicious code via specially crafted .msc
files.
The technique, dubbed MSC EvilTwin, represents a sophisticated form of Trojan deployment that leverages native Windows functionality. The attack exploits a flaw tracked as CVE-2025-26633 (CVSS score: 7.0), which was addressed in Microsoft’s March Patch Tuesday update.
At the heart of the attack lies a substitution of a legitimate Windows console file with a malicious counterpart within the en-US
language directory. Due to the behavior of the MUIPath component, the spoofed file is invoked instead of the original, allowing a malicious PowerShell script to be executed invisibly to the user.
A particularly insidious aspect of the attack is the .msc
file’s capability to embed scriptable elements and load malicious HTML content. Leveraging embedded ActiveX components and the Internet Explorer rendering engine, attackers invoke the ExecuteShellCommand
method to run commands under the context of a trusted Windows application. Simply launching the tampered console file is sufficient to trigger the malicious payload.
Further obfuscation is achieved through the creation of “fake” system directories. By inserting trailing spaces or special characters, attackers craft folders that visually mimic trusted paths—such as C:\Windows \System32
. These directories house malicious versions of system binaries, effectively bypassing basic validation checks and facilitating privileged code execution.
The MSC EvilTwin loader, developed in PowerShell, employs all of the aforementioned techniques. It is distributed via .msi
installers disguised as legitimate Chinese software, such as DingTalk. Upon installation, the loader downloads encrypted payloads from a remote server, extracts both a legitimate and a modified .msc
file, and places them within the decoy directories.
When the innocuous .msc
file is launched, the MUIPath mechanism redirects execution to the malicious version, which in turn loads external HTML content hosted by the attackers. This content contains scripts that invoke ExecuteShellCommand
to run a subsequent PowerShell routine—typically a loader for the Rhadamanthys infostealer.
Although the technique was first observed in April 2024, it has only recently been fully documented and formally recognized as a security vulnerability. In addition to the EvilTwin loader, Water Gamayun’s arsenal includes spyware like EncryptHub, backdoors such as DarkWisp and SilentPrism, and a range of infostealers including Stealc and Rhadamanthys. The vulnerability was remediated by Microsoft and the Zero Day Initiative with a patch released on March 11.