Cyber Countdown Day 21: Water Gamayun Campaign Analysis

SamDickison
Community Manager
29 days ago

Welcome to Day 21 of the Community Cyber Countdown!

Every day in December, we’re taking a look back at some of our favorite content of 2025. Today, BenMcCarthy, Lead Cyber Security Engineer, shares his analysis of how Russian threat actor Water Gamayun exploited a zero-day vulnerability in the Microsoft Management Console (MMC).

Water Gamayun: (CVE-2025-26633) Campaign Analysis

On March 25, 2025, Trend Micro's research team identified a campaign conducted by the Russian threat actor Water Gamayun. It exploited CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console (MMC) that allows attackers to execute malicious code, deploy stealer malware, and exfiltrate data. 

In this lab, you'll learn about this vulnerability and how it facilitates a wider data theft campaign.

Why this lab? 

I always find it interesting when zero-days are discovered as part of a malware campaign. The threat actor Water Gamayun exploited a previously unknown vulnerability to increase the campaign’s impact. 

Threat actors are always trying to find new file formats that detection tools don’t look for, and this is a great example of a campaign that does exactly that.

Start the Water Gamayun: (CVE-2025-26633) Campaign Analysis lab now, where you’ll adopt the role of a security analyst and identify indicators of compromise. Good luck!

Updated 7 days ago
Version 3.0