New CTI Labs: Water Gamayun: (CVE-2025-26633) Campaign Analysis
Today, we’ve released a brand-new lab focusing on the latest campaign conducted by Water Gamayun and the group’s use of a zero-day vulnerability.
Water Gamayun, also known as EncryptHub and Larva-208, is a threat actor (suspected to be of Russian origin) that has been observed exploiting a zero-day vulnerability in the Microsoft Management Console (MMC). The exploitation technique has been dubbed MSC EvilTwin; the underlying MMC security feature bypass was assigned CVE-2025-26633 and was patched by Microsoft in its March 2025 security update, so confirming that patch is deployed is the first check for defenders.
This lab takes you through the campaign, explaining how the vulnerability works to allow the attacker to silently execute malicious code, and what actions on objective the threat actor performs.
Why should our customers care?
EncryptHub has been reported to have breached over 618 organizations, deploying StealC, SilentPrism, and ransomware to maintain persistence, steal data, and cause severe operational disruption; our customers should therefore be mindful of this threat actor and its tactics. The group’s use of a zero-day vulnerability shows how standard Windows components can be abused to silently deliver and execute malware inside a victim’s environment, giving the attackers the foothold they need to fulfil their operational objectives.
Who is it for?
- Incident responders
- SOC analysts
- CTI Analysts
- Threat Hunters
Here is the link to the campaign analysis lab: https://immersivelabs.online/labs/water-gamayun-campaign-analysis