Security Research

Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack

SURAJ MUNDALIK
November 25, 2025 - 7 min read

This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability, ultimately delivering hidden PowerShell payloads and final malware loaders.
 

Key Takeaways

  • A compromised legitimate site and a lookalike domain were used in tandem to deliver a double-extension RAR payload disguised as a PDF, abusing user trust.
  • The initial payload exploited MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe, leveraging TaskPad snap-in commands to kick off a series of hidden PowerShell stages.
  • A compromised website, layered obfuscation, password-protected archives, and process-hiding via a small .NET class kept user detection to a minimum while a decoy document was used to preserve the user's perception of a normal interaction.
  • Zscaler Threat Hunting attributed the campaign with high confidence to Water Gamayun based on TTPs consistent with public reporting, including their unique exploitation of MSC EvilTwin, signature obfuscation patterns, dual-path infrastructure design, window-hiding tradecraft, and specific social engineering themes.
     

Technical Analysis

Water Gamayun is a Russia-aligned APT group known for targeting enterprise and government networks with stealthy information-stealing campaigns. Their objectives typically include exfiltration of sensitive data, credential harvesting, and long-term persistence through backdoors and custom RATs. Over the past year, Water Gamayun has refined a portfolio of techniques that blend zero-day exploitation, trusted-binary proxy execution, and layered PowerShell obfuscation to evade modern security stacks.

Zscaler Threat Hunting recently detected a campaign using suspicious double file extension RAR file downloads. We traced this event back to a compromised BELAY Solutions web page that redirected victims to a newly registered lookalike domain. That domain served a RAR archive masquerading as a PDF brochure, triggering the attack foothold.
 

Phase 1: Search and Redirect

A normal Bing search for “belay” leads to belaysolutions[.]com. The website appears to have been injected with JavaScript that performs a silent redirect to belaysolutions[.]link, which hosts the double-extension archive.

  • Bing Search URL: www[.]bing[.]com/search?q=belay&[TRUNCATED]
     
  • Masqueraded RAR URL: belaysolutions[.]link/pdf/hiring_assistant[.]pdf[.]rar
     

Phase 2: MSC EvilTwin Exploitation

Opening Hiring_assistant.pdf.rar drops an .msc file. When run, mmc.exe resolves MUI paths that load the malicious snap-in instead of the legitimate one, triggering embedded TaskPad commands with an encoded PowerShell payload.

Figure 1. MSC Payload Disguised as PDF

 

Phase 3: Stage-1 PowerShell

Decoded from the -EncodedCommand argument, this script downloads UnRAR[.]exe and a password-protected RAR, extracts the next stage, waits briefly, then runs Invoke-Expression on the extracted script.

Figure 2. Taskpad Snap-in Commandline - Base64-Encoded PowerShell


Phase 4: Stage-2 PowerShell

This second script compiles a small C# class, WinHpXN, to hide console windows, displays a decoy PDF, and downloads, extracts, and executes the final loader ItunesC.exe multiple times for persistence.

Figure 3. Base64-Encoded PowerShell

 

Phase 5: Final Payload Execution

ItunesC[.]exe installs backdoors or stealers. We were unable to confirm the precise malware family in this specific instance because the Command and Control (C2) infrastructure was non-responsive. However, Water Gamayun’s arsenal includes EncryptHub, SilentPrism, DarkWisp, and Rhadamanthys, so it is highly likely that one of these malware families was installed.

Figure 4. Final Decoded PowerShell

 

Who is Water Gamayun and What Drives Them?

Water Gamayun has emerged in public reporting throughout 2025 as a sophisticated, likely Russian threat actor specializing in supply-chain and zero-day–driven intrusion campaigns. Their primary motives appear to be:

  • Strategic intelligence gathering against organizations of high commercial or geopolitical value
  • Credential theft to facilitate further compromise or lateral movement
  • Long-term persistence via custom backdoors such as SilentPrism and DarkWisp, and information-stealers like EncryptHub and Rhadamanthys

Their operations often feature:

  • Exploitation of novel vulnerabilities, including CVE-2025-26633 for MSC EvilTwin
  • Trusted-binary proxy execution, running hidden scripts through mmc.exe or other legitimate Windows binaries
  • Complex obfuscation chains, employing nested Base64, UTF-16LE encoding, and runtime string cleanup
  • High OPSEC standards, using strong archive passwords, randomized C2 paths, and decoy documents
     
     

How Zscaler Threat Hunting Attributed This Campaign

Zscaler Threat Hunting attribution is grounded in multiple converging lines of evidence:

  1. Exploitation of MSC EvilTwin
    The first payload exploited CVE-2025-26633, a weakness in MMC’s multilingual path resolution. This exploit vector is rare in the wild and consistently tied to Water Gamayun’s malware delivery campaigns.
     
  2. Signature PowerShell Obfuscation
    The nested Base64 UTF-16LE with underscore-replace obfuscation, followed by Invoke-Expression, is a hallmark seen in publicly documented Water Gamayun scripts. We matched the exact string manipulation patterns documented in prior analyses.
     
  3. Process-Hiding via Win32 API
    Compiling a minimal .NET class called WinHpXN to call `ShowWindow` and hide console windows aligns directly with previous Water Gamayun tradecraft notes. Zscaler Threat Hunting located identical code snippets in open-source reporting on the group’s 2025 campaigns.
     
  4. Infrastructure Patterns
    All payloads and tools were hosted on a single IP (103[.]246[.]147[.]17) with two randomized path prefixes (`/cAKk9xnTB/` and `/yyC15x4zbjbTd/`), matching the group’s dual-path C2 architecture observed in past campaigns.
     
  5. Social Engineering Theme
    The “Hiring_assistant.pdf” lure and follow-on “iTunesC” branding match Water Gamayun’s history of employment- and consumer-themed decoys.
     
  6. Password Complexity
    The 21-character alphanumeric archive passwords k5vtzxdeDzicRCT and jkN5yyC15x4zbjbTdUS3y meet the OPSEC profile Water Gamayun is known to apply to evade sandbox automation.

By correlating these technical markers with our telemetry, Zscaler Threat Hunting concluded with high confidence that Water Gamayun orchestrated this MSC EvilTwin–driven campaign.

 

Zscaler Threat Hunting Coverage

Zscaler Threat Hunting stands at the forefront of proactive threat detection by combining global scale telemetry, advanced analytics, and the expertise of seasoned threat hunters. At the heart of this capability is Zscaler’s Zero Trust Exchange, which brokers every user connection to apps and data, providing unmatched visibility into real-time web traffic, SSL flows, and cloud activity. With over 500 billion transactions analyzed daily, Zscaler Threat Hunting harnesses this cloud-scale data to spot subtle behaviors and anomalies that would otherwise go undetected in siloed environments.

Detection does not start with an alert; it starts with a hypothesis. Zscaler Threat Hunting analysts actively hunt for emerging tactics, techniques, and procedures (TTPs) of adversaries like Water Gamayun, guided by threat intelligence, observed tradecraft, and enriched anomaly detection. Analysts look for clues such as downloads with masqueraded file extensions, network connections to uncategorized or newly registered domains, and the use of trusted binaries for proxy execution.

Zscaler Threat Hunting and Zscaler ThreatLabz work in close partnership to turn threat hunting findings into scalable protection. When the hunting team uncovers a new threat campaign, ThreatLabz provides continuous analysis to operationalize that intelligence into durable, platform-wide security controls where applicable. The indicators discussed in this blog are now part of the platform’s detection logic to safeguard customers. 

 

Detection Recommendations

Initial Access & File Delivery

  • Monitor for rapid archive extraction from user Temp directories followed by immediate process spawning, especially when the parent process is mmc.exe or other administrative tools.
  • Implement SSL inspection policies to flag lookalike domains against brand reputation databases and identify suspicious redirects from legitimate sites before file download occurs.
  • Flag double-extension files (.pdf.rar, .txt.exe) as high-risk and trigger sandbox detonation on delivery.
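The three recommendations above can be expressed as triage rules over process-creation events. The following is an added example written for this page, not Zscaler's own detection content: it flags double-extension lures (while allowing legitimate compound extensions such as .tar.gz), an .msc opened from a Temp directory, mmc.exe spawning an encoded PowerShell child, and executables running from Temp. The event dictionaries, file names such as lure.msc, and the user path are constructed for the demonstration.

```python
"""Triage rules for the initial-access stage described in the blog, applied to
constructed process-creation events. Added example, not Zscaler's tooling."""
import os
import re

# Extensions a user expects to open as a document (the disguise).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Extensions that actually unpack or execute something (the real type).
PAYLOAD_EXTS = {".rar", ".zip", ".7z", ".exe", ".msc", ".lnk", ".js", ".vbs", ".scr"}
# Legitimate compound extensions that must never be flagged.
ALLOWED_COMPOUND = (".tar.gz", ".tar.bz2", ".tar.xz")

TEMP_DIR = re.compile(r"[\\/](?:temp|tmp)[\\/]", re.I)
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)
MSC_ARG = re.compile(r"\.msc\b", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_double_extension(filename):
    """True when a document extension is immediately followed by a payload
    extension (hiring_assistant.pdf.rar); archive.tar.gz is allowed."""
    name = basename(filename)
    if name.endswith(ALLOWED_COMPOUND):
        return False
    root, last = os.path.splitext(name)
    _, penultimate = os.path.splitext(root)
    return last in PAYLOAD_EXTS and penultimate in DOCUMENT_EXTS


def command_tokens(cmd):
    """Split a command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def triage_event(ev):
    """Return the names of the rules an event trips (empty list = nothing seen)."""
    hits = []
    parent, image = basename(ev["parent_image"]), basename(ev["image"])
    cmd = ev["command_line"]
    if parent == "mmc.exe" and image in SHELLS:
        hits.append("admin_tool_spawned_shell")
        if ENC_FLAG.search(cmd):
            hits.append("encoded_powershell_child_of_mmc")
    if image == "mmc.exe" and MSC_ARG.search(cmd) and TEMP_DIR.search(cmd):
        hits.append("msc_opened_from_temp")
    if TEMP_DIR.search(ev["image"]):
        hits.append("executable_running_from_temp")
    if any(is_double_extension(tok) for tok in command_tokens(cmd)):
        hits.append("double_extension_argument")
    return hits


# Constructed events mirroring the chain in the blog (paths and lure.msc are invented).
TEMP = "C:\\Users\\u\\AppData\\Local\\Temp"
EVENTS = [
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "command_line": '"C:\\Program Files\\WinRAR\\WinRAR.exe" "C:\\Users\\u\\Downloads\\hiring_assistant.pdf.rar"'},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\mmc.exe",
     "command_line": '"C:\\Windows\\System32\\mmc.exe" "' + TEMP + '\\lure.msc"'},
    {"parent_image": "C:\\Windows\\System32\\mmc.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -EncodedCommand UwB0AGEAZwBlAA=="},
    {"parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": TEMP + "\\UnRAR.exe",
     "command_line": '"' + TEMP + '\\UnRAR.exe" x "' + TEMP + '\\as_it_1_fsdfcx.rar"'},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\u\\Documents\\notes.txt"},
]


def triage(events):
    """Run every rule over every event; returns [(index, hits), ...]."""
    return [(i, triage_event(ev)) for i, ev in enumerate(events)]


if __name__ == "__main__":
    for i, hits in triage(EVENTS):
        print(i, hits or "-")
```

Each rule is deliberately narrow so that a single hit is a triage lead rather than a verdict; the chain in this campaign trips four different rules across consecutive events from the same user session, which is the signal worth correlating on.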

Encoded PowerShell & Scripting

  • Detect -EncodedCommand flag usage combined with UTF-16LE Base64 encoding patterns that are uncommon in legitimate workflows.
  • Alert on characteristic underscore-based obfuscation patterns using .Replace('_','') before decoding, a classic Water Gamayun signature.
  • Monitor for Invoke-Expression (iex) execution immediately following Base64 decode operations.
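The three indicators above, together with the Stage-1 and Stage-2 descriptions and attribution point 2, all concern the same decode chain. The following added example (written for this page, not Zscaler's own code) decodes an -EncodedCommand argument, peels nested Base64/UTF-16LE layers after stripping underscore padding, and reports which of the blog's markers appear in any layer. The sample command lines are constructed from benign scripts that only echo text; the marker names and the verdict thresholds are this example's own choices.

```python
"""Decode -EncodedCommand payloads, peel nested Base64/UTF-16LE layers with
underscore padding, and report obfuscation markers. Added example, not
Zscaler's tooling; samples below are constructed and benign."""
import base64
import re

ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=_]+)", re.I)
# A candidate Base64 blob; underscores are allowed because the actor pads with them.
B64_BLOB = re.compile(r"[A-Za-z0-9+/=_]{40,}")
# Markers taken from the detection recommendations in the blog.
MARKERS = {
    "replace_underscore": re.compile(r"\.Replace\(\s*'_'\s*,\s*''\s*\)", re.I),
    "from_base64": re.compile(r"FromBase64String", re.I),
    "utf16_decode": re.compile(r"\[(?:System\.)?Text\.Encoding\]::Unicode\.GetString", re.I),
    "invoke_expression": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
}


def decode_utf16_b64(blob):
    """Strip underscore padding, Base64-decode, and read the bytes as UTF-16LE.
    Returns None unless the result looks like printable script text."""
    try:
        raw = base64.b64decode(blob.replace("_", ""), validate=True)
        text = raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def peel_layers(script, max_depth=5):
    """Return decoded layers outermost first, following embedded blobs."""
    layers = [script]
    for _ in range(max_depth):
        inner = next((d for d in map(decode_utf16_b64, B64_BLOB.findall(layers[-1])) if d), None)
        if inner is None:
            break
        layers.append(inner)
    return layers


def analyze_command_line(cmdline):
    """Decode and score one process command line."""
    result = {"encoded": False, "layers": [], "markers": [], "verdict": "none"}
    m = ENC_FLAG.search(cmdline)
    outer = decode_utf16_b64(m.group(1)) if m else None
    if outer is None:
        return result
    result["encoded"] = True
    result["layers"] = peel_layers(outer)
    result["markers"] = sorted(
        name for name, rx in MARKERS.items()
        if any(rx.search(layer) for layer in result["layers"]))
    nested = len(result["layers"]) > 1
    if "invoke_expression" in result["markers"] and (
            "replace_underscore" in result["markers"] or nested):
        result["verdict"] = "high"      # decode-then-execute with the actor's padding or nesting
    elif result["markers"]:
        result["verdict"] = "medium"    # some decode machinery, no execution seen
    else:
        result["verdict"] = "low"       # encoded, but nothing beyond that
    return result


def encode_ps(script, underscore_pad=False):
    """Build a -EncodedCommand value (UTF-16LE, then Base64). With underscore_pad,
    insert an underscore every 8 characters to mimic the padding the actor strips."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    if underscore_pad:
        b64 = "_".join(b64[i:i + 8] for i in range(0, len(b64), 8))
    return b64


# Constructed samples: a two-layer benign script shaped like the blog's chain,
# an ordinary encoded command, and a plain script invocation.
INNER_SCRIPT = "Write-Output 'stage2 placeholder (constructed, benign)'"
OUTER_SCRIPT = (
    "$s='" + encode_ps(INNER_SCRIPT, underscore_pad=True) + "';"
    "$d=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($s.Replace('_','')));"
    "Invoke-Expression $d"
)
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -EncodedCommand " + encode_ps(OUTER_SCRIPT),
    "powershell.exe -EncodedCommand " + encode_ps("Get-Process | Sort-Object CPU"),
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = analyze_command_line(line)
        print(r["verdict"], r["markers"], "layers=%d" % len(r["layers"]))
```

Decoding rather than pattern-matching the raw Base64 matters here: the underscore padding changes the encoded string on every sample, so a signature on the blob itself would miss, while the decoded layers expose the stable `.Replace('_','')` and Invoke-Expression markers.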

Network & Infrastructure Indicators

  • Monitor connections from Temp-based processes to external IPs, especially when downloading executable tools and password-protected archives.
  • Identify network beacons to single IPs with randomized path prefixes (e.g., /cAKk9xnTB/ and /yyC15x4zbjbTd/).
  • Block or flag outbound connections to IP 103[.]246[.]147[.]17 and similar Water Gamayun infrastructure.

Post-Exploitation Indicators

  • Alert on ItunesC.exe or similar iTunes-branded executables launched multiple times in succession from Temp.
  • Monitor for beacon callbacks to known Water Gamayun C2 infrastructure or similar patterns from unusual processes.

 

Indicators of Compromise (IOCs)

Type               Indicator
Files & Hashes     Hiring_assistant.pdf.rar — MD5: ba25573c5629cbc81c717e2810ea5afc
                   UnRAR.exe — MD5: f3d83363ea68c707021bde0870121177
                   as_it_1_fsdfcx.rar — MD5: 97e4a6cbe8bda4c08c868f7bcf801373
                   as_it_1_fsdfcx.txt — MD5: caaaef4cf9cf8e9312da1a2a090f8a2c
                   doc.pdf — MD5: f645558e8e7d5e4f728020af6985dd3f
                   ItunesC.rar — MD5: e4b6c675f33796b6cf4d930d7ad31f95
Archive Passwords  k5vtzxdeDzicRCT
                   jkN5yyC15x4zbjbTdUS3y
Network & Paths    IP: 103.246.147.17
                   Paths: /cAKk9xnTB/UnRAR.exe, /cAKk9xnTB/as_it_1_fsdfcx.rar, /cAKk9xnTB/doc.pdf, /yyC15x4zbjbTd/ItunesC.rar
Domains            belaysolutions[.]com (legitimate, potentially compromised)
                   belaysolutions[.]link (malicious)

 

Conclusion

This campaign underscores Water Gamayun’s evolving sophistication, melding brand trust, zero-day exploitation, and advanced obfuscation to bypass traditional defenses. Zscaler Threat Hunting’s forensic reconstruction and threat intelligence correlate rare exploitation of MSC EvilTwin, signature PowerShell obfuscation, window-hiding code, and dual-path infrastructure to definitively attribute the attack.
