
























Water Gamayun is a Russia-aligned APT group known for targeting enterprise and government networks with stealthy information-stealing campaigns. Their objectives typically include exfiltration of sensitive data, credential harvesting, and long-term persistence through backdoors and custom RATs. Over the past year, Water Gamayun has refined a portfolio of techniques that blend zero-day exploitation, trusted-binary proxy execution, and layered PowerShell obfuscation to evade modern security stacks.
Zscaler Threat Hunting recently detected a campaign using suspicious double file extension RAR file downloads. We traced this event back to a compromised BELAY Solutions web page that redirected victims to a newly registered lookalike domain. That domain served a RAR archive masquerading as a PDF brochure, triggering the attack foothold.
Phase 1: Search and Redirect
A normal Bing search for “belay” leads to belaysolutions[.]com. The website is potentially injected with JavaScript that performs a silent redirect to belaysolutions[.]link, which hosts the double-extension archive.
Phase 2: MSC EvilTwin Exploitation
Opening Hiring_assistant.pdf.rar drops an .msc file. When run, mmc.exe resolves MUI paths that load the malicious snap-in instead of the legitimate one, triggering embedded TaskPad commands with an encoded PowerShell payload.

Phase 3: Stage-1 PowerShell
Decoded via -EncodedCommand, this script downloads UnRAR[.]exe and a password-protected RAR, extracts the next stage, waits briefly, then Invoke-Expression on the extracted script.

Phase 4: Stage-2PowerShell
This second script compiles C# WinHpXN to hide console windows, displays a decoy PDF, and downloads, extracts, and executes the final loader ItunesC.exe multiple times for persistence.

Phase 5: Final Payload Execution
ItunesC[.]exe installs backdoors or stealers. We were unable to confirm the precise malware family in this specific instance because the Command and Control (C2) infrastructure was non-responsive.. However, Water Gamayun’s arsenal includes EncryptHub, SilentPrism, DarkWisp, and Rhadamanthys, so it is highly likely that any of these malware could have been installed.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。