Analytics Story: Water Gamayun
Description
This analytic story contains detections for techniques used by the Water Gamayun threat actor, which targets the telecommunications and financial sectors. The group combines exploitation of the MSC EvilTwin vulnerability with custom backdoors, an information stealer and detailed reconnaissance of compromised hosts.
Why it matters
Water Gamayun is a threat actor that has been active since at least late 2023. It targets organizations primarily in the telecommunications and financial sectors through a combination of sophisticated techniques and custom malware. Its initial access vectors include signed MSI files, Living Off The Land Binaries and Scripts (LOLBAS), and exploitation of the Microsoft Management Console vulnerability dubbed MSC EvilTwin, which abuses a directory path containing a trailing space so that mmc.exe loads an attacker-supplied .msc console file in place of the legitimate one, bypassing security controls.
The actor's toolkit includes several custom components:
- SilentPrism: A backdoor for command and control
- DarkWisp: A backdoor with TCP communication capabilities
- EncryptHub: An information stealer targeting credentials and system information (the name EncryptHub is also used for the group itself)
The group is notable for its use of Telegram as a command and control channel, its exploitation of the MSC EvilTwin technique (CVE-2025-26633), and detailed reconnaissance of victim systems, including collection of geolocation data.
Defensive recommendations include implementing application control policies, monitoring for unusual PowerShell activity and for MSC file executions with abnormal command-line parameters (for example, a console file opened from a path that contains a trailing space), and restricting administrative tools that attackers could abuse.
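As an added example (not part of this story's detections or of any Splunk content), the following Python script applies the checks described above to constructed Sysmon Event ID 1 records in the XmlWinEventLog shape listed under Data Sources: an mmc.exe launch whose .msc argument sits under a directory name with a trailing space (the MSC EvilTwin pattern), a .msc opened from a user-writable location, and PowerShell started with hidden, bypass or encoded-command switches. The rule names, the two-indicator threshold for PowerShell, and every sample command line are assumptions made for the example.

```python
"""Detection pass over constructed Sysmon Event ID 1 (process creation) records for the
behaviours this story calls out. Every event below is constructed for this example;
none of it is real telemetry, and the rule names are invented for illustration."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Sysmon XML declares a default namespace; without this mapping findall() returns nothing.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# A path component that ends in one or more spaces, e.g. "C:\Windows \System32\WF.msc".
TRAILING_SPACE_DIR = re.compile(r'[^\\"]+ +\\')
# Locations a non-admin user can write to; a console file loaded from here is abnormal.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Users\\Public|Windows\\Temp|ProgramData)\\",
    re.I,
)
# The .msc argument on the command line, quoted or bare.
MSC_ARG = re.compile(r'"([^"]+?\.msc)"|(\S+\.msc)\b', re.I)
# PowerShell switches and download cradles that rarely appear together in legitimate admin use.
PS_INDICATORS = [
    re.compile(r"(^|\s)-(enc|e|ec|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"(^|\s)-(ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b|\biwr\b", re.I),
]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into {field: value} plus its integer EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    return fields


def evaluate(ev: dict) -> list[str]:
    """Return the names of every rule a process-creation event trips (empty list = no alert)."""
    if ev.get("EventID") != 1:
        return []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    if image.endswith("\\mmc.exe"):
        m = MSC_ARG.search(cmd)
        msc_path = (m.group(1) or m.group(2)) if m else ""
        if TRAILING_SPACE_DIR.search(msc_path):
            hits.append("msc_evil_twin_trailing_space_path")
        if USER_WRITABLE.search(msc_path):
            hits.append("msc_from_user_writable_dir")
    elif image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        # Require two independent indicators so a lone -EncodedCommand from a
        # management agent does not page anyone (threshold is an assumption).
        if sum(1 for p in PS_INDICATORS if p.search(cmd)) >= 2:
            hits.append("powershell_hidden_encoded_or_cradle")
    return hits


def scan(events: list[str]) -> list[tuple[str, list[str]]]:
    """Run every event through the rules; return (CommandLine, rule names) for those that alert."""
    alerts = []
    for xml_text in events:
        ev = parse_sysmon_event(xml_text)
        hits = evaluate(ev)
        if hits:
            alerts.append((ev["CommandLine"], hits))
    return alerts


def sysmon_process_create(image: str, command_line: str) -> str:
    """Build a constructed Sysmon Event ID 1 in the XML shape Splunk ingests as XmlWinEventLog."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>'
        "<EventData>"
        f'<Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="CommandLine">{escape(command_line)}</Data>'
        "</EventData></Event>"
    )


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MMC = r"C:\Windows\System32\mmc.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    sysmon_process_create(MMC, r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"'),
    sysmon_process_create(MMC, r'"C:\Windows\system32\mmc.exe" "C:\Windows \System32\WF.msc"'),
    sysmon_process_create(MMC, r'"C:\Windows\system32\mmc.exe" "C:\Users\alice\AppData\Local\Temp\update.msc"'),
    sysmon_process_create(PS, "powershell.exe -NoProfile -Command Get-Service -Name Spooler"),
    sysmon_process_create(PS, "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                              "-EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmd)
```

Only the second, third and fifth sample events alert; the legitimate WF.msc launch and the plain `Get-Service` invocation pass through untouched. The same three rules translate directly to SPL over the Sysmon EventID 1 or Security 4688 sourcetypes in the table below, with the trailing-space test expressed as a regex on the command line.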
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data | | cisco:nvm:flowdata | not_applicable |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 8 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 10 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 15 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4698 | | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4798 | | XmlWinEventLog | XmlWinEventLog:Security |
References
- https://securityintelligence.com/posts/new-threat-actor-water-gamayun-targets-telecom-finance/
- https://www.ncsc.gov.uk/report/weekly-threat-report-12th-april-2024
Source: GitHub | Version: 1