Analytics Story: Water Gamayun

Description

This analytic story contains detections for techniques used by the Water Gamayun threat actor, which targets telecommunications and financial sectors. The group employs various techniques including MSC EvilTwin exploitation, custom backdoors, information stealers, and sophisticated reconnaissance methods.

Why it matters

Water Gamayun is a threat actor that has been active since at least late 2023. They target organizations primarily in the telecommunications and financial sectors through a combination of sophisticated techniques and custom malware. Their initial access vectors include signed MSI files, Living Off The Land Binaries and Scripts (LOLBAS), and exploitation of an MSC vulnerability (dubbed "EvilTwin") that manipulates directory paths containing spaces to bypass security controls.

The actor's toolkit includes several custom components:

  • SilentPrism: A backdoor for command and control
  • DarkWisp: A backdoor with TCP communication capabilities
  • EncryptHub: An information stealer targeting credentials and system information

The group is notable for their use of Telegram as a command and control channel, the exploitation of the MSC EvilTwin technique (CVE-2025-26633), and detailed reconnaissance of victim systems including geolocation data collection.

Defensive recommendations include implementing application control policies, monitoring for unusual PowerShell activities and MSC file executions with abnormal command-line parameters, and securing administrative tools that could be abused by attackers.
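The following is an added example, not part of the Splunk analytic story, showing how the MSC recommendation above can be turned into detection logic over process-creation events: it flags mmc.exe launches whose .msc argument has a directory component with a trailing space before the next backslash (the path form public write-ups of the EvilTwin technique describe; the story itself only says "paths with spaces"), .msc files loaded from outside System32, and mmc.exe spawned by msiexec.exe. The event layout and all sample values are constructed.

```python
import re

# Constructed Sysmon EventID 1 style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Constructed EvilTwin-style path: "Windows " carries a trailing space.
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows \System32\WmiMgmt.msc"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\invoice.msc"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Quoted or bare command-line argument ending in .msc
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)
# Whitespace immediately before a path separator, i.e. a directory name with a trailing space
TRAILING_SPACE_DIR = re.compile(r"\s\\")
# The expected location of legitimate snap-in files
SYSTEM32_MSC = re.compile(r"^[A-Z]:\\Windows\\System32\\[^\\]+\.msc$", re.IGNORECASE)


def msc_arguments(cmdline):
    """Return every .msc path passed on the command line."""
    return [quoted or bare for quoted, bare in MSC_ARG.findall(cmdline)]


def classify_msc_launch(event):
    """Return detection labels for one mmc.exe launch (empty list = nothing suspicious)."""
    if not event["Image"].lower().endswith("\\mmc.exe"):
        return []
    findings = []
    for msc in msc_arguments(event["CommandLine"]):
        if TRAILING_SPACE_DIR.search(msc):
            findings.append("msc_evil_twin_path")       # high: path manipulation
        elif not SYSTEM32_MSC.match(msc):
            findings.append("msc_outside_system32")     # medium: user-writable location
    if event["ParentImage"].lower().endswith("\\msiexec.exe"):
        findings.append("mmc_spawned_by_msiexec")       # MSI-delivered initial access
    return findings


def scan(events):
    """Pair each suspicious command line with its detection labels."""
    hits = []
    for event in events:
        labels = classify_msc_launch(event)
        if labels:
            hits.append((event["CommandLine"], labels))
    return hits
```

Run against real telemetry, `scan()` should be fed the Image, CommandLine and ParentImage fields of Sysmon EventID 1 or Security 4688 records; a trailing-space hit is worth treating as an incident rather than an anomaly.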

Detections

Name | Technique | Type
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Anomaly
Enumerate Users Local Group Using Telegram | Account Discovery | TTP
Powershell Creating Thread Mutex | Indicator Removal from Tools, PowerShell | TTP
Windows Screen Capture Via Powershell | Screen Capture | TTP
Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly
Windows MSIExec Spawn Discovery Command | Msiexec | Anomaly
Suspicious Copy on System32 | Rename Legitimate Utilities | Anomaly
Windows MSC EvilTwin Directory Path Manipulation | Match Legitimate Resource Name or Location, Exploitation for Client Execution, System Binary Proxy Execution | TTP
Windows Exfiltration Over C2 Via Invoke RestMethod | Exfiltration Over C2 Channel | TTP
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr | Scheduled Task/Job | TTP
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Windows MsiExec HideWindow Rundll32 Execution | Msiexec | TTP
Mmc LOLBAS Execution Process Spawn | Distributed Component Object Model, MMC | TTP
GetWmiObject User Account with PowerShell | Local Account | Hunting
Windows PowerShell Export PfxCertificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
LOLBAS With Network Traffic | Ingress Tool Transfer, System Binary Proxy Execution, Exfiltration Over Web Service | TTP
Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly
Suspicious Process Executed From Container File | Masquerade File Type, Malicious File | TTP
Windows Masquerading Explorer As Child Process | DLL | TTP
Windows WMI Impersonate Token | Windows Management Instrumentation | Anomaly
Potential Telegram API Request Via CommandLine | Exfiltration Over C2 Channel, Bidirectional Communication | Anomaly
Windows MSIExec Remote Download | Msiexec | Anomaly
Windows LOLBAS Executed As Renamed File | Rename Legitimate Utilities, Rundll32 | TTP
Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly
Windows MSIExec DLLRegisterServer | Msiexec | TTP
Windows Process Injection Remote Thread | Portable Executable Injection | TTP
Download Files Using Telegram | Ingress Tool Transfer | TTP
Windows PowerShell Invoke-RestMethod IP Information Collection | System Network Configuration Discovery, PowerShell, System Information Discovery | Anomaly
Windows Known GraphicalProton Loaded Modules | DLL | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4798 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 2