Indicators of compromise - CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

=========================== Files ===========================

============================ MSI =========================

============================ MSC EvilTwin loader ============================

=========================== Related modules ===========================

=========================== C&C servers ===========================