DarkWisp
DarkWisp is a backdoor malware family associated with the Russia-aligned threat actor Water Gamayun, also tracked as EncryptHub and LARVA-208. Reporting from 2025 links DarkWisp to campaigns exploiting CVE-2025-26633, a Microsoft Management Console (MMC) security feature bypass dubbed "MSC EvilTwin." In these operations, attackers delivered malicious .msc or installer files, including through phishing and social-engineering lures, to bypass MMC protections and execute code. DarkWisp was observed alongside SilentPrism in attacks attributed to Water Gamayun/EncryptHub, and reporting also lists it among the malware variants used in these campaigns together with the EncryptHub stealer, Stealc, and Rhadamanthys. High-confidence reporting describes the broader intrusion outcomes as backdoor installation, credential theft, data exfiltration, persistence, lateral movement, and possible ransomware deployment. Targeted sectors named in the reporting include telecom, finance, defense, and manufacturing, with enterprise and government networks also cited as targets of Water Gamayun activity. No DarkWisp-specific indicators of compromise are provided in the cited reporting; the referenced campaigns do, however, involve malicious .msc files, PowerShell-based staging, and exploitation of CVE-2025-26633 to install backdoors such as DarkWisp.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Trend Micro in March 2025, uncovering attacks that deliver two backdoors called SilentPrism and DarkWisp.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Backdoor delivered following exploitation of a Windows zero-day (CVE-2025-26633) via an MSC EvilTwin technique; attributed to Water Gamayun.
DarkWisp is a backdoor malware variant used in campaigns exploiting Microsoft Management Console vulnerabilities.
Named as a possible backdoor/RAT family in Water Gamayun’s arsenal that could be installed by the final loader, though the specific family was not validated in this case.
Backdoor malware deployed after exploitation of CVE-2025-26633, enabling credential theft, lateral movement, and data exfiltration.