MSC EvilTwin Exploit File Dropped

Rule Info

Name
MSC EvilTwin Exploit File Dropped
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of .msc files in suspicious directories such as 'C:\Windows \System32' (note the space after 'Windows'), which could indicate an EvilTwin exploit (CVE-2025-26633) attempt. In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute a malicious .msc payload.
Date
2025-03-27 00:00:00
Modified
None
Id
f73cf795-33c2-4cd8-aa8a-cb1908ffce9f
Tags
attack.execution attack.t1204.002 cve.2025-26633
Type
Nextron Sigma feed only (private)

Rule History