SilentPrism
SilentPrism is a backdoor malware family associated with the Russia-aligned threat actor Water Gamayun, also tracked as EncryptHub and LARVA-208. Reporting from 2025 links SilentPrism to active exploitation of CVE-2025-26633, a Microsoft Management Console security feature bypass dubbed "MSC EvilTwin." In these campaigns, attackers delivered malicious .msc or installer files via phishing and social-engineering lures, including fake IT support interactions, Microsoft Teams contact, and videoconferencing-themed delivery chains. Successful exploitation bypassed MMC protections and enabled arbitrary code execution, after which SilentPrism and other payloads such as DarkWisp were installed.
High-confidence reporting describes the broader intrusion chain as using paired benign and malicious MSC files, PowerShell downloaders, staged archives, and final loaders to establish persistence and deploy backdoors or stealers. SilentPrism has been explicitly identified as one of the backdoors observed in these attacks, and it is also listed among Water Gamayun’s known tooling alongside DarkWisp, EncryptHub, Rhadamanthys, Stealc, and Fickle Stealer in related campaigns. The actor’s operations targeted enterprise and government environments, with additional reporting citing telecom, finance, defense, and manufacturing sectors.
Observed post-exploitation outcomes in the campaigns that delivered SilentPrism included backdoor installation, credential theft, data exfiltration, persistence, and lateral movement; ransomware deployment was also assessed as a possible follow-on activity in some CVE-2025-26633 exploitation. The provided content does not include SilentPrism-specific protocol details or standalone indicators of compromise beyond its repeated identification as a backdoor deployed by Water Gamayun/EncryptHub in MSC EvilTwin-related attacks.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file. | Trend Micro in March 2025, uncovering attacks that deliver two backdoors called SilentPrism and DarkWisp.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Trend Micro in March 2025, uncovering attacks that deliver two backdoors called SilentPrism and DarkWisp.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor delivered following exploitation of a Windows zero-day (CVE-2025-26633) via an MSC EvilTwin technique; attributed to Water Gamayun.
SilentPrism is a backdoor malware variant used in campaigns exploiting Microsoft Management Console vulnerabilities.
Referenced as part of Water Gamayun’s toolkit; likely used for stealthy access/persistence and data theft, but not confirmed as the final payload in this incident.
Backdoor malware installed via exploitation of CVE-2025-26633, used for persistent access and lateral movement.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.