SHA256 · High · Verified · Signal 97/100
1b3309c7a4c3940eff1e1ab1905641b23ea743c4f11d82107ce36fa1ec2299e9
Location: -
First Seen: Mar 25, 2025
Last Seen: May 29, 2026
Found in 6 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 97%
Signal Score: 97 / 100
IDS Rule: No
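As an added example (not code from this feed, the page, or the vendors it references), the following Python shows the two things a practitioner usually does with a record like this: sweep a directory for files whose SHA-256 equals the indicator, and package the indicator as a minimal STIX 2.1 Indicator object for sharing. The only values taken from the page are the hash and the first-seen date; the sample directory is constructed inside the code (the file holding the bytes "abc" is a published SHA-256 test vector and has nothing to do with the malware sample), and the indicator name and labels are illustrative.

```python
import hashlib
import json
import os
import tempfile
import uuid
from datetime import datetime, timezone

# The indicator from this record: the only hash here copied from the page.
IOC_SHA256 = "1b3309c7a4c3940eff1e1ab1905641b23ea743c4f11d82107ce36fa1ec2299e9"
# First-seen date from the record, used as the indicator's valid_from.
FIRST_SEEN = datetime(2025, 3, 25, tzinfo=timezone.utc)
# SHA-256 of the bytes b"abc": a published test vector, used only to show a hit
# against a constructed file (it is not related to the malware sample).
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs):
    """Walk root and return (path, digest) for every file whose SHA-256 is in iocs.
    Hex is compared lowercased: feeds differ in casing, the digest does not."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in wanted:
                hits.append((path, digest))
    return hits


def stix_timestamp(dt):
    """RFC 3339 UTC with millisecond precision, as STIX 2.1 requires for created/modified."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def stix_indicator(sha256_hex, name, valid_from, confidence, labels):
    """Minimal STIX 2.1 Indicator matching a file by SHA-256.
    The hash key inside the pattern is single-quoted; pattern_type is mandatory
    in 2.1; Indicator ids are 'indicator--' plus a UUIDv4; confidence is 0-100."""
    now = stix_timestamp(datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": "[file:hashes.'SHA-256' = '%s']" % sha256_hex.lower(),
        "pattern_type": "stix",
        "valid_from": stix_timestamp(valid_from),
        "confidence": confidence,
        "labels": list(labels),
    }


def stix_bundle(objects):
    """Wrap STIX objects in a 2.1 Bundle (2.1 bundles carry no spec_version)."""
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": list(objects)}


def make_sample_dir():
    """Constructed sample tree (not a malware corpus): one file holding b"abc",
    one inert text file in a subdirectory."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    with open(os.path.join(root, "sample.bin"), "wb") as f:
        f.write(b"abc")
    os.mkdir(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "readme.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    root = make_sample_dir()
    # The page's hash cannot match constructed files; ABC_SHA256 is added to show a hit.
    for path, digest in scan_directory(root, {IOC_SHA256, ABC_SHA256}):
        print("MATCH", digest, path)
    indicator = stix_indicator(
        IOC_SHA256, "SHA-256 file indicator (Water Gamayun reporting)",
        FIRST_SEEN, 97, ["water gamayun", "msc eviltwin"])
    print(json.dumps(stix_bundle([indicator]), indent=2))
```

A hash match identifies one exact byte sequence, so a rebuilt or re-packed sample will not match; treat a hit as confirmation and a miss as no information, which is also why the record's own note to verify before acting applies.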
Threat Context
Feed Intelligence Summary
6 reports · 97% confidence
Source reports: 6
Confidence score: 97%
Category tags
abuse · active scan · active scanning · activex · aerospace & defense · apt · apt group · arsenal · backdoor · backdoor installation · bad reputation · botnet · botnet activity · brute force · c&c · c&c communication · calls-wmi · checks-bios · civil services · code execution · code injection · command & control · command and control · command execution · credential access · credential stuffing · darkwisep · darkwisp · darkwisp malware · data exfiltration · data store exposure · data theft · defense · defense contracting · defense logistics · defense systems · defense technology · detect-debug-environment · directory spoofing · disease vector · distributed attacks · dive · dll hijacking · dll injection · dll sideloading · domain · encrypted communication · encrypthub · encrypthub malware · encrypthub stealer · europe/asia · executable file · exploit · exploitation · exploitation activity · file-hash · fileless malware · fileless malware attack · files · gamaredon · gamaredon group · github · government technology · identity & access exploitation · indicator · info-stealer · information stealing · infostealer · infrastructure acquisition reconnaissance · injection activity · iot security · lateral movement · lolbins · lolbins usage · long-sleeps · mal · malicious powershell activity · malicious provisioning package · malicious provisioning packages · malicious software · malware · malware delivery · malware: darkwisp · malware: encrypthub stealer · malware: rhadamanthys · malware: silentprism · malware: stealc · microsoft management console · military operations · mmc · mobile threat · msc eviltwin · msc eviltwin exploit · msc eviltwin technique · msc file exploitation · muipath · muipath abuse · muipath attack · national security · network probing · operating system · palestine, state of · payload delivery · payload execution · phishing · powershell · powershell execution · powershell scripting · process injection · ps1 · public administration · public infrastructure · public policy · ransomware · reconnaissance · regulatory agencies · related · remote access · remote code execution · researched · rhadamanthys stealer · russia · russian federation · scripting attacks · signed binary abuse · signed msi · silent prism · silent prism campaign · silentprism · silentprism backdoor · source · stealc · stealc stealer · stealer · threat actor · tor node · trojan spy · trojan spyware · trojan spyware deployment · trojanspy · vulnerability scan · water gamayun · water gamayun apt · windows · windows msc files · zero-day exploit · zero-day exploitation · zero-day vulnerability
MITRE ATT&CK TTPs
T1003 · T1003.001 · T1005 · T1016 · T1021 · T1021.001 · T1027 · T1027.002 · T1027.003 · T1036 · T1041 · T1047 · T1053 · T1053.005 · T1055 · T1055.001 · T1056 · T1057 · T1059 · T1059.001 · T1059.003 · T1059.005 · T1068 · T1069.001 · T1070 · T1071 · T1071.001 · T1071.004 · T1078 · T1082 · T1083 · T1086 · T1102 · T1105 · T1113 · T1124 · T1132 · T1133 · T1134 · T1136 · T1140 · T1189 · T1190 · T1195 · T1195.001 · T1202 · T1203 · T1204 · T1204.002 · T1213 · T1218.007 · T1222 · T1486 · T1496 · T1499.002 · T1499.003 · T1543 · T1547 · T1547.001 · T1547.005 · T1550.002 · T1550.003 · T1555 · T1558 · T1562.001 · T1565 · T1566 · T1566.001 · T1567 · T1569.002 · T1573 · T1574 · T1574.001 · T1583.001 · T1584.003 · T1587.001 · T1588 · T1588.002 · T1590.001 · T1592 · T1595 · T1595.001 · T1595.002 · T1595.003 · T1598
Activity Timeline
Threat Activity Heatmap · Peak: 2026-05-29
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 97 (High Risk)
Signal Score: 97
Confidence: 97%
Reports: 6
First seen: Mar 25, 2025
Last seen: May 29, 2026
Verified IOC
VirusTotal: Not checked
WHOIS: -
References:
- https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html
- https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
IOC Journey
Confidence: high · First detected 1 year ago · Last seen 16 days ago
Appeared in 6 threat reports