Cybercriminals Imitate IT Teams to Exploit Microsoft Teams Vulnerabilities for Remote System Access

The EncryptHub threat group, linked to Russian cybercriminals, has executed a sophisticated social engineering campaign that combines impersonation with technical exploitation to infiltrate corporate networks. Posing as IT support staff, the attackers initiate contact by sending Microsoft Teams connection requests to targeted employees. Once a victim accepts the request and a remote session is established, the attackers guide the victim through executing seemingly legitimate PowerShell commands. These commands are in fact designed to download and run malicious scripts, including a PowerShell script named “runner.ps1”, from attacker-controlled domains such as cjhsbam[.]com. The script exploits a previously unknown Windows vulnerability, CVE-2025-26633, known as “MSC EvilTwin,” which allows malicious Microsoft Management Console (.msc) files to be executed by manipulating the way the console resolves and loads them.

The MSC EvilTwin vulnerability lets the attackers drop two .msc files with the same name, one legitimate and one malicious, into different directories. When the legitimate file is opened, the mmc.exe process checks the MUIPath directory for a file with the same name and inadvertently loads the malicious version from there, so the malware runs instead of the intended console. Once installed, the malware establishes persistence on the infected machine and maintains continuous communication with command-and-control servers. It receives AES-encrypted commands from those servers, decrypts them locally and executes them via PowerShell, which gives the attackers comprehensive remote control. Among the deployed payloads is Fickle Stealer, a PowerShell-based information stealer that extracts sensitive files, harvests system information and steals cryptocurrency wallet data. EncryptHub, also tracked as LARVA-208 and Water Gamayun, has been active since mid-2024 and has compromised over 618 organisations worldwide, targeting sectors such as Web3 developers and gaming platforms.

Categories: Cybersecurity Threats, Social Engineering Tactics, Malware Exploitation 

Tags: Social Engineering, Impersonation, Microsoft Teams, Remote Access, Windows Vulnerability, PowerShell, MSC EvilTwin, Malware Execution, Command-and-Control, Information Stealer 
