Russian-linked group EncryptHub is impersonating IT staff on Microsoft Teams, walking victims into remote sessions, then abusing CVE-2025-26633 (“MSC EvilTwin”) to execute rogue .msc consoles and drop Fickle Stealer. Microsoft patched the bug, but unpatched Windows endpoints remain at risk.

A new campaign weaponizes trust in collaboration tools. Attackers pose as IT on Microsoft Teams, coax employees into remote access, and run PowerShell that pulls a loader exploiting CVE-2025-26633 in Microsoft Management Console. The flaw—now added to CISA’s KEV—lets a malicious .msc run when its benign twin is launched. Patch and tighten verification controls immediately.

A social-engineering wave is turning Microsoft Teams into a beachhead. Adversaries masquerade as internal help-desk staff, request remote access, and execute PowerShell that fetches a loader which plants twin .msc files. When mmc.exe opens the legitimate console, Windows loads the attacker’s EvilTwin from the MUIPath directory, handing over code execution.

“Social engineering remains one of the most effective tools… attackers impersonate IT support, gain trust and remote access, and ultimately deploy suspicious tools,” Trustwave SpiderLabs reported. Trustwave

What’s new in this campaign

• Initial access via Teams impersonation. Operators send Teams requests as “IT” and guide the user into a remote session.
• PowerShell loader. Typical first command: powershell.exe -ExecutionPolicy Bypass … Invoke-RestMethod … runner.ps1 | iex, which drops twin .msc files.
• Exploit: CVE-2025-26633 / “MSC EvilTwin”—an MMC security-feature bypass that prioritizes a localized .msc in MUIPath (e.g., en-US) over the benign one. Patched by Microsoft in March 2025; listed by CISA KEV.
• Payloads and tooling. Fickle Stealer for data theft; SilentCrystal (Go loader) abusing Brave Support as a dropper; SOCKS5 backdoor for C2.

Demonstration (defender’s view, not exploit code)

1. The lure: A user accepts a Teams contact from “IT Support.” A remote session starts.
2. Command drop: Attacker runs a single PowerShell line (ExecutionPolicy Bypass) that downloads runner.ps1 from cjhsbam[.]com.
3. EvilTwin setup: The script writes two identically named .msc files; the malicious copy sits in …\System32\en-US (or a mock “C:\Windows␠\System32” with a trailing space), then mmc.exe loads the malicious one first.
4. Post-exploit: Persistence, AES-encrypted tasking over C2, and optional info-stealing via Fickle Steal

Why this works

• Trust channel abuse: Users expect help-desk on Teams; the UI looks familiar. Prior research shows Teams vishing has delivered RATs and ransomware before.
• Living-off-the-land: PowerShell + signed Windows binaries (mmc.exe) keep telemetry subtle.
• Path precedence edge case: The MUIPath lookup lets a malicious localized .msc hijack execution—now patched, but effective on lagging fleets.

“Treat every ‘IT support’ request in Teams as untrusted until proven otherwise. Make users verify out-of-band, and make admins verify the OS. If your estate isn’t patched for CVE-2025-26633, you’re one click away from handing attackers mmc.exe on a silver platter. Block the social angle, patch the technical angle, and hunt for ExecutionPolicy Bypass like your business depends on it—because it does.” — El Mostafa Ouchen

Immediate actions (enterprise)

1) Patch priority

• Deploy March 2025 Windows updates that remediate CVE-2025-26633 across client and server. Validate compliance in WSUS/Intune/ConfigMgr; confirm exposure via MSRC / NVD.

2) Harden Teams trust boundaries

• Restrict External Access to allow-list domains; disable unsolicited chats from unknown tenants.
• Create a help-desk verification policy: no remote control unless the user initiates via the corporate portal/ticket, plus callback via a known internal number. (Microsoft and industry advisories consistently warn about tech-support impersonation.)

3) Detections to turn on today

• PowerShell: alert on -ExecutionPolicy Bypass, Invoke-RestMethod, DownloadString, or Invoke-Expression launched from Teams, Teams.exe child, or interactive sessions.
• MMC/EvilTwin indicators:
  • mmc.exe loading .msc from MUIPath (…\System32\en-US*.msc) or paths with trailing spaces (e.g., C:\Windows␠\System32).
  • Unexpected writes to localized .msc directories.
  • New .msc files followed by immediate mmc.exe execution.

Sample KQL (Microsoft Defender XDR)

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-ExecutionPolicy Bypass","Invoke-RestMethod","Invoke-Expression","DownloadString")
| summarize count() by DeviceName, InitiatingProcessFileName, ProcessCommandLine, bin(TimeGenerated, 1h)

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "mmc.exe"
| where FolderPath has_any (@@"\System32\en-US\", @"\Windows \System32") // note the space before \System32
| summarize count() by DeviceName, FolderPath, InitiatingProcessCommandLine, bin(TimeGenerated, 1h)

4) Reduce blast radius

• Enforce ASR rules (e.g., block Office/Win32 child processes), Constrained Language Mode where feasible, and Device Control to prevent unauthorized admin tools.
• WDAC/AppLocker: explicitly allow only known-good .msc; deny execution from localized resource folders and user-writable paths.

5) People & process

• Run an awareness micro-module: “Never accept unsolicited remote-access on Teams. Verify via ticket + callback.”
• Table-top a scenario: help-desk impersonation → PowerShell dropper → MMC exploit → C2.

Indicators & context

• Domains/paths seen: cjhsbam[.]com, rivatalk[.]net, safesurf.fastdomain-uoemathhvq.workers.dev; twin .msc technique; AES-tasking over C2; SilentCrystal loader; SOCKS5 backdoor.
• Attribution & scope: EncryptHub (aka LARVA-208 / Water Gamayun) active since 2024; >600 orgs claimed impacted in reporting.

The bigger picture

Abuse of “work-trusted” channels (Teams, Slack, Quick Assist) is now routine in ransomware and stealer operations. Recent cases show Teams vishing setting up RAT installs and “support” sessions that end in domain compromise. The platform isn’t the problem; trust without verification is.

Bottom line

This campaign fuses social engineering with a Windows path-precedence quirk. If you patch CVE-2025-26633, lock down Teams external contact, verify support out-of-band, and hunt for Bypass-heavy PowerShell, you turn a high-probability breach into a blocked pop-up.

One-Page SOC Playbook (Teams “Request Remote Access” abuse)

Detect, contain, and prevent Teams-led social engineering that results in malicious .msc execution and data theft.

1) Patch & Exposure

• Deploy the March 2025 Windows updates addressing CVE-2025-26633 to all supported builds.
• Verify posture via WSUS/Intune/ConfigMgr compliance reports; track exceptions with a 48-hour SLA.

2) Microsoft Teams Guardrails

• External Access: Move to allow-list of trusted tenants; disable unsolicited chats from unknown domains.
• Support workflow: No remote control unless initiated from the corporate portal/ticket, plus callback verification from a published internal number.
• Education: 10-minute module: “Never accept unsolicited remote access.”

3) Detections to Enable (Microsoft Defender XDR – KQL)

A. PowerShell dropper patterns (bypass + web fetch):

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-ExecutionPolicy Bypass","Invoke-RestMethod","Invoke-Expression","DownloadString","iwr","iex")
| project Timestamp=TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName
| order by Timestamp desc

B. Teams as the launchpad (PowerShell child of Teams):

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where InitiatingProcessFileName has_any ("Teams.exe","ms-teams.exe")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountSid, AccountName
| order by TimeGenerated desc

C. MMC loading suspicious .msc (localized folders / path tricks):

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "mmc.exe"
| where FolderPath has @"\System32\en-US\" or FolderPath has @"\Windows \System32" // note possible trailing space
| project TimeGenerated, DeviceName, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc

D. Unexpected .msc file writes (resource folders):

DeviceFileEvents
| where FileName endswith ".msc"
| where FolderPath has @"\System32\en-US\"
| where InitiatingProcessFileName in~ ("powershell.exe","wscript.exe","cscript.exe")
| project TimeGenerated, DeviceName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc

4) Containment & Hardening

• Isolate device in EDR if any rule above fires + user confirms unsolicited “IT” contact.
• Revoke tokens (AAD sign-ins, OAuth grants) and reset credentials from a known-clean host.
• ASR rules: Block abuse of LOLBins (Office child processes, script abuse); audit → enforce.
• WDAC/AppLocker: Allowlist known-good .msc; deny execution from localized resource folders and user-writable paths.
• PowerShell CLM where feasible; log Script Block/Module events to SIEM.

5) Comms & Aftercare

• Notify impacted users; provide a one-page “verify IT requests” reminder.
• Run retro hunt for the past 30–60 days with the KQL above; export findings for IR.
• Add the scenario to quarterly table-top: Teams impersonation → remote session → PowerShell → MMC hijack.

KPIs: Patch compliance ≥98% within 72h; zero unsolicited remote-access approvals; MDE detections triaged <1h; mean-time-to-isolation <15m.

Sources:

• CyberSecurityNews: Teams impersonation + remote access flow and runner.ps1 details. Cyber Security News
• Trustwave SpiderLabs: technical breakdown (EvilTwin, MUIPath precedence, SilentCrystal, IOCs). Trustwave
• Trend Micro: CVE-2025-26633 “MSC EvilTwin” analysis and Water Gamayun/EncryptHub link. Trend Micro
• NVD/MSRC: CVE-2025-26633 description and references. NVDMicrosoft Security Response Center
• CISA: KEV listing/alert for CVE-2025-26633. CISA
• Fortinet: Fickle Stealer capabilities/background. Fortinet

What Pegasus actually does

Pegasus is a commercial “mercenary” spyware suite by NSO Group that covertly compromises iOS and Android devices, enabling data theft (messages, photos, tokens), live microphone/camera activation, and location tracking—often without any user action. Independent labs have repeatedly linked infections to zero-click exploit chains (no tap, no click) delivered through system parsers like iMessage / ImageIO and Wallet/PassKit.

“This is not phishing-at-scale; it’s precision exploitation of core parsers that touch your device even when you never tap the message.” — Mobile security researcher summary of zero-click risk, based on Citizen Lab and Project Zero analyses.

How infections happen

1. Targeting & delivery
   • Operator selects a high-value target (journalist, lawyer, official). Payloads arrive via iMessage (e.g., FORCEDENTRY 2021; BLASTPASS 2023) or other channels. In earlier eras, links (SMS/DM) and network-injection on hostile networks were also observed.
2. Exploit chain (parser abuse)
   • Crafted images or containers trigger bugs in ImageIO/Wallet (PassKit) or iMessage’s pipeline, pivoting to kernel-level code execution. (Examples: CVE-2021-30860/FORCEDENTRY; CVE-2023-41064 & CVE-2023-41061/BLASTPASS.)
3. Post-exploit implant
   • Implant establishes C2, escalates privileges, and begins exfiltration. Infrastructure rotates frequently (throwaway domains / short-lived servers) to reduce forensic footprint.
4. Persistence (it depends)
   • Historic Pegasus (2016 “Trident”) used true persistence tricks; later waves often avoid persistence on iOS (cleared by reboot) to lower forensic risk—operators can just re-exploit. On Android, some cases may survive factory reset, hence “replace device” is sometimes advised after confirmed compromise.

Why Apple’s Lockdown Mode matters

For BLASTPASS (2023), Citizen Lab and Apple stated that Lockdown Mode blocks that chain. Lockdown trims high-risk parsers and attachment handling—hugely valuable for at-risk roles.

“Demonstration” (safe): How defenders test & investigate

A) Quick risk-reduction drill (any high-risk iPhone)

1. Update iOS/macOS immediately (enable auto-updates + Rapid Security Responses).
2. Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode → Turn On).
3. Harden iMessage workflow (minimize unknown senders; limit content previews).
4. Daily reboot is not a fix, but can disrupt non-persistent implants and surface anomalies in logs between reinfection attempts.

B) Basic forensics with MVT (Mobile Verification Toolkit)

This is for defenders on devices you own/manage or with explicit consent.

1. Prepare an iOS backup (unencrypted Finder/iTunes backup).
2. Run MVT against the backup with published indicators (STIX/TI from trusted labs):

# Example (macOS/Linux workstation)
python3 -m pip install mvt-ios
mvt-ios check-backup --iocs path/to/pegasus-indicators.stix2 ./path/to/ios_backup

3. Interpret results: Hits require expert review; absence of hits ≠ clean bill of health. Consider full-device acquisition by a professional lab if you have an Apple threat notification.

C) If you receive an Apple threat notification

• Do not wipe; preserve evidence.
• Move sensitive work to a known-clean device.
• Engage experts/NGOs (e.g., digital security helplines) for MVT-based analysis.
• Keep Lockdown Mode enabled; patch promptly.

Concrete, layered protections (orgs & individuals)

For everyone

• Keep OS/apps current; remove unknown configuration profiles; avoid sideloading.
• Use hardware security keys/app-based 2FA; rotate passwords on a separate, clean device after incidents. (Best practice.)

For high-risk users / orgs

How Pegasus changed over time (key milestones)

• 2016 “Trident”: link-based chain with true persistence on iOS (Lookout/Citizen Lab).
• 2020–2021 “KISMET/Great iPwn/FORCEDENTRY”: large move to zero-click iMessage.
• 2022–2023: multiple iOS 15/16 zero-click chains; BLASTPASS via PassKit images; Lockdown Mode blocks that chain.

“Pegasus turned smartphones into pocket informants. The answer isn’t panic—it’s discipline: patch fast, enable Lockdown Mode for high-risk roles, and use professional forensics rather than guesswork. Treat an Apple threat alert like smoke from a fire alarm—investigate with experts before the evidence disappears.” — El Mostafa Ouchen

TL;DR: What to do right now

• Update and enable Lockdown Mode if you’re high-risk.
• Establish an IR path: preserve evidence, MVT scan, expert help on notification.
• Assume reinfection attempts until patched; don’t rely on “factory reset” (Android may persist; iOS often re-exploited).

Sources for further reading

Citizen Lab on FORCEDENTRY (CVE-2021-30860) and BLASTPASS; Google Project Zero technical deep-dive; CERT-EU CVE brief; Amnesty’s MVT docs; Apple’s mercenary-spyware threat notification guidance. The Citizen LabHelp Net SecurityProject Zerocert.europa.euAmnesty InternationalGitHubmvt-docs.readthedocs.ioApple Support

From August–September 2025, Windows 11 24H2 and Windows Server 2025 drop the legacy engine to simplify the OS and close a long-abused security gap.

Microsoft will remove Windows PowerShell 2.0 in upcoming Windows releases—August 2025 for Windows 11 version 24H2 and September 2025 for Windows Server 2025. The move retires a 14-year-old component that lacks modern defenses like AMSI, script-block logging, and JEA, long exploited via “downgrade” to evade detection

Microsoft is finally pulling the plug on Windows PowerShell 2.0, removing it from Windows 11 (starting with the August 2025 update) and from Windows Server 2025 (starting with the September 2025 update). Insider builds already reflect the change.

“This removal is part of a broader effort to clean up legacy code, reduce the complexity of the PowerShell ecosystem, and improve Windows security.” — Microsoft

Why Microsoft is doing this (the security case)

PowerShell 2.0 predates key defense features that defenders now rely on:

• No AMSI integration (Anti-Malware Scan Interface)
• No script block logging or rich transcription
• No Constrained Language Mode (CLM) or JEA (Just Enough Administration)

Security researchers have repeatedly shown that if PowerShell v2 is present, attackers can downgrade (-Version 2) to sidestep modern controls and logging.

“PowerShell version 2… is not subject to the same restrictions… CLM and AMSI AV integration are not supported… launching with ‘-version 2’ [can] circumvent controls.” — NCC Group

This isn’t theoretical. MITRE ATT&CK highlights monitoring PowerShell EngineVersion and downgrade behavior as part of threat detection for scripting interpreters.

By contrast, Windows PowerShell 5.1 and PowerShell 7.x add deep script-block logging, improved transcription, and better AV/EDR hooks—capabilities Microsoft began rolling out years ago.

Expert Perspective

Cybersecurity expert El Mostafa Ouchen welcomed the decision but cautioned enterprises to be proactive:

“PowerShell 2.0 has been a gift to attackers for years because it offered a built-in way to evade AMSI and logging. Its removal shuts down a dangerous downgrade path, but IT teams must not assume they are safe automatically. They need to audit scripts, migrate to supported versions, and enable advanced logging. Security through removal is only effective if organizations also strengthen their monitoring posture.” — El Mostafa Ouchen

What exactly is changing (the how)

• Timeline:
  • Windows 11, version 24H2: Removal begins with the August 2025 non-security update.
  • Windows Server 2025: Removal begins with the September 2025 security update.
  • Windows Insider: v2 has been absent since July 2025 builds.
• What disappears: The optional “Windows PowerShell 2.0 Engine” feature and its legacy runtime are removed from newer builds; later releases won’t include it at all.
• Fallback behavior: If a script or scheduled task tries to launch powershell.exe -Version 2, Windows will start the default engine (typically PowerShell 5.1) instead—usually maintaining compatibility.

Technical impact and risk

• Security uplift: Eliminates an attacker-favored downgrade path that bypassed AMSI and key logging, improving fidelity of telemetry and EDR detections.
• Operational risk: Legacy installers or tools that try to enable v2 may fail on new builds; update or replace them.
• Server posture: Server 2025 also drops v2, aligning client/server baselines and simplifying hardening guidance.

Migration checklist (for IT and SecOps)

1. Inventory dependencies
   • Get-ScheduledTask | Select-String -InputObject {$_.Actions} -Pattern "-Version 2"
   • Get-ChildItem -Recurse -Include *.ps1,*.cmd,*.bat | Select-String "-Version 2"
2. Review event logs for Event ID 400/403 to identify old engine usage.
3. Migrate to modern engines
   • Port scripts to Windows PowerShell 5.1 or PowerShell 7.x.
4. Turn on the good visibility
   • Enable Script Block Logging (4104), Module Logging (4103), and Transcription via GPO; forward logs to your SIEM.
5. Harden execution
   • Use AMSI-aware AV/EDR, Constrained Language Mode, and JEA for least-privilege administration.
6. Detect downgrade attempts
   • Monitor for powershell.exe -Version 2; treat it as a defense-evasion red flag.

The bigger picture

Microsoft flagged the removal in its Windows Message Center and support notes, emphasizing that PowerShell 2.0 is “over 14 years old” and “lacks many security enhancements of the later versions,” having been deprecated since 2017.

Independent reporting echoed the security rationale and timing, with coverage pointing to the Insider removal in July 2025 and general removal on the August/September cadence.

Bottom line

Removing PowerShell 2.0 shuts a well-known backdoor for stealthy adversaries and compels long-overdue upgrades. For most environments, the change is painless; for the rest, the fix is straightforward: refactor to 5.1/7.x, enable logging, and watch for downgrade attempts.