Russian-linked group EncryptHub is impersonating IT staff on Microsoft Teams, walking victims into remote sessions, then abusing CVE-2025-26633 (“MSC EvilTwin”) to execute rogue .msc consoles and drop Fickle Stealer. Microsoft patched the bug, but unpatched Windows endpoints remain at risk.

A new campaign weaponizes trust in collaboration tools. Attackers pose as IT on Microsoft Teams, coax employees into remote access, and run PowerShell that pulls a loader exploiting CVE-2025-26633 in Microsoft Management Console. The flaw—now added to CISA’s KEV—lets a malicious .msc run when its benign twin is launched. Patch and tighten verification controls immediately.

A social-engineering wave is turning Microsoft Teams into a beachhead. Adversaries masquerade as internal help-desk staff, request remote access, and execute PowerShell that fetches a loader which plants twin .msc files. When mmc.exe opens the legitimate console, Windows loads the attacker’s EvilTwin from the MUIPath directory, handing over code execution.

“Social engineering remains one of the most effective tools… attackers impersonate IT support, gain trust and remote access, and ultimately deploy suspicious tools,” Trustwave SpiderLabs reported. Trustwave

What’s new in this campaign

• Initial access via Teams impersonation. Operators send Teams requests as “IT” and guide the user into a remote session.
• PowerShell loader. Typical first command: powershell.exe -ExecutionPolicy Bypass … Invoke-RestMethod … runner.ps1 | iex, which drops twin .msc files.
• Exploit: CVE-2025-26633 / “MSC EvilTwin”—an MMC security-feature bypass that prioritizes a localized .msc in MUIPath (e.g., en-US) over the benign one. Patched by Microsoft in March 2025; listed by CISA KEV.
• Payloads and tooling. Fickle Stealer for data theft; SilentCrystal (Go loader) abusing Brave Support as a dropper; SOCKS5 backdoor for C2.

Demonstration (defender’s view, not exploit code)

1. The lure: A user accepts a Teams contact from “IT Support.” A remote session starts.
2. Command drop: Attacker runs a single PowerShell line (ExecutionPolicy Bypass) that downloads runner.ps1 from cjhsbam[.]com.
3. EvilTwin setup: The script writes two identically named .msc files; the malicious copy sits in …\System32\en-US (or a mock “C:\Windows␠\System32” with a trailing space), then mmc.exe loads the malicious one first.
4. Post-exploit: Persistence, AES-encrypted tasking over C2, and optional info-stealing via Fickle Steal

Why this works

• Trust channel abuse: Users expect help-desk on Teams; the UI looks familiar. Prior research shows Teams vishing has delivered RATs and ransomware before.
• Living-off-the-land: PowerShell + signed Windows binaries (mmc.exe) keep telemetry subtle.
• Path precedence edge case: The MUIPath lookup lets a malicious localized .msc hijack execution—now patched, but effective on lagging fleets.

“Treat every ‘IT support’ request in Teams as untrusted until proven otherwise. Make users verify out-of-band, and make admins verify the OS. If your estate isn’t patched for CVE-2025-26633, you’re one click away from handing attackers mmc.exe on a silver platter. Block the social angle, patch the technical angle, and hunt for ExecutionPolicy Bypass like your business depends on it—because it does.” — El Mostafa Ouchen

Immediate actions (enterprise)

1) Patch priority

• Deploy March 2025 Windows updates that remediate CVE-2025-26633 across client and server. Validate compliance in WSUS/Intune/ConfigMgr; confirm exposure via MSRC / NVD.

2) Harden Teams trust boundaries

• Restrict External Access to allow-list domains; disable unsolicited chats from unknown tenants.
• Create a help-desk verification policy: no remote control unless the user initiates via the corporate portal/ticket, plus callback via a known internal number. (Microsoft and industry advisories consistently warn about tech-support impersonation.)

3) Detections to turn on today

• PowerShell: alert on -ExecutionPolicy Bypass, Invoke-RestMethod, DownloadString, or Invoke-Expression launched from Teams, Teams.exe child, or interactive sessions.
• MMC/EvilTwin indicators:
  • mmc.exe loading .msc from MUIPath (…\System32\en-US*.msc) or paths with trailing spaces (e.g., C:\Windows␠\System32).
  • Unexpected writes to localized .msc directories.
  • New .msc files followed by immediate mmc.exe execution.

Sample KQL (Microsoft Defender XDR)

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-ExecutionPolicy Bypass","Invoke-RestMethod","Invoke-Expression","DownloadString")
| summarize count() by DeviceName, InitiatingProcessFileName, ProcessCommandLine, bin(TimeGenerated, 1h)

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "mmc.exe"
| where FolderPath has_any (@@"\System32\en-US\", @"\Windows \System32") // note the space before \System32
| summarize count() by DeviceName, FolderPath, InitiatingProcessCommandLine, bin(TimeGenerated, 1h)

4) Reduce blast radius

• Enforce ASR rules (e.g., block Office/Win32 child processes), Constrained Language Mode where feasible, and Device Control to prevent unauthorized admin tools.
• WDAC/AppLocker: explicitly allow only known-good .msc; deny execution from localized resource folders and user-writable paths.

5) People & process

• Run an awareness micro-module: “Never accept unsolicited remote-access on Teams. Verify via ticket + callback.”
• Table-top a scenario: help-desk impersonation → PowerShell dropper → MMC exploit → C2.

Indicators & context

• Domains/paths seen: cjhsbam[.]com, rivatalk[.]net, safesurf.fastdomain-uoemathhvq.workers.dev; twin .msc technique; AES-tasking over C2; SilentCrystal loader; SOCKS5 backdoor.
• Attribution & scope: EncryptHub (aka LARVA-208 / Water Gamayun) active since 2024; >600 orgs claimed impacted in reporting.

The bigger picture

Abuse of “work-trusted” channels (Teams, Slack, Quick Assist) is now routine in ransomware and stealer operations. Recent cases show Teams vishing setting up RAT installs and “support” sessions that end in domain compromise. The platform isn’t the problem; trust without verification is.

Bottom line

This campaign fuses social engineering with a Windows path-precedence quirk. If you patch CVE-2025-26633, lock down Teams external contact, verify support out-of-band, and hunt for Bypass-heavy PowerShell, you turn a high-probability breach into a blocked pop-up.

One-Page SOC Playbook (Teams “Request Remote Access” abuse)

Detect, contain, and prevent Teams-led social engineering that results in malicious .msc execution and data theft.

1) Patch & Exposure

• Deploy the March 2025 Windows updates addressing CVE-2025-26633 to all supported builds.
• Verify posture via WSUS/Intune/ConfigMgr compliance reports; track exceptions with a 48-hour SLA.

2) Microsoft Teams Guardrails

• External Access: Move to allow-list of trusted tenants; disable unsolicited chats from unknown domains.
• Support workflow: No remote control unless initiated from the corporate portal/ticket, plus callback verification from a published internal number.
• Education: 10-minute module: “Never accept unsolicited remote access.”

3) Detections to Enable (Microsoft Defender XDR – KQL)

A. PowerShell dropper patterns (bypass + web fetch):

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-ExecutionPolicy Bypass","Invoke-RestMethod","Invoke-Expression","DownloadString","iwr","iex")
| project Timestamp=TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName
| order by Timestamp desc

B. Teams as the launchpad (PowerShell child of Teams):

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where InitiatingProcessFileName has_any ("Teams.exe","ms-teams.exe")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountSid, AccountName
| order by TimeGenerated desc

C. MMC loading suspicious .msc (localized folders / path tricks):

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "mmc.exe"
| where FolderPath has @"\System32\en-US\" or FolderPath has @"\Windows \System32" // note possible trailing space
| project TimeGenerated, DeviceName, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc

D. Unexpected .msc file writes (resource folders):

DeviceFileEvents
| where FileName endswith ".msc"
| where FolderPath has @"\System32\en-US\"
| where InitiatingProcessFileName in~ ("powershell.exe","wscript.exe","cscript.exe")
| project TimeGenerated, DeviceName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc

4) Containment & Hardening

• Isolate device in EDR if any rule above fires + user confirms unsolicited “IT” contact.
• Revoke tokens (AAD sign-ins, OAuth grants) and reset credentials from a known-clean host.
• ASR rules: Block abuse of LOLBins (Office child processes, script abuse); audit → enforce.
• WDAC/AppLocker: Allowlist known-good .msc; deny execution from localized resource folders and user-writable paths.
• PowerShell CLM where feasible; log Script Block/Module events to SIEM.

5) Comms & Aftercare

• Notify impacted users; provide a one-page “verify IT requests” reminder.
• Run retro hunt for the past 30–60 days with the KQL above; export findings for IR.
• Add the scenario to quarterly table-top: Teams impersonation → remote session → PowerShell → MMC hijack.

KPIs: Patch compliance ≥98% within 72h; zero unsolicited remote-access approvals; MDE detections triaged <1h; mean-time-to-isolation <15m.

Sources:

• CyberSecurityNews: Teams impersonation + remote access flow and runner.ps1 details. Cyber Security News
• Trustwave SpiderLabs: technical breakdown (EvilTwin, MUIPath precedence, SilentCrystal, IOCs). Trustwave
• Trend Micro: CVE-2025-26633 “MSC EvilTwin” analysis and Water Gamayun/EncryptHub link. Trend Micro
• NVD/MSRC: CVE-2025-26633 description and references. NVDMicrosoft Security Response Center
• CISA: KEV listing/alert for CVE-2025-26633. CISA
• Fortinet: Fickle Stealer capabilities/background. Fortinet

From permits to youth benefits, the kingdom consolidates e-government portals for residents and the diaspora.

RABAT, Morocco — Morocco’s government is expanding a network of official digital platforms designed to deliver key public services to citizens inside the country and Moroccans living abroad. The centralized portals aim to reduce bureaucracy, cut in-person visits, and make vital documents and applications available online.

Core Platforms for All Citizens

Maroc.ma – The kingdom’s official gateway offers information on state institutions and direct access to a growing list of e-services for residents and expatriates.

Rokhas – A unified digital platform for obtaining building permits, renovation approvals, and business activity licenses without visiting municipal offices.

Chikaya – An online complaint portal allowing citizens to file grievances, submit suggestions, and track responses from public administrations.

Tawtik – An electronic system for notarial transactions, streamlining interactions between notaries, tax offices, and property registries.

Wraqi – A platform to book appointments and request administrative documents such as national ID renewals and certificates, with real-time application tracking.

Idarati – A comprehensive guide to administrative procedures, offering downloadable forms and access to select online services.

Casier Judiciaire – Enables citizens to request criminal record certificates remotely from anywhere in the world, without appearing in court.

Youth-Oriented Services

Pass Jeune – A youth card and mobile app launched by the Ministry of Youth, Culture, and Communication, offering discounts and free access to cultural, sports, and transportation services, as well as housing and training opportunities.

Moutawaa – A national volunteering platform connecting young people to service projects and skill-building programs.

Broader Digital Ecosystem

The portals link to a wide directory of Moroccan ministries and agencies, covering justice, foreign affairs, finance, health, transport, education, agriculture, telecommunications, customs, taxation, intellectual property, logistics, social security, and infrastructure.

The impact: By unifying public services online, Morocco aims to streamline government-citizen interactions, support the needs of Moroccans abroad, and encourage broader adoption of digital tools.

More Info:

From potatoes to paleontology, Morocco posts gains across economy, science, and sport, while DV-2025 visa delays put pressure on applicants.

Morocco’s potato exports surged after a five-year slump, paleontologists uncovered the country’s oldest Turiasaurian teeth in the Middle Atlas, and UIR teamed with Cisco on a new AI & cybersecurity center. Authorities also approved the Amazigh name “Massinissa,” Morocco beat Zambia 3–1 at CHAN, and DV-2025 lottery winners sounded alarms over stalled interviews. FreshPlazaMorocco World News+3Morocco World News+3Morocco World News+3Hespress

The Briefing

Morocco’s news cycle on August 14, 2025 offered a snapshot of a country diversifying—export recovery in agri-food, frontier science with Jurassic-era finds, digital capacity-building through a new AI/cyber hub, and a culture-rights win on Amazigh naming—rounded off by a CHAN victory and visa-processing anxieties for DV-2025 winners. FreshPlazaMorocco World News+3Morocco World News+3Morocco World News+3Hespress

Economy — Potatoes Are Back

After five years of decline, Morocco’s ware-potato exports rebounded to 42,900 tons worth US$14.9 million between July 2024 and May 2025—a 5.7× increase versus the prior season. Analysts credit renewed West African trade links and firmer European demand. The uptick helps farmers and cold-chain logistics while testing resilience ahead of the 2025–26 campaign. FreshPlaza

Explainer takeaway: A stronger potato campaign increases rural incomes and stabilizes supply chains; monitoring fertilizer prices, shipping rates, and weather will indicate whether the rebound is durable.

Science — 160-Million-Year-Old Giants

Researchers identified three dinosaur teeth from the Middle Atlas (El Mers III Formation), marking the oldest evidence of Turiasauria on mainland Africa—a Middle Jurassic lineage previously best known from Iberia. The peer-reviewed study tightens biogeographic links between North Africa and Europe and invites fresh fieldwork in Boulemane province. Morocco World NewsYabiladiResearchGate

Explainer takeaway: Morocco’s Jurassic strata continue to fill global fossil gaps, boosting scientific tourism and training opportunities for local geoscience programs.

Technology — UIR × Cisco Unveil AI & Cybersecurity Center

The International University of Rabat (UIR) and Cisco signed an MoU to create a Cisco EDGE Incubation Center focused on AI and cybersecurity, aligning with Morocco’s Digital 2030 ambitions. The hub aims to link academia, startups, and public services while leveraging Cisco Networking Academy pathways. Morocco World NewsMap NewsMedafrica TimesLinkedIn

Explainer takeaway: Expect new pipelines for SOC talent, secure-cloud skills, and AI safety research—areas where Morocco seeks digital sovereignty and exportable know-how.

Society — A Win for Amazigh Naming Rights

Following an initial refusal, Meknes authorities approved the Amazigh name “Massinissa.” The reversal reflects ongoing normalization of Amazigh names in civil registry practice and reduces administrative friction for families seeking culturally rooted identities. Morocco World NewsHespressFacebook

Explainer takeaway: Documentation shapes access to education, healthcare, and travel; clearer acceptance of Amazigh names streamlines everyday life and affirms linguistic rights.

Sport — CHAN Boost: Morocco 3–1 Zambia

Morocco’s locally based national team defeated Zambia 3–1, strengthening its CHAN 2024 (played in 2025) campaign and securing a quarterfinal berth. Wins at CHAN raise player visibility, support domestic leagues, and can lift transfer valuations for homegrown talent. Hespress

Explainer takeaway: CHAN is a showcase for domestic football systems; Morocco’s result supports the broader talent pipeline from Botola clubs to continental competition.

Migration — DV-2025 Interview Delays

DV-2025 lottery winners in Morocco report stalled interview scheduling at the U.S. Consulate in Casablanca as the September 30, 2025 fiscal-year deadline nears, raising fears that selectees could time out despite “current” case numbers. Civil-society calls urge transparent scheduling and capacity updates. Morocco World News

Explainer takeaway: Diversity Visas are time-bound; absent appointments by the end of the fiscal year, eligibility ends—even for qualified selectees. Applicants should ensure DS-260s are complete and monitor consular notices.

What to Watch Next

• Agri-exports: Does the potato rally carry into Q4 logistics and pricing? FreshPlaza
• Science & tourism: Will new Middle Atlas digs expand fossil trails and museum programs? Morocco World News
• Talent & tech: Can the UIR–Cisco hub seed startups and feed national SOC capacity by 2026? Morocco World News
• Civil registry: Are further Amazigh naming cases resolved consistently across regions? Hespress
• CHAN: Injury management and fatigue as fixtures compress. Hespress
• DV-2025: Any scheduling updates from Casablanca before Sept. 30. Morocco World News