Hackers Abuse Microsoft Teams to Gain Remote Access With PowerShell-based Malware

Cybercriminals are increasingly targeting Microsoft Teams, leveraging the platform’s trusted status in corporate communications to deploy malware and gain control over victim systems. This trend marks a significant shift from traditional email-based phishing attacks, as threat actors now impersonate IT support staff within Teams chats to deceive employees into granting remote access.

Social engineering remains a potent weapon for hackers, and as businesses integrate platforms like Microsoft Teams into their daily operations, attackers have adapted their tactics accordingly. The inherent trust that employees place in internal messaging systems creates a ripe environment for deception.

Recent analyses conducted by Permiso cybersecurity researchers have uncovered a multi-stage attack strategy that begins with a seemingly innocuous message and escalates to the deployment of sophisticated, multifunctional malware.

PowerShell-based Malware via Microsoft Teams

The attack typically initiates with a direct message or call from a newly created or compromised Microsoft Teams account. These accounts are crafted to appear legitimate, often using display names such as “IT SUPPORT ✅” or “Help Desk Specialist” to mimic trusted personnel.

Attackers frequently employ checkmark emojis to simulate a verified status and utilize Microsoft’s onmicrosoft.com domain structure to create an illusion of belonging to the organization.

By posing as IT staff addressing routine issues, the attackers establish rapport with their targets. Once trust is built, they persuade employees to install remote access software like QuickAssist or AnyDesk, under the pretense of providing technical assistance. This crucial step grants the attacker direct access to the user’s machine and the corporate network.

While similar techniques involving remote access tools have been associated with ransomware groups like BlackBasta since mid-2024, these newer campaigns are more straightforward, often bypassing the preliminary mass email campaigns that were common in the past.

The malicious payloads have also diversified, with recent incidents involving the DarkGate and Matanbuchus malware loaders. After securing remote access, the attacker executes a PowerShell command to download the primary malicious payload. This script is complex, designed with capabilities for credential theft, establishing long-term persistence, and remote code execution, according to Permiso.

To evade detection and complicate removal, the malware can designate its own process as “critical,” which would lead to a system crash if terminated. Additionally, it employs a legitimate-looking Windows credential prompt to trick users into entering their passwords, which are subsequently exfiltrated to an attacker-controlled server.

Analysis of the payload’s code has revealed hardcoded encryption keys that link the campaign to a financially motivated threat actor known as Water Gamayun (also referred to as EncryptHub). This group has a history of combining advanced social engineering with custom malware to target English-speaking IT professionals and developers.

To mitigate these risks, employees must be trained to remain vigilant against unsolicited contact, even on trusted internal platforms. All requests for credentials or the installation of remote access software should be independently verified through a known, separate communication channel.

As cyber threats continue to evolve, a comprehensive defense strategy that combines technical safeguards with robust user education is essential to protect organizations from attacks that exploit collaboration tools as vectors for compromise.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates.