A sophisticated cyber campaign is exploiting the trust users place in popular collaboration software, tricking them into downloading a weaponized version of Microsoft Teams to gain remote access to their systems.
Threat actors are using search engine optimization (SEO) poisoning and malicious advertisements to lure unsuspecting victims to fraudulent download pages, a tactic that closely mirrors previous campaigns involving other trusted software.
Blackpoint has identified a new wave of attacks where users searching for “Microsoft Teams download” are presented with malicious ads that redirect them to spoofed websites.
One such domain, teams-install[.]top, has been observed impersonating the official Microsoft download portal, offering a malicious file named MSTeamsSetup.exe.
To appear legitimate, these fake installers are often signed with untrustworthy digital certificates from issuers like “4th State Oy” and “NRM NETWORK RISK MANAGEMENT INC.”. This technique helps bypass basic security checks that flag unsigned software.
Weaponized Microsoft Teams Delivers Oyster Backdoor
Executing the fraudulent installer triggers a multi-stage attack that deploys a persistent backdoor known as Oyster, or Broomstick.
The malware drops a malicious DLL file named CaptureService.dll into the %APPDATA%\Roaming folder and establishes persistence by creating a scheduled task called CaptureService.
This task is configured to run the DLL periodically, ensuring the backdoor remains active even after a system reboot and allowing it to blend in with normal Windows activity.
The Oyster backdoor provides attackers with a strong foothold in the compromised network.
It allows for remote access, collects system information, and establishes communication with command-and-control (C2) servers to exfiltrate data and receive further instructions or payloads.
In this campaign, Oyster has been observed communicating with C2 domains such as nickbush24[.]com and techwisenetwork[.]com, Blackpoint analysis revealed.
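The indicators above (the spoofed download domain, the signer names, the dropped DLL path, the scheduled task name and the C2 domains) are enough to build a simple threat hunt. The following is an added example, not Blackpoint's tooling or code from the article: it scans constructed, Sysmon-style telemetry lines for those indicators and then correlates the two persistence artifacts (DLL drop plus scheduled task) per host. The event format, field names, hostnames and the rundll32 task action are assumptions made for the example.

```python
"""Hunt for the fake-Teams / Oyster indicators over endpoint telemetry.

Constructed sample events, loosely modelled on Sysmon event types; the
pipe-delimited key=value format and field names are assumptions."""

# Indicators from the article (defanged domains refanged for matching).
C2_DOMAINS = {"nickbush24.com", "techwisenetwork.com"}
LURE_DOMAINS = {"teams-install.top"}
DROPPER_NAME = "msteamssetup.exe"
DLL_NAME = "captureservice.dll"
TASK_NAME = "captureservice"
SUSPICIOUS_SIGNERS = {"4th state oy", "nrm network risk management inc."}

# Constructed telemetry: "type|field=value|field=value...". WS01 shows the
# full chain; WS02 is a benign install of the real client for contrast.
SAMPLE_EVENTS = """\
process_create|host=WS01|image=C:\\Users\\alice\\Downloads\\MSTeamsSetup.exe|signer=4th State Oy
file_create|host=WS01|target=C:\\Users\\alice\\AppData\\Roaming\\CaptureService.dll|image=C:\\Users\\alice\\Downloads\\MSTeamsSetup.exe
task_create|host=WS01|task=\\CaptureService|action=rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\CaptureService.dll,Start
dns_query|host=WS01|query=nickbush24.com|image=C:\\Windows\\System32\\rundll32.exe
process_create|host=WS02|image=C:\\Program Files\\Teams Installer\\Teams.exe|signer=Microsoft Corporation
dns_query|host=WS02|query=teams.microsoft.com|image=C:\\Program Files\\Teams Installer\\Teams.exe
"""


def parse_event(line):
    """Turn one telemetry line into a dict; the first field is the event type."""
    parts = line.split("|")
    event = {"type": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return (severity, tag, detail) findings for a single event."""
    findings = []
    kind = event["type"]
    if kind == "process_create":
        signer = event.get("signer", "").lower()
        if basename(event.get("image", "")) == DROPPER_NAME and signer in SUSPICIOUS_SIGNERS:
            findings.append(("high", "dropper", "MSTeamsSetup.exe signed by " + signer))
        elif signer in SUSPICIOUS_SIGNERS:
            findings.append(("medium", "signer", "binary signed by " + signer))
    elif kind == "file_create":
        target = event.get("target", "")
        # Article: CaptureService.dll is written under the roaming AppData folder.
        if basename(target) == DLL_NAME and "\\appdata\\roaming\\" in target.lower():
            findings.append(("high", "dll_drop", target))
    elif kind == "task_create":
        if event.get("task", "").strip("\\").lower() == TASK_NAME:
            findings.append(("high", "task", event.get("action", "")))
    elif kind == "dns_query":
        query = event.get("query", "").lower()
        if query in C2_DOMAINS:
            findings.append(("high", "c2", query))
        elif query in LURE_DOMAINS:
            findings.append(("medium", "lure", query))
    return findings


def hunt(telemetry):
    """Scan telemetry text and group findings by host."""
    per_host = {}
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for finding in check_event(event):
            per_host.setdefault(event.get("host", "?"), []).append(finding)
    return per_host


def hosts_with_persistence(per_host):
    """Hosts where both the DLL drop and the scheduled task were observed,
    i.e. the persistence pair the article attributes to Oyster."""
    result = []
    for host, findings in per_host.items():
        tags = {tag for _, tag, _ in findings}
        if {"dll_drop", "task"} <= tags:
            result.append(host)
    return sorted(result)


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for host, findings in hits.items():
        for severity, tag, detail in findings:
            print(f"{host}: [{severity}] {tag}: {detail}")
    print("persistence pair present on:", hosts_with_persistence(hits))
```

Single-indicator hits (a lone DNS query, a suspicious signer) are worth triage on their own, but the DLL-drop plus scheduled-task pair on the same host is the strongest signal, which is why the script reports it separately.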

This campaign is not an isolated incident but part of a broader trend where cybercriminals weaponize well-known software brands to achieve initial access. The tactics are similar to previous campaigns that distributed fake installers for PuTTY, WinSCP, and Google Chrome.
By leveraging malvertising and SEO poisoning, attackers can effectively target a wide audience, exploiting user trust in both search engines and popular enterprise tools.
The use of the Oyster backdoor is particularly concerning, as it has been linked to ransomware operations like Rhysida, which have used it to infiltrate corporate networks.
This strategy highlights a shift where threat actors are not just relying on phishing emails but are actively poisoning the software supply chain at the user-download level.
The campaign is designed to bypass some traditional antivirus and endpoint detection and response (EDR) solutions, making it a stealthy and dangerous threat.
To mitigate this risk, organizations and individuals are strongly advised to download software exclusively from official vendor websites.
Using saved bookmarks for frequently accessed download pages is recommended over relying on search engine results, especially sponsored advertisements. Vigilance and user education remain critical lines of defense against these evolving social engineering tactics.