Cybersecurity researchers have identified a sophisticated campaign where threat actors are using malicious advertisements and search engine optimization poisoning to distribute fake Microsoft Teams installers containing the Oyster backdoor malware.
The campaign targets users searching for legitimate Microsoft Teams downloads through search engines.
When users search for terms like “teams download,” they encounter fraudulent sponsored advertisements that closely mimic official Microsoft download pages.
These malicious ads redirect victims to spoofed websites hosting trojanized installers disguised as legitimate Teams software.
One identified attack domain, teams-install[.]top, served malicious MSTeamsSetup.exe files to unsuspecting users.
The fake installers appear authentic and even include digital signatures from entities like “4th State Oy” and “NRM NETWORK RISK MANAGEMENT INC” to bypass basic security checks and reduce user suspicion.
Oyster Backdoor Deployment
Upon execution, the malicious installer deploys the Oyster backdoor, also known as Broomstick, a modular multistage malware designed for persistent remote access, as reported by Blackpoint Cyber.
The malware drops a DLL file named CaptureService.dll into a randomly generated folder within the user’s %APPDATA%Roaming directory.
To maintain persistence, the malware creates a scheduled task called “CaptureService” that regularly executes rundll32.exe to load the malicious DLL.
This technique allows the backdoor to blend into normal Windows system activity while maintaining long-term access to compromised systems.
The Oyster backdoor provides attackers with comprehensive capabilities including remote system access, host information collection, command and control communications, and the ability to deploy additional payloads.
During this campaign, researchers observed the malware communicating with attacker-controlled domains including nickbush24[.]com and techwisenetwork[.]com.
This campaign bears striking resemblance to previous fake PuTTY distribution campaigns, indicating a recurring trend where cybercriminals weaponize trusted software brands to establish initial system access.
By impersonating widely-used enterprise collaboration tools, attackers increase their chances of successful infection while maintaining stealth.
Security teams should monitor for several key indicators including new scheduled tasks named “CaptureService,” rundll32.exe processes loading DLLs from suspicious directories, and network communications to newly registered or suspicious domains.
Organizations can protect themselves by implementing several security measures:
- Downloading software exclusively from official vendor domains rather than search results
- Using saved bookmarks for trusted software downloads
- Deploying allowlisting controls to block unsigned or untrusted installers, and providing user training on malvertising and SEO poisoning risks.
The campaign highlights how threat actors continue leveraging user trust in familiar enterprise software and search engine results to lower infection barriers.
By combining malvertising techniques with commodity malware families, attackers create effective attack vectors that can evade traditional security controls.
Security professionals emphasize the importance of user awareness training and technical controls to combat these increasingly sophisticated social engineering attacks targeting enterprise software downloads.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
