A major new threat is targeting everyday computer users by hiding a dangerous program inside what looks like a genuine Microsoft Teams installer. This malicious program, known as Oyster (or sometimes Broomstick), is a backdoor that gives cybercriminals secret, long-term access to a victim’s computer. The security group Blackpoint Cyber’s Advisory Pursuit team is actively watching this widespread campaign and shared its details with Hackread.com.
How the Attack Works
Attackers use a two-part trick in search engines to get users to download their malicious files. First, they use SEO poisoning to make their fake download pages rank high in search results. Second, they use malvertising, which means paying for malicious advertisements that pop up when people search for “Teams download.” After all, many people trust the first few results they see.
If you click one of these fake links, you land on a spoofed website. One of the observed domains was teams-install.top. Once there, you are tricked into downloading a file named MSTeamsSetup.exe.

Further probing revealed that the criminals even signed their fake installers with untrustworthy certificates, issued by companies like 4th State Oy and NRM NETWORK RISK MANAGEMENT INC., to make the file look legitimate and bypass basic security checks. When you run this file, the Oyster backdoor silently installs itself, and the real Microsoft Teams program might also launch to avoid suspicion.
Oyster: The Invisible Spy
Oyster is a versatile malware that establishes Command and Control (C2) communication. For your information, C2 is basically a secret line of contact that lets the attackers send instructions to the compromised machine from their own servers.
The research identified examples of these attacker-controlled servers, such as nickbush24.com or techwisenetwork.com. This remote control allows them to gather information about your system or even deliver more damaging viruses.
To maintain long-term access, the malware also secretly creates a recurring “scheduled task” on the machine, named CaptureService. It is linked to a hidden malicious file, guaranteeing the connection will start up again even after a restart.
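To turn the indicators above into something a defender can run, here is an added Python example (it is not code from the article or from Blackpoint Cyber). It sweeps constructed proxy-log and Windows scheduled-task-creation records for the lure domain, the two C2 domains, the installer file name served from a host other than Microsoft's, and a task named CaptureService or one whose action runs from a user-writable directory. The log line formats, the trusted-host suffixes and the user-writable path markers are assumptions made for the example; only the domain names, the file name and the task name come from the article.

```python
"""Detection sweep for the fake-Teams / Oyster indicators in the article.

Added example, not the article's or Blackpoint Cyber's code. The log
formats are constructed for illustration; the domains, file name and
task name are the ones the article reports.
"""
import re
from dataclasses import dataclass

# Indicators taken from the article.
LURE_DOMAINS = {"teams-install.top"}
C2_DOMAINS = {"nickbush24.com", "techwisenetwork.com"}
LURE_FILENAME = "MSTeamsSetup.exe"
PERSISTENCE_TASK = "CaptureService"

# Assumption: host suffixes from which a genuine Teams installer may be served.
TRUSTED_DOWNLOAD_SUFFIXES = (".microsoft.com", ".office.net", ".office.com")

# Assumption: directories a user-level dropper typically lands in.
SUSPICIOUS_PATH_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Alert:
    kind: str    # short rule name
    detail: str  # the host, task name or command that triggered it
    line: str    # the original log line, for the analyst


# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (https?://([^/\s]+)(/\S*)?) (\d{3})$")

# Constructed flattening of a Windows 4698 (scheduled task created) event.
TASK_RE = re.compile(r'^EventID=(\d+)\s+TaskName="([^"]*)"\s+Command="([^"]*)"')


def _trusted_host(host):
    """True if the host is (or is under) one of the assumed-legitimate suffixes."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_DOWNLOAD_SUFFIXES)


def check_proxy_line(line):
    """Flag lure-site visits, C2 beacons, and the installer fetched from elsewhere."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    host, path = m.group(5).lower(), (m.group(6) or "").lower()
    if host in LURE_DOMAINS:
        return Alert("lure-site", host, line)
    if host in C2_DOMAINS:
        return Alert("c2-beacon", host, line)
    if path.endswith("/" + LURE_FILENAME.lower()) and not _trusted_host(host):
        return Alert("installer-from-untrusted-host", host, line)
    return None


def check_task_event(line):
    """Flag the known task name, or any new task whose action lives in a user-writable path."""
    m = TASK_RE.match(line.strip())
    if not m or m.group(1) != "4698":
        return None
    task_path, command = m.group(2), m.group(3)
    name = task_path.rsplit("\\", 1)[-1]
    if name.lower() == PERSISTENCE_TASK.lower():
        return Alert("known-persistence-task", name, line)
    if any(marker in command.lower() for marker in SUSPICIOUS_PATH_MARKERS):
        return Alert("task-runs-from-user-writable-path", command, line)
    return None


def sweep(lines):
    """Run every checker over every line; one alert per line at most."""
    alerts = []
    for line in lines:
        for checker in (check_proxy_line, check_task_event):
            alert = checker(line)
            if alert:
                alerts.append(alert)
                break
    return alerts


# Constructed sample records: the timestamps, IPs, user names and the
# mirror host are made up; statics.teams.cdn.office.net stands in for a
# legitimate Microsoft download host.
SAMPLE_LOGS = [
    "2025-10-01T09:12:01Z 10.0.0.5 GET https://teams-install.top/download 200",
    "2025-10-01T09:12:09Z 10.0.0.5 GET https://teams-install.top/MSTeamsSetup.exe 200",
    "2025-10-01T09:13:00Z 10.0.0.7 GET https://statics.teams.cdn.office.net/win/MSTeamsSetup.exe 200",
    "2025-10-01T09:13:30Z 10.0.0.9 GET https://cdn.example-mirror.net/files/MSTeamsSetup.exe 200",
    r'EventID=4698 TaskName="\CaptureService" Command="C:\Users\alice\AppData\Roaming\svc\updater.exe"',
    r'EventID=4698 TaskName="\Microsoft\Windows\Defrag\ScheduledDefrag" Command="%windir%\system32\defrag.exe"',
    r'EventID=4698 TaskName="\Updater" Command="C:\Users\bob\AppData\Local\Temp\x.exe"',
    "2025-10-01T09:20:00Z 10.0.0.5 POST https://nickbush24.com/api/check-in 200",
]


def alert_kinds(lines=SAMPLE_LOGS):
    """Convenience wrapper returning only the rule names that fired, in order."""
    return [a.kind for a in sweep(lines)]


if __name__ == "__main__":
    for a in sweep(SAMPLE_LOGS):
        print(f"{a.kind:36} {a.detail}")
```

The legitimate download from a Microsoft host and the built-in Defrag task pass through silently, while the lure-site visits, the installer served from a third-party mirror, the CaptureService task, a task running from a Temp directory, and the beacon to a C2 domain each raise one alert. In a real deployment the regexes would be replaced by the parser for whatever proxy and event-log formats are in use; the rule logic stays the same.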
It is worth noting that this particular attack has been effective because the malware can blend in easily with normal computer activity, even managing to get past some well-known security programs.
This kind of attack is not new, and, according to Jason Barnhizer, Director of Threat Operations at Blackpoint Cyber, “this activity mirrors earlier fake PuTTY campaigns, underscoring an ongoing trend of adversaries weaponising trusted software brands to gain initial access.”
Blackpoint Cyber researchers strongly advise everyone to download software cautiously. To stay safe, you should always go straight to the official vendor’s website (like Microsoft’s actual domain) or use a saved bookmark, rather than casually clicking on links that appear in search results or advertisements.
