A sophisticated malvertising campaign has been targeting organizations through a weaponized Microsoft Teams installer that delivers the dangerous Oyster malware, according to a recent investigation by cybersecurity experts.
The attack demonstrates an alarming evolution in threat actor tactics, combining SEO poisoning, certificate abuse, and living-off-the-land techniques to evade traditional security measures.
The activity was first detected on September 25, 2025, when Microsoft Defender's Attack Surface Reduction (ASR) rules blocked suspicious outbound connections from a newly executed file.
That block stopped the intrusion before any post-execution damage occurred, and it illustrates how much depends on endpoint protection policies being properly configured rather than left at defaults.
The investigation revealed a remarkably fast attack sequence, with victims being redirected from legitimate Bing searches to malicious infrastructure in just 11 seconds—a timeframe far too rapid for manual user interaction, indicating sophisticated automated redirect mechanisms.
The Attack Chain: From Search to Compromise
The threat actors employed a multi-stage approach beginning with malvertising that positioned malicious sites in search results for Microsoft Teams related queries.
Victims searching for Teams downloads were automatically redirected through a carefully constructed chain: Bing Search → team.frywow.com → teams-install.icu.
The malicious domain “teams-install.icu” was specifically crafted to appear as a legitimate Microsoft property, hosted on Cloudflare infrastructure (IP ranges: 104.21.x.x, 172.67.x.x) to leverage the CDN’s trusted reputation.
The domain presented a valid TLS certificate from Google Trust Services, but with an unusually short validity period of just two days (September 24-26, 2025), consistent with infrastructure stood up for a single short campaign.
What makes this campaign particularly sophisticated is the threat actors’ abuse of legitimate code-signing services. The malicious MSTeamsSetup.exe file was digitally signed with a valid certificate from “KUTTANADAN CREATIONS INC.” using the Microsoft ID Verified CS EOC CA 01 certificate chain.
This certificate likewise had a lifespan of only two days. The pattern is an emerging one: attackers obtain legitimate short-lived certificates so that the binary passes reputation and trust checks that favor signed code, while the certificate expires before the issuer's revocation process can catch up with it.
Security researchers have identified similar certificates being used in related campaigns, including signers such as “Shanxi Yanghua HOME Furnishings Ltd,” suggesting a coordinated operation.
The Oyster Malware Payload
The weaponized installer was designed to deploy a variant of the Oyster backdoor (also known as Broomstick or CleanUpLoader).
This sophisticated malware family is capable of establishing persistent backdoor access, conducting data exfiltration, deploying additional payloads, and potentially facilitating ransomware deployment.
The attack timeline shows the malware attempting to establish command and control communication with nickbush24.com immediately after execution.
However, Microsoft Defender blocked this connection, neutralizing the threat before the backdoor could receive tasking. (Outbound blocking of this kind is performed by Defender's network protection, which is deployed alongside ASR rules; the investigation attributes the block to the ASR policy set.)
The investigation revealed the use of living-off-the-land techniques, with the malware leveraging legitimate Windows utilities to avoid detection.
At 14:20:21, cleanmgr.exe was observed creating DismHost.exe in a temporary folder. On its own this is normal Windows behavior (Disk Cleanup legitimately extracts DismHost.exe into %TEMP%), so it is not a reliable indicator in isolation; what makes it suspicious here is its timing, immediately after the execution of an unexpected installer. Detections built on this step should correlate it with the preceding process tree rather than alert on the event alone.
Organizations should implement several critical detection mechanisms to defend against similar attacks:
Certificate Anomaly Detection: alert on executables signed with certificates valid for seven days or less, monitor for first-seen signers (especially on software installers), and track certificates issued by "Microsoft ID Verified CS EOC CA 01". One caveat: this CA belongs to Microsoft's Trusted Signing service, which issues short-lived certificates by design, so validity period alone will also flag legitimately signed software. Treat short validity as a weighting factor to be combined with a first-seen signer and the download context, not as a verdict.
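The following PowerShell function is an added example (not code from the original investigation) that implements the three certificate checks above against a downloaded installer using the built-in Get-AuthenticodeSignature cmdlet. The baseline file path, the seven-day threshold, and the scan of the Downloads folder are assumptions for illustration; the issuer name is the one reported in the article.

```powershell
# Added example, not part of the original article.
# Flags executables whose Authenticode signing certificate is short-lived, is issued by a
# watched CA, or belongs to a signer not yet in a local baseline of known-good signers.
function Test-SignerAnomaly {
    [CmdletBinding()]
    param(
        # Accepts plain paths or FileInfo objects from Get-ChildItem (binds via FullName).
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,
        [int]$MaxValidityDays = 7,                                            # assumed threshold
        [string]$KnownSignersFile = "$env:ProgramData\SignerBaseline\known-signers.txt",  # assumed path, one CN per line
        [string[]]$WatchedIssuers = @('Microsoft ID Verified CS EOC CA 01')   # issuer named in the article
    )
    begin {
        $known = if (Test-Path $KnownSignersFile) { @(Get-Content $KnownSignersFile) } else { @() }
    }
    process {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
            # Unsigned or broken signature is a finding in its own right for an installer.
            [pscustomobject]@{
                Path = $Path; Status = $sig.Status; Signer = $null; IssuerCN = $null
                ValidityDays = $null; Findings = 'UnsignedOrInvalidSignature'
            }
            return
        }
        $cert     = $sig.SignerCertificate
        $validity = ($cert.NotAfter - $cert.NotBefore).TotalDays
        $signerCN = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $issuerCN = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)

        $findings = @()
        if ($validity -le $MaxValidityDays)      { $findings += "ShortLivedCert($([math]::Round($validity, 1))d)" }
        if ($WatchedIssuers -contains $issuerCN)  { $findings += 'WatchedIssuer' }
        if ($known -notcontains $signerCN)        { $findings += 'FirstSeenSigner' }

        [pscustomobject]@{
            Path         = $Path
            Status       = $sig.Status
            Signer       = $signerCN
            IssuerCN     = $issuerCN
            ValidityDays = [math]::Round($validity, 1)
            Findings     = ($findings -join ', ')
        }
    }
}

# Usage (assumed scope): scan installers in the current user's Downloads folder and show only
# files with at least one finding. A file matching all three checks is the profile described
# in the article; a short-lived certificate from a well-known signer is usually benign.
Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.exe, *.msi -Recurse |
    Test-SignerAnomaly |
    Where-Object { $_.Findings } |
    Format-Table -AutoSize
```

Because Authenticode signatures are normally timestamped, a signature remains valid after the certificate expires; the function therefore reports on the certificate's lifetime rather than on whether it is currently within its validity window.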
Network-Based Detection: flag rapid redirects from search engines to newly registered domains, alert on executable downloads from domains with unusual TLDs such as .icu, and correlate these with the search that preceded them. The article also suggests monitoring connections to Cloudflare IPs immediately after search engine queries; because a large share of legitimate sites sit behind Cloudflare, that signal is too noisy to alert on by itself and should only add weight to a domain- and timing-based detection.
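As an added example (not the investigation's own tooling), the PowerShell function below runs the timing-based correlation described above over proxy log entries: for each client it records the most recent search engine request, then flags any request within a short window to a domain with a watched TLD, a recently registered domain, or an executable download. The log is constructed inline and modeled on the redirect chain the article reports (Bing, then team.frywow.com, then teams-install.icu); the domain_first_seen column stands in for a domain-age lookup that a real deployment would obtain from a threat intelligence or WHOIS source, and the TLD list, window, and age threshold are assumptions to tune per environment.

```powershell
# Added example, not part of the original article.
# Correlates search engine requests with follow-on requests from the same client.

# Constructed sample proxy log (CSV). Values are illustrative, modeled on the chain in the
# article; domain_first_seen represents a domain-age feed, not something a proxy logs itself.
$log = @'
time,client,host,path,referer,domain_first_seen
2025-09-25T14:19:40Z,10.0.0.5,www.bing.com,/search?q=teams+download,,2009-06-01
2025-09-25T14:19:44Z,10.0.0.5,team.frywow.com,/,https://www.bing.com/,2025-09-20
2025-09-25T14:19:51Z,10.0.0.5,teams-install.icu,/MSTeamsSetup.exe,https://team.frywow.com/,2025-09-24
2025-09-25T14:21:10Z,10.0.0.7,www.bing.com,/search?q=teams+download,,2009-06-01
2025-09-25T14:21:15Z,10.0.0.7,www.microsoft.com,/en-us/microsoft-teams/download-app,https://www.bing.com/,1991-05-02
'@ | ConvertFrom-Csv

function Find-RapidRedirect {
    param(
        [Parameter(Mandatory)] $Entries,                                   # objects with time, client, host, path, domain_first_seen
        [string[]] $SearchEngines  = @('www.bing.com', 'www.google.com'),   # assumed list
        [string[]] $SuspiciousTlds = @('.icu', '.top', '.xyz'),            # assumed watch-list; .icu is from the article
        [int]      $NewDomainDays  = 30,                                   # assumed "newly registered" threshold
        [int]      $WindowSeconds  = 30                                    # assumed correlation window
    )
    $lastSearch = @{}   # client -> time of that client's most recent search engine request

    foreach ($e in ($Entries | Sort-Object { [datetime]$_.time })) {
        $t = [datetime]$e.time
        if ($SearchEngines -contains $e.host) {
            $lastSearch[$e.client] = $t
            continue
        }
        if (-not $lastSearch.ContainsKey($e.client)) { continue }

        $since = ($t - $lastSearch[$e.client]).TotalSeconds
        if ($since -gt $WindowSeconds) { continue }

        $reasons = @()
        $tld = '.' + $e.host.Split('.')[-1]
        if ($SuspiciousTlds -contains $tld) { $reasons += "WatchedTld($tld)" }
        if ($e.domain_first_seen) {
            $ageDays = ($t - [datetime]$e.domain_first_seen).TotalDays
            if ($ageDays -lt $NewDomainDays) { $reasons += "NewDomain($([int]$ageDays)d old)" }
        }
        if ($e.path -match '\.(exe|msi)$') { $reasons += 'ExecutableDownload' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time               = $e.time
                Client             = $e.client
                Host               = $e.host
                SecondsSinceSearch = [int]$since
                Reasons            = ($reasons -join ', ')
            }
        }
    }
}

# Against the sample log this reports the two hops of the malicious chain for client 10.0.0.5
# (the gate domain as newly registered, the payload domain on all three counts) and stays
# silent for client 10.0.0.7, who reached the legitimate Microsoft download page.
Find-RapidRedirect -Entries $log | Format-Table -AutoSize
```

The function deliberately keys on the search-to-request interval rather than on referer headers, since intermediate hops in a redirect chain carry the previous hop as referer, not the search engine. On real proxy data, feed it a few thousand sorted entries at a time and treat a hit with two or more reasons as worth an analyst's attention.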
Key Lessons for Enterprise Security
This incident demonstrates that attackers are continuously evolving their techniques to bypass traditional security measures.
The speed of modern malvertising campaigns, which can land a user on a payload site within seconds of a search, underscores the importance of proactive defense measures.
The successful prevention achieved through properly configured ASR rules proves that layered security approaches remain effective against sophisticated threats.
However, organizations cannot treat a valid code signature as proof that a binary is trustworthy: certificate trust is no longer absolute when threat actors can obtain legitimate short-lived certificates and use them to pass trust-based controls.
Enterprise security teams should prioritize implementing behavioral-based detection systems, regularly reviewing and updating ASR rule configurations, and maintaining robust threat intelligence programs to identify emerging attack patterns before they can cause significant damage.
Indicators of Compromise (IOCs)
Domain Indicators
| Indicator | Description |
|---|---|
| teams-install[.]icu | Malicious payload delivery site |
| team[.]frywow[.]com | Redirect/gate infrastructure |
| witherspoon-law[.]com | Redirect/gate infrastructure |
| nickbush24[.]com | C2 server |
File Indicators
| Indicator | Description |
|---|---|
| MSTeamsSetup.exe | Name of the malicious executable |
| bd6ad2e1b62b2d0994adf322011f2a3afbb14f097efa3cbe741bc4c963e48889 | SHA256 of the malicious file |
| KUTTANADAN CREATIONS INC. | Code-signing certificate subject |