A sophisticated malvertising campaign is using fake Microsoft Teams installers to compromise corporate systems, leveraging poisoned search engine results and abused code-signing certificates to deliver the Oyster backdoor malware.
The attack was neutralized by Microsoft Defender’s Attack Surface Reduction (ASR) rules, which blocked the malware from establishing contact with its command-and-control server.
The multi-stage attack highlights an increasing trend of threat actors using legitimate services to appear trustworthy and evade traditional security measures.
By using short-lived, valid code-signing certificates, the attackers were able to bypass initial signature-based detection and trick systems into trusting the malicious software.
Oyster Malware Via Microsoft Teams Installer
Conscia’s forensic investigation revealed a rapid and automated attack sequence that began with a simple web search.
On September 25, 2025, an employee’s search on Bing for Microsoft Teams led to a malicious redirect. Within just 11 seconds of the initial search, the user was funneled from bing.com through a redirect domain (team.frywow.com) to a malicious site, teams-install.icu.
This rapid redirection points to an automated process, likely driven by a malvertising campaign or a poisoned search engine result that placed the malicious link high in the search rankings.
The domain teams-install.icu was designed to spoof a legitimate Microsoft download page and was hosted on Cloudflare to further mask its malicious intent. Once the user landed on the page, a file named MSTeamsSetup.exe was downloaded.
Roughly an hour later, the file was executed. Although it appeared to be a legitimate installer, it was in fact the Oyster malware. The attack was only stopped when Microsoft Defender’s ASR rules detected and blocked the malware’s attempt to connect to its C2 server at nickbush24.com.
The core of this campaign’s sophistication lies in its abuse of code-signing certificates. The malicious executable was signed by a seemingly legitimate entity named “KUTTANADAN CREATIONS INC.” using a certificate that was valid for only two days, from September 24 to 26, 2025.
This emerging tactic allows threat actors to:
- Bypass Security: Signed files are often trusted by default, evading antivirus and other signature-based checks.
- Minimize Detection: The short lifespan of the certificate reduces the window for security vendors to identify and revoke it.
- Automate Attacks: Attackers can automate the process of obtaining and signing malware with fresh certificates for different campaigns.
Conscia research uncovered other similar short-lived certificates used by signers like “Shanxi Yanghua HOME Furnishings Ltd,” suggesting a larger, well-orchestrated operation.
This incident was neutralized before any data could be exfiltrated or further payloads like ransomware could be deployed. The successful prevention demonstrates that traditional security measures are no longer sufficient. Trust in digital certificates cannot be absolute, and organizations must deploy advanced endpoint protection.
Had the ASR rules not been in place, the Oyster backdoor (also known as Broomstick or CleanUpLoader) would have established persistent access to the compromised system. This would have enabled the attackers to conduct data theft, deploy additional malware, and move laterally across the network.
Key lessons from this attack are clear: attackers are evolving their use of legitimate system tools (“living-off-the-land“), certificate trust is being actively weaponized, and the speed of automated attacks requires robust, behavior-based security controls like ASR to prevent a compromise that can occur in seconds.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
