
Post: Fake Microsoft Teams installers push Oyster malware via malvertising


<div> <div> <p>Hackers have been spotted using SEO poisoning and search engine advertisements to promote fake Microsoft Teams installers that infect Windows devices with the Oyster backdoor, providing initial access to corporate networks.</p> <p>The Oyster malware, also known as Broomstick and CleanUpLoader, is a backdoor that first appeared in mid-2023 and has since been linked to multiple campaigns. It gives attackers remote access to infected devices, allowing them to execute commands, deploy additional payloads, and transfer files.</p> <p>Oyster is commonly <a href="https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools/" rel="nofollow noopener" target="_blank">spread through malvertising campaigns</a> that impersonate popular IT tools such as PuTTY and WinSCP. Ransomware operations, <a href="http://go.recordedfuture.com/hubfs/reports/cta-2025-0130.pdf" rel="nofollow noopener" target="_blank">like Rhysida</a>, have also used the malware to breach corporate networks.</p> <h2>Fake Microsoft Teams installer pushes malware</h2> <p>In a new malvertising and SEO poisoning campaign spotted by <a href="https://go.recordedfuture.com/hubfs/reports/cta-2025-0130.pdf" rel="nofollow noopener" target="_blank">Blackpoint SOC</a>, threat actors are promoting a fake site that appears when visitors search for &ldquo;Teams download.&rdquo;</p> <div> <p><img decoding="async" alt="Malicious Microsoft Teams download site in Bing" height="202" src="https://datalake.azaeo.com/wp-content/uploads/2025/09/teams-advertisement.jpg" width="922" /></p> </div> <p>While the ads and domain do not spoof Microsoft's domain, they lead to a website at teams-install[.]top that impersonates Microsoft's Teams download site. Clicking on the download link downloads a file called MSTeamsSetup.exe.</p> <div> <p><img decoding="async" alt="Fake Microsoft Teams site pushing Oyster malware installer" height="600" src="https://datalake.azaeo.com/wp-content/uploads/2025/09/teams-phishing-site.jpg" width="1045" /></p> </div> <p>The malicious MSTeamsSetup.exe was code-signed with certificates from &ldquo;4th State Oy&rdquo; and &ldquo;NRM NETWORK RISK MANAGEMENT INC&rdquo; to add legitimacy to the file. A valid Authenticode signature only establishes who signed a binary, not that the binary is what its name claims: a Teams installer signed by any publisher other than Microsoft should be treated as suspect.</p> <p>When executed, the fake installer dropped a malicious DLL named CaptureService.dll [<a href="https://www.virustotal.com/gui/file/d47f28bf33f5f6ee348f465aabbfff606a0feddb1fb4bd375b282ba1b818ce9a" rel="nofollow noopener" target="_blank">VirusTotal</a>] into the %APPDATA%\Roaming folder.</p> <p>For persistence, the installer creates a scheduled task named &ldquo;CaptureService&rdquo; that executes the DLL every 11 minutes, so the backdoor is relaunched after a reboot and keeps checking in even if its process is killed.</p> <p>This activity resembles <a href="https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/" rel="nofollow noopener" target="_blank">previous fake Google Chrome and Microsoft Teams installers</a> that pushed Oyster, highlighting how SEO poisoning and malvertising remain a popular tactic for breaching corporate networks.</p> <p>&ldquo;This activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors under the guise of trusted software,&rdquo; concludes Blackpoint.</p> <p>&ldquo;Much like the fake PuTTY campaigns observed earlier this year, threat actors are exploiting user trust in search results and well-known brands to gain initial access.&rdquo;</p> <p>Because IT admins are a popular target, as their credentials often carry high privileges, they are advised to download software only from the vendor's verified domains and to avoid clicking on search engine advertisements.</p> </div> </div> <div> <div> 
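The persistence described above (a DLL dropped in the roaming profile and launched by a scheduled task every 11 minutes) leaves traces that can be hunted for offline. The following Python is an added example, not code from the article or from Blackpoint's report: it parses Windows Task Scheduler XML, as printed by `schtasks /query /tn <name> /xml` or copied from the files under C:\Windows\System32\Tasks, and flags the traits the article reports (the task name, the payload name, a short repetition interval, and an action that runs from a user-writable path). The two sample tasks are constructed for the example; the user name, the use of rundll32.exe to invoke the DLL (the article does not say how the DLL is executed), and the 15-minute interval threshold are assumptions, not values from the report.

```python
"""Offline triage of Windows Task Scheduler XML for Oyster-style persistence.

Added example; not code from the BleepingComputer article or Blackpoint's report.
Input is the XML that `schtasks /query /tn <name> /xml` prints or the files under
C:\\Windows\\System32\\Tasks (those are UTF-16 on disk, so read them as bytes).
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators taken from the article: task name, DLL name and the 11-minute cadence.
KNOWN_TASK_NAMES = {"captureservice"}
KNOWN_FILE_NAMES = {"captureservice.dll"}
# Repetition tighter than this is treated as beacon-like. 15 minutes is a tuning
# choice for this example, not a value from the report.
MAX_BENIGN_INTERVAL_S = 15 * 60

# Locations a standard user can write to; legitimate scheduled tasks rarely run from them.
USER_WRITABLE = re.compile(r"(?i)(\\AppData\\(Roaming|Local|LocalLow)\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\Temp\\)")
# LOLBins that let a task "execute a DLL". The article does not say which one the
# Oyster task uses; treating these as the launcher is an assumption.
DLL_LAUNCHERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(value):
    """Convert a Task Scheduler duration such as 'PT11M' or 'P1DT2H' to seconds."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % value)
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task(xml_source):
    """Return a list of findings for one task; an empty list means nothing matched."""
    root = ET.fromstring(xml_source)
    findings = []

    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    task_name = uri.rsplit("\\", 1)[-1]
    if task_name.lower() in KNOWN_TASK_NAMES:
        findings.append("task name %r matches the reported Oyster persistence task" % task_name)

    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        seconds = iso_duration_seconds(interval.text or "")
        if 0 < seconds < MAX_BENIGN_INTERVAL_S:
            findings.append("repeats every %d s (beacon-like; the report cites 11 minutes)" % seconds)

    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        cmdline = (command + " " + arguments).strip()
        if USER_WRITABLE.search(cmdline):
            findings.append("action runs from a user-writable profile path: " + cmdline)
        launcher = command.rsplit("\\", 1)[-1].lower()
        if launcher in DLL_LAUNCHERS and ".dll" in arguments.lower():
            findings.append("%s is used to load a DLL from a scheduled task" % launcher)
        for name in KNOWN_FILE_NAMES:
            if name in cmdline.lower():
                findings.append("command line references the reported payload " + name)
    return findings


def triage_task_file(path):
    """Triage one exported task file; bytes are passed through so UTF-16 exports parse."""
    with open(path, "rb") as fh:
        return triage_task(fh.read())


# Constructed sample of what the reported CaptureService task could look like.
# The user name and the rundll32 entry point are invented for the example.
SAMPLE_OYSTER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\CaptureService</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT11M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-09-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\CaptureService.dll,Update</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: a weekly system task that runs from %windir%.
SAMPLE_BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-09-03T01:00:00</StartBoundary>
      <ScheduleByWeek><DaysOfWeek><Wednesday /></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("CaptureService", SAMPLE_OYSTER_TASK), ("ScheduledDefrag", SAMPLE_BENIGN_TASK)):
        print(label, "->", triage_task(xml_text) or ["no findings"])
```

Run against a directory copy of System32\Tasks, `triage_task_file` can be applied to every file; the name and payload checks are specific to this campaign, while the interval and user-writable-path checks catch the same persistence pattern under a renamed task or DLL.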
<h5><a href="https://www.bleepingcomputer.com/author/lawrence-abrams/" target="_blank">Lawrence Abrams</a> <span> <a href="mailto:lawrence.abrams@bleepingcomputer.com">Email</a> <a href="https://twitter.com/LawrenceAbrams" rel="noopener" target="_blank">Twitter</a></span></h5> <p> Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence&rsquo;s areas of expertise include Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. </p> </div> </div> </div></div>