Malvertising Scam Uses Fake Teams Installer to Drop Oyster Backdoor

Hackers are currently using SEO poisoning and fake search engine ads to push malicious Microsoft Teams installers. If a victim runs the fake file on a Windows machine, it quietly installs a backdoor known as Oyster, giving the attackers initial access to the corporate network.

The Oyster malware (also called Broomstick or CleanUpLoader) has been active since mid-2023 and provides remote access, allowing criminals to run commands, deploy more harmful tools, and steal files. It’s frequently spread through malvertising that impersonates well-known IT applications like PuTTY and WinSCP, and has been used by ransomware gangs, including Rhysida. 

In this new campaign, spotted by Blackpoint SOC, the attackers promote a fake website that appears when users search for "Teams download." Although the site's domain, teams-install.top, doesn't mimic Microsoft directly, the page itself looks exactly like the official Microsoft Teams download site. Clicking the link downloads a file named MSTeamsSetup.exe, the correct filename for the legitimate installer. 

Stealth and Persistence 

The malicious MSTeamsSetup.exe file was code-signed with fake certificates from companies like "4th State Oy" and "NRM NETWORK RISK MANAGEMENT INC" to make it look legitimate. When executed, the fake installer drops a malicious DLL named CaptureService.dll into the user's %APPDATA%\Roaming folder. To keep the backdoor active, the installer creates a scheduled task, also named "CaptureService," that runs the DLL every 11 minutes, so the implant survives reboots.
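The persistence pattern described above (a DLL in the user's Roaming profile, launched by a scheduled task on a minutes-scale repeat) is something defenders can hunt for in scheduled-task inventories. The triage script below is an added example for this article, not code from the article or from Blackpoint; it assumes task records have already been flattened to name / action / repeat interval / author fields (for instance from a `schtasks /query /fo CSV /v` export), and the sample records are constructed.

```python
import re

# Constructed sample records (not real exports). Each record is assumed to carry the
# task name, the command it runs, its repeat interval text and its author.
SAMPLE_TASKS = [
    {"name": r"\CaptureService",
     "action": r'rundll32.exe "C:\Users\alice\AppData\Roaming\CaptureService.dll",DllMain',
     "repeat_every": "0 Hour(s), 11 Minute(s)", "author": "alice"},
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$",
     "repeat_every": "N/A", "author": "Microsoft Corporation"},
    {"name": r"\OneDrive Standalone Update Task",
     "action": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "repeat_every": "N/A", "author": "Microsoft Corporation"},
]

SHORT_REPEAT_MINUTES = 15   # hunt threshold (assumption): beacon-like cadences are minutes, not hours
_INTERVAL = re.compile(r"(?:(\d+)\s*Hour\(s\))?,?\s*(?:(\d+)\s*Minute\(s\))?")

def parse_interval_minutes(text):
    """Convert 'H Hour(s), M Minute(s)' to minutes; return None for N/A or unparsable text."""
    m = _INTERVAL.fullmatch(text.strip())
    if not m or (m.group(1) is None and m.group(2) is None):
        return None
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)

def score_task(task):
    """Return the list of heuristic hits for one scheduled-task record."""
    action = task["action"].lower()
    hits = []
    if ("rundll32" in action or "regsvr32" in action) and ".dll" in action:
        hits.append("dll_loader")           # DLL executed through a living-off-the-land loader
    if "\\appdata\\roaming\\" in action:
        hits.append("roaming_appdata")      # payload sits in a user-writable profile folder
    minutes = parse_interval_minutes(task.get("repeat_every", "N/A"))
    if minutes is not None and 0 < minutes <= SHORT_REPEAT_MINUTES:
        hits.append(f"repeats_every_{minutes}m")  # tight repeat cadence keeps the implant alive
    return hits

def triage_tasks(tasks, min_hits=2):
    """Return [(task name, hits)] for every task tripping at least min_hits heuristics."""
    flagged = []
    for task in tasks:
        hits = score_task(task)
        if len(hits) >= min_hits:
            flagged.append((task["name"], hits))
    return flagged

if __name__ == "__main__":
    for name, hits in triage_tasks(SAMPLE_TASKS):
        print(f"SUSPICIOUS {name}: {', '.join(hits)}")
```

Each heuristic alone produces noise (plenty of legitimate software lives under AppData); requiring two or more hits keeps the output to tasks that combine a user-writable DLL path with an unusual loader or cadence.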

This activity closely resembles earlier campaigns that used fake installers for Google Chrome and Microsoft Teams, showing that abusing search results and paid advertisements remains a favored way into corporate networks. Security experts advise IT administrators, who are often targeted for their high-privilege credentials, to download software only from verified, official domains and to avoid clicking on search engine advertisements entirely.
