Technology

Fake IT support calls on Microsoft Teams push EtherRAT malware

Bleeping Computer July 06, 2026 1 views
Fake IT support calls on Microsoft Teams push EtherRAT malware

Advertisement

Microsoft Teams
Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks.
The campaign, reported by Palo Alto Networks' Unit 42, combines phishing emails, Microsoft Teams voice calls, legitimate remote management tools, and a Node.js-based malware loader to compromise victims' computers.
According to a
report by Unit 42 posted on GitHub, the attack begins with a phishing email containing an "Employee Survey" lure and a malicious PDF attachment.
Shortly after opening the document, the victim receives a Microsoft Teams voice call from an external account impersonating a "System Administrator."
The researchers observed the Teams session displaying the "External unfamiliar" label, indicating the caller belonged to a different Microsoft 365 tenant than the recipient. Audit logs showed the attacker initiated the external chat using the account helpdesk@Progressive936.onmicrosoft[.]com while posing as IT support.
After convincing the victim to grant remote control via Microsoft Teams' built-in screen-sharing feature, the attacker guided them through installing legitimate remote-access tools, including HopToDesk and AnyDesk.
After establishing remote access, they downloaded and executed a malicious MSI installer (v7.msi) from camorreado[.]click. The MSI acts as a malware loader, downloading a legitimate Node.js runtime, decrypting embedded payloads, and ultimately launching EtherRAT.
EtherRAT is a cross-platform remote access trojan written in Node.js that gives attackers full control over compromised systems.
The malware can execute commands, manipulate files, steal data, and maintain persistence, while using Ethereum smart contracts to retrieve its active command-and-control (C2) server, making it harder to disrupt.
EtherRAT was
previously used in state-sponsored attacks exploiting the React2Shell vulnerability and has since been adopted by numerous other threat actors.
Unit 42 says they discovered an open directory on a distribution server containing multiple versions of the malware installers (v1 through v9), indicating the campaign is actively being developed.
Teams attacks force Microsoft to add new protections
The latest campaign follows a growing number of attacks abusing Microsoft Teams to breach corporate networks.
In March, a
campaign targeted financial and healthcare organizations by flooding victims' inboxes with spam, then contacting them via Microsoft Teams, posing as company IT staff. Victims were tricked into launching Quick Assist sessions that ultimately led to the deployment of the newly documented A0Backdoor malware.
A month later, Microsoft warned that attackers were
increasingly abusing external Microsoft Teams to impersonate helpdesk personnel and convince employees to give them remote access to their devices. Once inside the network, the attackers performed reconnaissance, spread laterally to other devices, and ultimately stole data.
To help defend against these attacks, Microsoft has been adding new protections to Teams.
Earlier this year, the company
added warnings that identify external callers and chats to protect against potential phishing/vishing attacks.
Last week, Microsoft also introduced a new Teams administrator policy that automatically
places suspected third-party bots into the meeting lobby until organizers can manually approve their admission.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now

<small>Source: Bleeping Computer</small>

How did this make you feel?

Advertisement

Category
Technology

Advertisement