
Hackers have been spotted promoting fake Microsoft Teams installers through SEO poisoning and search engine advertisements, infecting Windows devices with the Oyster backdoor to gain initial access to corporate networks.
Oyster malware, also known as Broomstick and CleanUpLoader, is a backdoor that first appeared in mid-2023 and has been linked to several campaigns since then. The malware gives attackers remote access to infected machines, allowing them to execute commands, deploy additional payloads, and transfer files.
Oyster is usually spread through malvertising campaigns impersonating popular IT tools, such as PuTTY and WinSCP. Ransomware operations, like Rhysida, also use the malware to breach corporate networks.
Fake Microsoft Teams installer pushing malware
In a new malvertising and SEO poisoning campaign spotted by Blackpoint SOC, threat actors are promoting a fake site that appears when visitors search for “teams download”.

Source: Blackpoint
While the advertisements and domains do not spoof Microsoft's own domain, they lead to a website at team-install(.)top that imitates Microsoft's Teams download page. Clicking the download link retrieves a file named “MSTeamsSetup.exe”, the same file name used by the official Microsoft download.

Source: Blackpoint
The malicious MSTeamsSetup.exe (VirusTotal) was code-signed with certificates from “4th State Oy” and “NRM Network Risk Management Inc.” to lend the file legitimacy.
When executed, however, the fake installer drops a malicious DLL named CaptureService.dll (VirusTotal) in the %APPDATA%\Roaming folder.
For persistence, the installer creates a scheduled task named “CaptureService” that executes the DLL every 11 minutes, ensuring the backdoor remains active across reboots.
The activity resembles previous fake Google Chrome and Microsoft Teams installers that pushed Oyster, highlighting how SEO poisoning and malvertising remain a popular strategy for breaching corporate networks.
“This activity highlights the continued abuse of SEO poisoning and malicious advertisements to distribute a commodity backdoor under the guise of trusted software,” concludes Blackpoint.
“Like the fake PuTTY campaigns seen earlier this year, threat actors are exploiting user trust in search results and well-known brands to achieve initial access.”
Since access to high-privilege credentials is a popular goal in these campaigns, users are advised to download software only from verified domains and to avoid clicking on search engine ads.
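As an added defender-side example (not code from the article or from Blackpoint's report), the following Python checks an exported Task Scheduler XML definition for the persistence pattern described above: a task that repeats every few minutes and runs a DLL out of the roaming AppData folder. The sample task is constructed for this example; the rundll32 launcher, the logon trigger and the DLL entry point are assumptions, while the task name, folder and 11-minute interval come from the article.

```python
"""Flag Task Scheduler XML that repeats at short intervals and runs a DLL from
AppData\\Roaming. On a live host, task XML lives under C:\\Windows\\System32\\Tasks
or can be exported with `schtasks /query /tn <name> /xml`."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_INTERVAL_MIN = 15  # anything re-running this often deserves a look
# %APPDATA% resolves to ...\AppData\Roaming, so accept either spelling.
ROAMING_DLL = re.compile(r"(%appdata%|\\appdata\\roaming)\\[^\\\s\"]+\.dll", re.I)

# Constructed sample; only the name, folder and PT11M interval follow the article.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\CaptureService</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled>
    <Repetition><Interval>PT11M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
  </LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>"%APPDATA%\CaptureService.dll",Setup</Arguments>
  </Exec></Actions>
</Task>"""


def interval_minutes(iso: str) -> int:
    """Convert an ISO-8601 duration such as PT11M, PT1H30M or P1D to whole minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:\d+S)?", iso or "")
    if not m:
        return 0
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins


def suspicious_task(task_xml: str) -> Optional[dict]:
    """Return a finding when a task both repeats frequently and runs a roaming-AppData DLL."""
    root = ET.fromstring(task_xml)
    intervals = [interval_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    # Command, Arguments and WorkingDirectory of every Exec action, joined for matching.
    actions = " ".join((e.text or "") for e in root.iterfind(".//t:Exec/*", NS))
    hit = ROAMING_DLL.search(actions)
    short = [i for i in intervals if 0 < i <= MAX_INTERVAL_MIN]
    if hit and short:
        return {"interval_min": min(short), "dll": hit.group(0)}
    return None


if __name__ == "__main__":
    print(suspicious_task(SAMPLE_TASK))
```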


