Cybercriminals distribute fake Microsoft Teams installers through malicious ads to deploy Oyster backdoor malware, targeting enterprise collaboration software users.
Cybersecurity researchers have identified a sophisticated campaign where threat actors are using malicious advertisements and search engine optimization poisoning to distribute fake Microsoft Teams installers containing the Oyster backdoor malware.
The campaign targets users searching for legitimate Microsoft Teams downloads through search engines.
When users search for terms like “teams download,” they encounter fraudulent sponsored advertisements that closely mimic official Microsoft download pages.
These malicious ads redirect victims to spoofed websites hosting trojanized installers disguised as legitimate Teams software.
Malicious Distribution Infrastructure
One identified attack domain, teams-install[.]top, served malicious MSTeamsSetup.exe files to unsuspecting users.
The fake installers appear authentic and even include digital signatures from entities like “4th State Oy” and “NRM NETWORK RISK MANAGEMENT INC” to bypass basic security checks and reduce user suspicion.
Upon execution, the malicious installer deploys the Oyster backdoor, also known as Broomstick, a modular multistage malware designed for persistent remote access.
The malware drops a DLL file named CaptureService.dll into a randomly generated folder within the user’s AppData directory.
To maintain persistence, the malware creates a scheduled task called “CaptureService” that regularly executes rundll32.exe to load the malicious DLL.
This technique allows the backdoor to blend into normal Windows system activity while maintaining long-term access to compromised systems.
The Oyster backdoor provides attackers with comprehensive capabilities, including remote system access, host information collection, command and control communications, and the ability to deploy additional payloads.
During this campaign, researchers observed the malware communicating with attacker-controlled domains, including nickbush24[.]com and techwisenetwork[.]com.
This campaign bears a striking resemblance to previous fake PuTTY distribution campaigns, indicating a recurring trend where cybercriminals weaponize trusted software brands to establish initial system access.
By impersonating widely used enterprise collaboration tools, attackers increase their chances of successful infection while maintaining stealth.
Security teams should monitor for several key indicators, including new scheduled tasks named “CaptureService,” rundll32.exe processes loading DLLs from suspicious directories, and network communications to newly registered domains.
Organizations can protect themselves by implementing several security measures: downloading software exclusively from official vendor domains rather than search results, using saved bookmarks for trusted software downloads, deploying allowlisting controls to block unsigned installers, and providing user training on malvertising risks.
The campaign highlights how threat actors continue leveraging user trust in familiar enterprise software and search engine results to lower infection barriers.
By combining malvertising techniques with commodity malware families, attackers create effective attack vectors that evade traditional security controls.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates
%20(1).webp?resize=1600,900&ssl=1&description=Cybercriminals distribute fake Microsoft Teams installers through malicious ads to deploy Oyster backdoor malware, targeting enterprise collaboration software users.){kind=link}