On September 25, 2025, Conscia’s Managed Detection and Response team identified a sophisticated malvertising campaign that attempted to compromise enterprise endpoints by distributing a fake Microsoft Teams installer.
The infection chain was uncovered when Microsoft Defender’s Attack Surface Reduction (ASR) rules blocked suspicious outbound traffic, prompting a detailed forensic investigation that revealed automation, SEO poisoning, and certificate abuse.
Malvertising Vector and Automated Redirect Chain
The campaign’s delivery mechanism exploited poisoned search results for Microsoft Teams installers.
A timeline reconstructed by forensic analysts showed only 11 seconds between a Bing search and the first connection to the malicious domain teams-install.icu, too brief for a user to read the results and click through, and consistent with an automated redirect served through a malicious ad.
The click on the poisoned result was silently forwarded through the gate domain team.frywow.com before landing on teams-install.icu, which hosted the payload.
Both domains resolved to Cloudflare IP ranges, so the connections blended into ordinary CDN traffic, and both served TLS certificates from Google Trust Services that were valid for only two days.
That short lifespan, from September 24 to September 26, meant the certificates had expired before revocation could matter and let the actor rotate infrastructure quickly.
Certificate Abuse and Living-Off-the-Land Tactics
Once downloaded, the payload, MSTeamsSetup.exe, looked like a legitimate installer: it carried a valid Authenticode signature issued to “KUTTANADAN CREATIONS INC.” by the Microsoft ID Verified CS EOC CA 01 issuing CA.
The signing certificate itself was valid for only two days, so the file passed trust checks that look for a valid signature, while the certificate expired before revocation could take effect and the brand-new signer had no reputation history for signer-based detections to key on.
Other payloads in the same operation were signed by similarly obscure entities, such as Shanxi Yanghua HOME Furnishings Ltd. and Shanghai Ruikang Decoration Co., suggesting a concerted effort to abuse code-signing services.
Once executed, the malware lived off the land: it launched the Windows Disk Cleanup binary cleanmgr.exe, which in turn spawned DismHost.exe from a temporary directory, behavior consistent with other Oyster backdoor variants. Because cleanmgr.exe starting DismHost.exe from %TEMP% is also exactly what a legitimate Disk Cleanup run looks like, the process that launched cleanmgr.exe, not the pair itself, is what separates this from benign activity.
When the executable then attempted a command-and-control connection to nickbush24.com, Defender’s ASR rules intercepted and blocked the request, cutting the chain before the backdoor could persist, exfiltrate data, or stage ransomware.
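The parent-chain check that point implies, written out as an added example (this is not Conscia’s detection logic or a Defender query). It walks process-creation events by pid/ppid, ignores DismHost.exe runs whose cleanmgr.exe parent was itself launched by an expected Windows process, and reports the rest. The event fields (pid, ppid, image, path), the set of expected launchers, and the sample events are all assumptions constructed for the example.

```python
"""Parent-chain check for the cleanmgr.exe -> DismHost.exe pattern.

Added example, not Conscia's tooling. cleanmgr.exe legitimately spawns
DismHost.exe from a %TEMP% subfolder, so alerting on that pair alone is
noisy; what distinguishes the malicious case is which process launched
cleanmgr.exe. The event fields (pid, ppid, image, path) and the expected
launchers are assumptions about an EDR's process-creation data.
"""

# Processes that ordinarily start Disk Cleanup: the user's shell, or the
# Task Scheduler service host running the SilentCleanup task (assumption).
EXPECTED_CLEANMGR_PARENTS = {"explorer.exe", "svchost.exe"}


def flag_cleanmgr_lolbin(process_events):
    """Return a finding for each DismHost.exe whose grandparent is not an expected launcher."""
    by_pid = {ev["pid"]: ev for ev in process_events}
    findings = []
    for ev in process_events:
        if ev["image"].lower() != "dismhost.exe":
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or parent["image"].lower() != "cleanmgr.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        launcher = grandparent["image"].lower() if grandparent else "<unknown>"
        if launcher in EXPECTED_CLEANMGR_PARENTS:
            continue  # an ordinary Disk Cleanup run
        findings.append({
            "chain": f"{launcher} -> cleanmgr.exe -> dismhost.exe",
            "launcher_path": grandparent["path"] if grandparent else None,
            "dismhost_path": ev["path"],
        })
    return findings


# Constructed sample events (not real telemetry): one benign Disk Cleanup run
# and one chain rooted in a downloaded installer named like the article's payload.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cleanmgr.exe", "path": r"C:\Windows\System32\cleanmgr.exe"},
    {"pid": 300, "ppid": 200, "image": "DismHost.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\A1B2C3D4\DismHost.exe"},
    {"pid": 400, "ppid": 100, "image": "MSTeamsSetup.exe",
     "path": r"C:\Users\alice\Downloads\MSTeamsSetup.exe"},
    {"pid": 500, "ppid": 400, "image": "cleanmgr.exe", "path": r"C:\Windows\System32\cleanmgr.exe"},
    {"pid": 600, "ppid": 500, "image": "DismHost.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\E5F6A7B8\DismHost.exe"},
]

if __name__ == "__main__":
    for finding in flag_cleanmgr_lolbin(PROCESS_EVENTS):
        print(finding)
```

The benign chain (explorer.exe launching cleanmgr.exe) is suppressed; only the chain rooted in the downloaded installer is reported, along with the launcher's path so an analyst can pull the file for signature inspection.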
Prevention Strategies and Detection Recommendations
To guard against this evolving threat, organizations should implement detection strategies focusing on certificate anomalies and network behaviors.
Executables signed with certificates valid for seven days or less, particularly those issued by Microsoft ID Verified CS EOC CA 01, should trigger alerts, and first-seen signers should be monitored closely. Bear in mind that the same issuing CA also signs legitimate software through Microsoft’s short-lived code-signing service, so certificate lifespan works best as one signal combined with a signer never seen before in the environment and an installer downloaded by a browser, rather than as an alert on its own.
Rapid redirects from search engine results to newly registered domains, especially on uncommon top-level domains such as .icu, warrant scrutiny. Outbound connections to Cloudflare IP ranges within seconds of a search query are worth flagging too, but Cloudflare fronts a large share of the web, so scope that rule to newly registered or uncommon-TLD destinations to keep it from drowning in benign traffic.
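Both recommendations, and the 11-second Bing-to-.icu hop described earlier, reduce to two small heuristics. The following is an added example (not Conscia’s tooling or a Defender query) that runs them over constructed records shaped like an EDR certificate-info table and a network-events table; the field names (signer, issuer, not_before, not_after, ts, url, process), the 30-second window, and the sample data are assumptions.

```python
"""Two detection heuristics for the campaign described in this article.

Added example, not Conscia's tooling or a Defender query. The records are
constructed to mirror the shape of an EDR certificate-info table and a
network-events table; the field names are assumptions, not a real schema.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Issuer named in the article. It also signs legitimate software, so the
# finding carries its reasons and the analyst weighs the combination.
WATCHED_ISSUERS = {"Microsoft ID Verified CS EOC CA 01"}
MAX_LIFESPAN_DAYS = 7

SEARCH_ENGINE_HOSTS = {"www.bing.com", "bing.com", "www.google.com"}
SUSPICIOUS_TLDS = {"icu"}  # from the article; extend with your own list
REDIRECT_WINDOW = timedelta(seconds=30)  # assumption: 11 s observed, some headroom


def cert_lifespan_days(not_before, not_after):
    """Validity window length in days from two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(not_after) - datetime.fromisoformat(not_before)
    return delta.total_seconds() / 86400


def flag_short_lived_signers(cert_events, known_signers):
    """Return one finding per certificate valid for MAX_LIFESPAN_DAYS or less.

    Each finding lists why it fired: a short-lived cert from a signer already
    in the baseline ranks below one from a never-seen signer and a watched issuer.
    """
    findings = []
    for ev in cert_events:
        days = cert_lifespan_days(ev["not_before"], ev["not_after"])
        if days > MAX_LIFESPAN_DAYS:
            continue
        reasons = [f"validity {days:g} days"]
        if ev["issuer"] in WATCHED_ISSUERS:
            reasons.append("watched issuer")
        if ev["signer"] not in known_signers:
            reasons.append("first-seen signer")
        findings.append({"file": ev["file"], "signer": ev["signer"], "reasons": reasons})
    return findings


def _host(url):
    return (urlparse(url).hostname or "").lower()


def flag_rapid_redirects(net_events, window=REDIRECT_WINDOW):
    """Find search-engine requests followed within `window` by a request to a
    host on a suspicious TLD, the pattern behind the Bing -> teams-install.icu hop."""
    events = sorted(net_events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if _host(ev["url"]) not in SEARCH_ENGINE_HOSTS:
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        for later in events[i + 1:]:
            delta = datetime.fromisoformat(later["ts"]) - t0
            if delta > window:
                break  # events are sorted; nothing further can match this search
            host = _host(later["url"])
            if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
                findings.append({"host": host, "seconds_after_search": delta.total_seconds(),
                                 "process": later["process"]})
    return findings


# Constructed sample data (not real telemetry). Dates and names mirror the article.
CERT_EVENTS = [
    {"file": "MSTeamsSetup.exe", "signer": "KUTTANADAN CREATIONS INC.",
     "issuer": "Microsoft ID Verified CS EOC CA 01",
     "not_before": "2025-09-24T00:00:00", "not_after": "2025-09-26T00:00:00"},
    {"file": "Teams.exe", "signer": "Microsoft Corporation",
     "issuer": "Microsoft Code Signing PCA 2011",
     "not_before": "2025-01-10T00:00:00", "not_after": "2026-01-10T00:00:00"},
]
KNOWN_SIGNERS = {"Microsoft Corporation"}

NET_EVENTS = [
    {"ts": "2025-09-25T10:00:00", "process": "msedge.exe",
     "url": "https://www.bing.com/search?q=microsoft+teams+download"},
    {"ts": "2025-09-25T10:00:03", "process": "msedge.exe", "url": "https://team.frywow.com/"},
    {"ts": "2025-09-25T10:00:11", "process": "msedge.exe",
     "url": "https://teams-install.icu/MSTeamsSetup.exe"},
    {"ts": "2025-09-25T10:09:00", "process": "msedge.exe", "url": "https://example.icu/"},
]

if __name__ == "__main__":
    for f in flag_short_lived_signers(CERT_EVENTS, KNOWN_SIGNERS):
        print("CERT ", f)
    for f in flag_rapid_redirects(NET_EVENTS):
        print("REDIR", f)
```

Only the two-day certificate fires, with all three reasons attached, and only the .icu request 11 seconds after the search is reported; the .com gate hop is left for the analyst to recover from the flagged session, and the .icu visit nine minutes later falls outside the window.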
Ensuring that ASR policies are configured to block suspicious child processes and network connections by default remains critical to preventing post-execution activities.
This incident illustrates the sophisticated convergence of SEO poisoning, automated redirection, certificate abuse, and living-off-the-land tactics employed by modern threat actors.
By continuously tuning defensive controls, adopting defense-in-depth architectures, and monitoring for certificate anomalies, security teams can effectively neutralize rapid malvertising campaigns and protect their environments from backdoor infections.
Indicators of Compromise (IOCs)
Network Indicators:
| Indicator | Description |
|---|---|
| teams-install[.]icu | Malicious payload delivery site |
| team[.]frywow[.]com | Redirect/gate infrastructure |
| witherspoon-law[.]com | Redirect/gate infrastructure |
| nickbush24[.]com | C2 server |