Sophisticated Campaign Targets Microsoft Teams Users With Oyster Malware

Cybersecurity researchers have uncovered a cyberattack method that illustrates the growing sophistication of modern malvertising campaigns. This new wave of attacks sees threat actors leverage SEO poisoning techniques and search engine advertisements to lure unsuspecting users into downloading fake Microsoft Teams installers. These deceptive downloads ultimately infect Windows systems with the Oyster backdoor, providing attackers with a foothold inside corporate environments.

Fortunately, Microsoft Defender’s Attack Surface Reduction (ASR) rules prevented the malware from establishing communication with its command-and-control (C2) server, effectively neutralizing the threat before data theft or further payload deployment could occur.

What is the Oyster Malware?

The Oyster backdoor—also referred to by other names such as Broomstick and CleanUpLoader—first surfaced in mid-2023 and has been associated with multiple large-scale intrusion campaigns since its discovery. The backdoor enables attackers to:

  • Remotely control infected endpoints: Command-and-control (C2) capabilities allow the execution of arbitrary commands and deployment of additional malware payloads.
  • Exfiltrate sensitive data: Files and credentials can be transferred to attacker-controlled infrastructure for further exploitation.
  • Establish persistence: The malware is capable of maintaining long-term access even if parts of the infection chain are disrupted.

Over time, Oyster has become a key enabler for ransomware groups such as Rhysida, which have used it to infiltrate corporate networks, escalate privileges, and deploy ransomware payloads.

Attack Chain: From Search Result to Compromise Attempt

Conscia’s forensic analysis revealed a highly automated and rapid attack sequence designed for efficiency and evasion.

  • Initial Entry Point (September 25, 2025): The attack began when an employee performed a routine search for Microsoft Teams on Bing. Within seconds, the search result led to a malicious redirect chain — from bing.com to team.frywow.com, and finally to teams-install.icu.
  • High-Placement Malicious Links: This redirection was likely enabled by either malvertising (malicious ads) or search engine poisoning, ensuring the rogue link appeared prominently in search results to increase user click-through rates.
  • Spoofed Microsoft Installer Page: The domain teams-install.icu, hosted on Cloudflare to obscure attribution, closely mimicked Microsoft’s official download page. It delivered a malicious executable named MSTeamsSetup.exe, giving the appearance of legitimacy to unsuspecting users.
  • Execution and Detection: Approximately one hour after download, the user executed the file. It masqueraded as a Microsoft Teams installer but instead deployed the Oyster backdoor. The attack was thwarted when Microsoft Defender’s ASR rules blocked its attempt to communicate with its C2 server at nickbush24.com.

Abuse of Code-Signing Certificates

One of the most striking elements of this campaign was the use of short-lived but valid code-signing certificates to bypass security defenses.

  • Legitimacy by Design: The malicious executable was signed by an entity named “KUTTANADAN CREATIONS INC.” using a certificate valid for just two days (September 24–26, 2025).

  • Bypass Signature-Based Detection: Traditional security tools often trust signed executables, enabling malware to slip past initial defenses.
  • Short Lifespan Evades Revocation: The brief validity period leaves little time for security vendors to analyze, blacklist, and revoke certificates.
  • Scalable Automation: Attackers can automate certificate acquisition, malware signing, and distribution across multiple campaigns, each using fresh, legitimate certificates.

Conscia researchers also identified other short-lived certificates from entities like “Shanxi Yanghua HOME Furnishings Ltd”, indicating a coordinated, large-scale operation exploiting certificate trust.
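A defender-side triage heuristic for the two patterns described above, the search-to-download redirect chain and the short-lived signing certificate. This is an added example, not code from the article or from Conscia; the vendor allowlist, the seven-day threshold and the two sample events are assumptions constructed from the indicators the article quotes.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed allowlists (not from the article): hosts a Teams installer may legitimately
# come from, and the search engines whose results users click to get there.
TEAMS_VENDOR_DOMAINS = {"microsoft.com"}
SEARCH_ENGINES = {"bing.com", "google.com", "duckduckgo.com"}
MAX_SHORT_LIVED_DAYS = 7  # assumed triage threshold; the campaign's certificate lived two days

@dataclass
class InstallerEvent:
    filename: str
    download_host: str        # host that actually served the file
    redirect_chain: list      # hosts visited before the download, in order
    signer_subject: str       # subject of the code-signing certificate
    not_before: datetime
    not_after: datetime

def domain_allowed(host, allowed):
    """True if host equals, or is a subdomain of, any allowed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage(ev):
    """Return findings that warrant analyst review; an empty list means no flags."""
    findings = []
    # 1. Vendor-branded installer name served from a host the vendor does not own.
    if "teams" in ev.filename.lower() and not domain_allowed(ev.download_host, TEAMS_VENDOR_DOMAINS):
        findings.append(f"'{ev.filename}' served from non-vendor host {ev.download_host}")
    # 2. Click-through from a search engine that ended on a non-vendor host.
    if ev.redirect_chain and domain_allowed(ev.redirect_chain[0], SEARCH_ENGINES) \
            and not domain_allowed(ev.download_host, TEAMS_VENDOR_DOMAINS):
        findings.append("search result redirected via " + " -> ".join(ev.redirect_chain))
    # 3. Valid but very short-lived signing certificate (cheap to mint, hard to revoke in time).
    lifetime_days = (ev.not_after - ev.not_before).days
    if lifetime_days <= MAX_SHORT_LIVED_DAYS:
        findings.append(f"signer '{ev.signer_subject}' certificate valid only {lifetime_days} days")
    return findings

# Constructed sample events built from the indicators quoted in the article.
MALICIOUS = InstallerEvent("MSTeamsSetup.exe", "teams-install.icu",
                           ["bing.com", "team.frywow.com", "teams-install.icu"],
                           "KUTTANADAN CREATIONS INC.",
                           datetime(2025, 9, 24), datetime(2025, 9, 26))
BENIGN = InstallerEvent("MSTeamsSetup.exe", "teams.microsoft.com",
                        ["microsoft.com"], "Microsoft Corporation",
                        datetime(2025, 1, 1), datetime(2026, 1, 1))

if __name__ == "__main__":
    for name, ev in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, triage(ev) or "no findings")
```

The sample built from the article's indicators trips all three checks; the same file name fetched from the vendor's own host with a year-long certificate trips none.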

Potential Impact Without ASR Protection

Had the attack not been intercepted, the Oyster backdoor would have granted persistent access to the compromised environment.

This foothold could enable attackers to:

  • Steal sensitive corporate data
  • Deploy ransomware or additional malware payloads
  • Move laterally across the network to compromise more systems

Such capabilities highlight the critical importance of behavior-based detection tools like Microsoft Defender ASR, which can block malicious activity even when attackers use legitimate certificates and services.

Broader Trend: Malvertising and IT Tool Impersonation

This campaign is part of a wider trend where threat actors impersonate popular IT tools—such as PuTTY, WinSCP, and now Microsoft Teams—to exploit IT administrators and power users. These individuals often hold privileged credentials, making them high-value targets for initial access brokers (IABs) and ransomware operators.

Earlier this year, similar campaigns distributed the Oyster backdoor through fake Chrome installers and spoofed PuTTY download pages, illustrating how attackers systematically abuse user trust in:

  • Search engine rankings
  • Well-known software brands
  • Seemingly legitimate code-signing certificates

Security Recommendations for Organizations

Given the severity of these attacks, security experts advise organizations and IT administrators to adopt stricter software acquisition and endpoint protection practices, including:

  • Download software only from official vendor domains rather than relying on search engine results or advertisements.
  • Verify digital signatures and checksums of installers before deployment.
  • Block malicious domains and ad networks commonly abused for malware delivery.
  • Deploy advanced endpoint detection and response (EDR) tools to identify persistence mechanisms like scheduled tasks or anomalous DLL executions.
  • Educate employees about the risks of SEO poisoning and malvertising campaigns, particularly those in IT and administrative roles.

Key Lessons for Organizations

This incident underscores several important cybersecurity lessons:

  1. Living-off-the-land Techniques Are Increasing: Attackers now exploit legitimate services (e.g., search engines, cloud hosting, code-signing authorities) to appear trustworthy and evade detection.
  2. Digital Certificate Trust Can Be Weaponized: Blind trust in signed binaries is no longer sufficient, as attackers increasingly use valid, short-term certificates for malicious purposes.
  3. Speed of Modern Attacks Requires Real-Time Defense: The entire attack chain — from search to attempted C2 connection — unfolded in minutes, proving that traditional signature-based defenses cannot react quickly enough.
  4. Behavior-Based Security Controls Are Essential: Tools like ASR rules, which monitor and block suspicious behavior rather than relying solely on file signatures, are critical for preventing rapid, automated compromises.

Conclusion

As Blackpoint researchers note, these incidents demonstrate the ongoing abuse of SEO poisoning and malicious ads to deliver backdoors under the guise of trusted software. By exploiting brand reputation and user trust, attackers gain a cost-effective and scalable method for initial access—one that continues to challenge traditional security defenses.

The neutralization of this attack before data exfiltration or ransomware deployment demonstrates the value of proactive, layered defenses. However, the sophistication of the campaign — particularly its abuse of trusted services and automation — signals an urgent need for organizations to:

  • Continuously update endpoint security policies
  • Monitor for anomalous behavior in real time
  • Reassess the level of trust placed in code-signing certificates

As threat actors evolve, defenders must adapt quickly to protect against campaigns that can compromise systems in seconds using legitimate tools and infrastructure.
