Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Fake IT support calls on Microsoft Teams push EtherRAT malware

    July 6, 2026

    Phishing poses as big-brand job interview to steal Google accounts

    July 6, 2026

    Vietnam arrests suspects behind HiAnime anime piracy service

    July 6, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»Fake IT support calls on Microsoft Teams push EtherRAT malware
    News

    Fake IT support calls on Microsoft Teams push EtherRAT malware

    adminBy adminJuly 6, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Microsoft Teams

    Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks.

    The campaign, reported by Palo Alto Networks’ Unit 42, combines phishing emails, Microsoft Teams voice calls, legitimate remote management tools, and a Node.js-based malware loader to compromise victims’ computers.

    According to a report by Unit 42 posted on GitHub, the attack begins with a phishing email containing an “Employee Survey” lure and a malicious PDF attachment.

    image

    Shortly after opening the document, the victim receives a Microsoft Teams voice call from an external account impersonating a “System Administrator.”

    The researchers observed the Teams session displaying the “External unfamiliar” label, indicating the caller belonged to a different Microsoft 365 tenant than the recipient. Audit logs showed the attacker initiated the external chat using the account helpdesk@Progressive936.onmicrosoft[.]com while posing as IT support.

    After convincing the victim to grant remote control via Microsoft Teams’ built-in screen-sharing feature, the attacker guided them through installing legitimate remote-access tools, including HopToDesk and AnyDesk.

    After establishing remote access, they downloaded and executed a malicious MSI installer (v7.msi) from camorreado[.]click. The MSI acts as a malware loader, downloading a legitimate Node.js runtime, decrypting embedded payloads, and ultimately launching EtherRAT.

    EtherRAT is a cross-platform remote access trojan written in Node.js that gives attackers full control over compromised systems.

    The malware can execute commands, manipulate files, steal data, and maintain persistence, while using Ethereum smart contracts to retrieve its active command-and-control (C2) server, making it harder to disrupt.

    EtherRAT was previously used in state-sponsored attacks exploiting the React2Shell vulnerability and has since been adopted by numerous other threat actors.

    Unit 42 says they discovered an open directory on a distribution server containing multiple versions of the malware installers (v1 through v9), indicating the campaign is actively being developed.

    Teams attacks force Microsoft to add new protections

    The latest campaign follows a growing number of attacks abusing Microsoft Teams to breach corporate networks.

    In March, a campaign targeted financial and healthcare organizations by flooding victims’ inboxes with spam, then contacting them via Microsoft Teams, posing as company IT staff. Victims were tricked into launching Quick Assist sessions that ultimately led to the deployment of the newly documented A0Backdoor malware.

    A month later, Microsoft warned that attackers were increasingly abusing external Microsoft Teams to impersonate helpdesk personnel and convince employees to give them remote access to their devices. Once inside the network, the attackers performed reconnaissance, spread laterally to other devices, and ultimately stole data.

    To help defend against these attacks, Microsoft has been adding new protections to Teams.

    Earlier this year, the company added warnings that identify external callers and chats to protect against potential phishing/vishing attacks.

    Last week, Microsoft also introduced a new Teams administrator policy that automatically places suspected third-party bots into the meeting lobby until organizers can manually approve their admission.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticlePhishing poses as big-brand job interview to steal Google accounts
    admin
    • Website

    Related Posts

    News

    Phishing poses as big-brand job interview to steal Google accounts

    July 6, 2026
    News

    Vietnam arrests suspects behind HiAnime anime piracy service

    July 6, 2026
    News

    Max severity Adobe ColdFusion flaw now exploited in attacks

    July 6, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202633 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202633 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views
    Our Picks

    Fake IT support calls on Microsoft Teams push EtherRAT malware

    July 6, 2026

    Phishing poses as big-brand job interview to steal Google accounts

    July 6, 2026

    Vietnam arrests suspects behind HiAnime anime piracy service

    July 6, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.