
Image by Mika Baumeister, from Unsplash
Fake Teams Installer Evades Detection, Targets Enterprise Users
A new cyber campaign is using fake Microsoft Teams installers to infect users with the Oyster backdoor, also known as Broomstick.
In a rush? Here are the quick facts:
- Fake Microsoft Teams installers are spreading via SEO poisoning and malvertising.
- Execution installs the Oyster backdoor, also known as Broomstick, on the system.
- Oyster enables remote access, system profiling, and delivery of additional payloads.
Security researchers at Blackpoint SOC are warning that attackers are redirecting Teams search results to fake websites that mimic the official Teams download page. They do this through a combination of SEO poisoning and malvertising.
“When users searched for ‘teams download’ via search engines, they were presented with a malicious sponsored advertisement that closely mimicked the official Microsoft download portal,” Blackpoint SOC reported.
The ad link directed users to a deceptive installer called ‘MSTeamsSetup.exe’, which looks authentic but performs malicious operations.
The trojanized installer drops a DLL called ‘CaptureService.dll’ into a randomly named folder under ‘%APPDATA%\Roaming’ and creates a scheduled task to maintain persistence.
Oyster runs as an ordinary Windows process and uses that foothold to provide remote access, collect system information, and fetch and execute additional payloads.
The campaign mirrors earlier fake PuTTY operations, showing a recurring trend of attackers abusing trusted software brands for initial access. Blackpoint SOC noted, “By attaching a digital signature, threat actors aim to bypass basic trust checks and reduce suspicion from both end users and security controls that flag unsigned executables.”
The Oyster backdoor maintains command-and-control contact with the attacker domains ‘nickbush24[.]com’ and ‘techwisenetwork[.]com’ to retain long-term, stealthy access. The use of well-known software brands and manipulated search results increases the likelihood of successful compromise while evading casual detection.
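As an added example that is not part of the article or of Blackpoint SOC's reporting, the following PowerShell triage script checks a Windows host for the artifacts described above: the scheduled task and dropped DLL, the two C2 domains, and a downloaded installer whose signature is not Microsoft's. The property names are those of Get-ScheduledTask, Get-DnsClientCache and Get-AuthenticodeSignature; the ‘O=Microsoft Corporation’ subject check and the Downloads-folder location are assumptions.

```powershell
# Added host-triage example, not code from the article or from Blackpoint SOC.
# Looks for the artifacts the report describes; real samples may vary these.
$dllName = 'CaptureService.dll'                      # dropped DLL named in the report
$c2Hosts = 'nickbush24.com', 'techwisenetwork.com'   # reported C2 domains, un-defanged for matching

# 1. Scheduled tasks whose action references the named DLL, or (generic form of the same
#    persistence) loads any DLL from a Roaming profile via rundll32/regsvr32.
$taskHits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match [regex]::Escape($dllName)) { $why = 'references named DLL' }
        elseif ($cmd -match '\\AppData\\Roaming\\' -and $cmd -match '(?i)rundll32|regsvr32') { $why = 'loads DLL from Roaming profile' }
        else { continue }
        [pscustomobject]@{ Artifact = 'ScheduledTask'; Where = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd; Why = $why }
    }
}

# 2. Copies of the DLL anywhere under any user's Roaming profile (the folder name is random).
$fileHits = Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming" -Filter $dllName -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Artifact = 'File'; Where = $_.FullName; Detail = "$($_.Length) bytes, written $($_.LastWriteTime)"; Why = 'named DLL in Roaming profile' } }

# 3. Resolver-cache entries for the C2 domains (recent lookups only; use DNS server logs for history).
$pattern = ($c2Hosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -match $pattern } |
    ForEach-Object { [pscustomobject]@{ Artifact = 'DnsCache'; Where = $_.Entry; Detail = $_.Data; Why = 'reported C2 domain' } }

# 4. Installers named like the lure in Downloads (assumed location). The report says the fake is
#    digitally signed, so "signed" is not enough: the chain must be valid AND the signer Microsoft.
$sigHits = Get-ChildItem -Path "$env:SystemDrive\Users\*\Downloads\MSTeamsSetup*.exe" -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {   # assumed subject check
        [pscustomobject]@{ Artifact = 'Installer'; Where = $_.FullName; Detail = "$($sig.Status); signer: $signer"; Why = 'Teams installer not validly signed by Microsoft' }
    }
}

$all = @($taskHits) + @($fileHits) + @($dnsHits) + @($sigHits)
if ($all) { $all | Format-Table -AutoSize -Wrap } else { 'No Oyster/Broomstick artifacts from the report found on this host.' }
```

Run it from an elevated prompt so that other users' profiles and all scheduled tasks are readable; a hit on any row is a reason to isolate the host and pull the task XML and DLL for analysis.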
Organizations are urged to download collaboration tools only from verified Microsoft domains and avoid relying on search engine results.
“Personnel should use bookmarks and verified vendor domains when downloading software and remain vigilant to the fact that even common productivity tools can be abused as vehicles for malware delivery,” Blackpoint SOC advised.
This campaign highlights the ongoing risk of SEO-based attacks combined with commodity malware, demonstrating that even familiar enterprise software can be weaponized against unsuspecting users.