
Oyster backdoor fake Microsoft Teams installer malvertising activity

Malware Activity
Happening score: 28
3 unique sources, 4 articles

Summary


A malvertising and SEO poisoning campaign tied to Vanilla Tempest is using fake Microsoft Teams installers to deploy the Oyster backdoor on Windows devices and support Rhysida ransomware activity. In late September 2025, attackers steered users searching for “Teams download” to spoofed sites such as teams-install[.]top, teams-download[.]buzz, teams-download[.]top, and teams-install[.]run, where downloads like MSTeamsSetup.exe delivered the malware. Microsoft said the group has used the same operation to enable ransomware and data extortion, and it revoked over 200 certificates tied to the fraudulent installers.

Related Happenings

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

How related: "To disrupt the service, we seized Fox Tempest's website signspace[.]cloud, took offline hundreds of the virtual machines running the operation, and blocked access to a site hosting the underlying code," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, said.

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Microsoft Teams on macOS repeated location-prompt service disruption

Service Disruption
First: 19.05.2026 19:10 Last: 19.05.2026 19:10 Sources 1

About this happening: Microsoft confirmed a **Microsoft Teams on macOS** service disruption that causes **non-dismissible location prompts** for some users, interrupting normal app use for those who en...

KongTuke Microsoft Teams initial access campaign

Campaign
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Open-OSS/privacy-filter Hugging Face infostealer activity

Malware Activity
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...

Timeline

  1. 16.10.2025 19:58 2 articles · 7mo ago

    Microsoft revokes certificates used in Vanilla Tempest Teams installers

    Mitigation Patch Update

    Microsoft revoked over 200 certificates used to sign fake Microsoft Teams installers distributed by Vanilla Tempest, disrupting a malvertising campaign that used lookalike domains and MSTeamsSetup.exe to deliver the Oyster backdoor on Windows devices.

  2. 27.09.2025 22:49 3 articles · 8mo ago

    Blackpoint SOC observes fake Microsoft Teams installer campaign

    Initial Disclosure

    Blackpoint SOC observed a malvertising and SEO poisoning campaign that uses search engine advertisements for "Teams download" to steer users to teams-install[.]top, a fake Microsoft Teams download site that serves MSTeamsSetup.exe. The malicious installer is code-signed with certificates from "4th State Oy" and "NRM NETWORK RISK MANAGEMENT INC". It drops CaptureService.dll into %APPDATA%\Roaming and creates a scheduled task named "CaptureService" that executes the DLL every 11 minutes, which is how the Oyster backdoor maintains persistence. Once running, the backdoor provides remote access, command execution, additional payload delivery, file transfer, and initial access to corporate networks.

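A defender-side hunt for the persistence mechanism described in the Blackpoint entry above (a scheduled task that launches a DLL from the user's AppData directory on a short repetition interval). This is an added example, not code from Blackpoint, Microsoft or the original reporting; the task name and DLL name are taken from the entry above, while the 15-minute interval threshold is an assumption chosen to catch the observed 11-minute repeat.

```powershell
# Hunt for scheduled tasks that fit the Oyster persistence pattern reported above:
# a task launching a DLL (typically via rundll32) from %APPDATA% on a short repeat interval.
# Added example; run in an elevated PowerShell session on the Windows host being examined.

$SuspectTaskName = 'CaptureService'       # task name reported by Blackpoint SOC
$SuspectDll      = 'CaptureService.dll'   # DLL name reported by Blackpoint SOC
$MaxInterval     = [TimeSpan]::FromMinutes(15)   # assumption: flag repeats at or under 15 min (observed: 11 min)
$AppData         = [Environment]::GetFolderPath('ApplicationData')   # resolves to ...\AppData\Roaming

function Get-TaskRepeatIntervals {
    param($Task)
    # Trigger repetition intervals are ISO 8601 durations such as 'PT11M'; convert each to a TimeSpan.
    foreach ($trigger in $Task.Triggers) {
        $interval = $trigger.Repetition.Interval
        if ($interval) { [System.Xml.XmlConvert]::ToTimeSpan($interval) }
    }
}

function Test-OysterPersistencePattern {
    param($Task)
    # Returns the list of reasons a task looks suspicious; an empty list means no match.
    $reasons = @()
    foreach ($action in $Task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        $fromAppData = ($cmdline.IndexOf($AppData, [StringComparison]::OrdinalIgnoreCase) -ge 0) -or
                       ($cmdline -match '%APPDATA%')
        if ($cmdline -match [regex]::Escape($SuspectDll)) { $reasons += "references $SuspectDll" }
        if ($cmdline -match '\.dll' -and $fromAppData)    { $reasons += 'runs a DLL from AppData' }
    }
    if ($Task.TaskName -eq $SuspectTaskName) { $reasons += "task name '$SuspectTaskName'" }
    # A short repeat alone is common for legitimate tasks, so only record it as supporting evidence.
    $shortRepeats = @(Get-TaskRepeatIntervals -Task $Task | Where-Object { $_ -le $MaxInterval })
    if ($reasons -and $shortRepeats.Count -gt 0) { $reasons += "repeats every $($shortRepeats[0])" }
    return $reasons
}

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons = Test-OysterPersistencePattern -Task $task
    if ($reasons) {
        [pscustomobject]@{
            TaskName = $task.TaskName
            Path     = $task.TaskPath
            Author   = $task.Author
            Actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Reasons  = $reasons -join ', '
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No tasks matching the Oyster persistence pattern were found.' }
```

Get-ScheduledTask is part of the ScheduledTasks module shipped with Windows 8 / Server 2012 and later; on older hosts, export tasks with `schtasks /query /xml` and inspect the Exec and Repetition elements the same way.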