
Oyster Malware Distributed via Fake Microsoft Teams Installers


Summary


A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida.
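The persistence mechanism described above (a DLL dropped under %APPDATA%\Roaming and a scheduled task that launches it) leaves a trace a defender can hunt for in exported Task Scheduler definitions. The script below is an added example, not code from this page or from the cited reporting: it parses task XML of the kind `schtasks /Query /TN <name> /XML` produces, and flags any Exec action that runs a DLL loader against a DLL stored under the roaming profile. The three task definitions it scans are constructed samples, and the set of loader binaries it watches and the task names used are assumptions.

```python
"""Flag scheduled tasks whose action loads a DLL from the user's roaming
AppData folder. Added example; the task XML below is constructed, not
captured from the campaign, and the loader list is an assumption."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by Windows Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Host binaries commonly used to execute a DLL (assumed watch list).
DLL_LOADERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}

# Matches the %APPDATA% variable or its expanded ...\AppData\Roaming path.
ROAMING_RE = re.compile(r"(%APPDATA%|\\AppData\\Roaming)", re.IGNORECASE)

# Constructed sample: a task that launches a DLL from the roaming profile
# every few minutes, the shape of persistence the summary describes.
SUSPECT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleUpdater</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"%APPDATA%\\Roaming\\ExampleLoader.dll",EntryPoint</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater under Program Files.
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\VendorUpdateCheck</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\ExampleVendor\\updater.exe"</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: rundll32 is used, but the DLL lives in System32,
# so the roaming-profile rule must not fire on it.
SYSTEM_DLL_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ControlPanelHelper</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\rundll32.exe</Command>
      <Arguments>shell32.dll,Control_RunDLL</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = [SUSPECT_TASK, BENIGN_TASK, SYSTEM_DLL_TASK]


def suspicious_actions(task_xml: str) -> List[Dict[str, str]]:
    """Return one record per Exec action that runs a DLL loader (or names a
    .dll) against a path under the roaming profile; [] means nothing flagged."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        # Reduce the command to its bare file name for the loader check.
        binary = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        combined = f"{command} {args}"
        loads_dll = binary in DLL_LOADERS or ".dll" in combined.lower()
        if loads_dll and ROAMING_RE.search(combined):
            findings.append({"command": command, "arguments": args})
    return findings


def flagged_task_names(task_xmls: List[str]) -> List[str]:
    """Scan several exported task definitions and return the URIs of those
    with at least one suspicious action, in input order."""
    flagged = []
    for task_xml in task_xmls:
        if suspicious_actions(task_xml):
            root = ET.fromstring(task_xml)
            flagged.append(root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS))
    return flagged


if __name__ == "__main__":
    for name in flagged_task_names(SAMPLE_TASKS):
        print("suspicious scheduled task:", name)
```

On a real host the inputs would come from exporting each task (`schtasks /Query /TN <name> /XML`, or `Export-ScheduledTask` in PowerShell) rather than from the inline samples; the rule deliberately keys on the combination of a DLL loader and a roaming-profile path, since either alone is common in legitimate tasks.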

Timeline

  1. 27.09.2025 22:49 · 1 article

    Fake Microsoft Teams Installers Push Oyster Malware via Malvertising

    A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence.



Similar Happenings

AI-Enhanced Malware Campaign Targeting Multiple Sectors

The AI-enhanced malware campaign, dubbed EvilAI, continues to target organizations globally, with infections confirmed in multiple regions including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region. The malware, disguised as legitimate productivity and AI-enhanced apps, has infected hundreds of victims across manufacturing, government, healthcare, technology, and retail sectors. The campaign uses various propagation methods, including newly registered websites, malicious ads, SEO manipulation, and promoted download links on forums and social media. The malware performs extensive reconnaissance, disables security products, and uses obfuscation techniques to avoid detection, acting as an initial access broker for future exploit activity. The campaign, first identified in September 2025, has been observed using AI tools to distribute malware. The malware is concealed within seemingly legitimate apps, leveraging digital signatures and realistic features to evade detection. The threat actors behind the campaign are highly capable, using sophisticated techniques to make the malware appear authentic. The malware uses NeutralinoJS to execute JavaScript code and siphon sensitive data, employing Unicode homoglyphs to bypass detection. The presence of multiple code-signing publishers suggests a shared malware-as-a-service provider or a code-signing marketplace.