
Oyster Malware Distributed via Fake Microsoft Teams Installers

3 unique sources, 5 articles

Summary


A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware, known as OysterLoader, provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence.

Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida.

The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools. In early 2026, OysterLoader evolved with new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis.

Timeline

  1. 16.02.2026 18:15 · 1 article

    OysterLoader Evolves with New C2 Infrastructure and Obfuscation

    OysterLoader, a multi-stage malware loader, has evolved with new C2 infrastructure and obfuscation methods. The malware uses a four-stage infection chain, consisting of a packer called TextShell, custom shellcode with a modified LZMA routine, an intermediate downloader, and a core payload deployed as a DLL. C2 communication follows a three-step process with dynamically assigned endpoints and non-standard Base64 encoding for JSON communications. The threat actors have shown sustained development effort, with multiple endpoint revisions between May 2024 and January 2026.

  2. 16.10.2025 19:58 · 3 articles

    Microsoft Revokes Over 200 Certificates to Disrupt Rhysida Attacks

    Microsoft revoked over 200 certificates used by Vanilla Tempest to sign malicious Teams installers delivering the Oyster backdoor and Rhysida ransomware. The campaign was identified in late September 2025, using SEO poisoning and malvertising to distribute fake Teams installers. The threat actor has been active since at least 2021 and has targeted various sectors, including healthcare. Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide protection and guidance for mitigating this threat.

  3. 27.09.2025 22:49 · 2 articles

    Fake Microsoft Teams Installers Push Oyster Malware via Malvertising

    The campaign uses domains that mimic Microsoft Teams, such as teams-install[.]top, teams-download[.]buzz, teams-download[.]top, and teams-install[.]run, to distribute fake MSTeamsSetup.exe files that infect victims with the Oyster backdoor.

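As an added example (not code from this page or from any of the sources it summarizes), the following Python script hunts proxy logs for the four lookalike domains listed in the 27.09.2025 entry and for the MSTeamsSetup.exe file name being served from a host Microsoft does not own. The log layout, the sample lines and the list of Microsoft-owned suffixes are assumptions; the lookalike pattern generalizes the four listed domains to other top-level domains.

```python
import re
from urllib.parse import urlsplit

# Defanged lookalike domains quoted in the 27.09.2025 timeline entry.
DEFANGED_IOCS = ["teams-install[.]top", "teams-download[.]buzz",
                 "teams-download[.]top", "teams-install[.]run"]
# Assumption (not from the page): the real client comes only from these suffixes.
LEGIT_SUFFIXES = ("microsoft.com", "office.com", "office.net")
# Generalisation of the listed names: "teams-" plus a download-ish word.
LOOKALIKE_RE = re.compile(r"^teams-(install|download|setup)\.[a-z0-9.-]+$")
# Assumed log layout, used by the constructed sample below: epoch client status method url
LOG_RE = re.compile(r"^(\d+) (\S+) (\d{3}) ([A-Z]+) (\S+)$")

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").strip().lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

def is_legit_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def classify(url: str):
    """Return (reason, host) for a suspicious URL, else None. Precedence:
    exact IoC, lookalike pattern, then MSTeamsSetup.exe from a non-Microsoft host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_DOMAINS:
        return ("ioc-domain", host)
    if is_legit_host(host):
        return None
    if LOOKALIKE_RE.match(host):
        return ("lookalike-domain", host)
    if parts.path.lower().endswith("/msteamssetup.exe"):
        return ("offsite-teams-setup", host)
    return None

def hunt(log_text: str):
    """Scan proxy log lines; return [(line_no, client, reason, host)]."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        verdict = classify(m.group(5))
        if verdict:
            hits.append((n, m.group(2)) + verdict)
    return hits

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
1758998400 10.0.0.5 200 GET https://www.microsoft.com/en-us/microsoft-teams/download-app
1758998460 10.0.0.5 200 GET https://teams-install.top/MSTeamsSetup.exe
1758998520 10.0.0.9 200 GET https://www.microsoft.com/download/MSTeamsSetup.exe
1758998580 10.0.0.9 200 GET https://teams-download.xyz/MSTeamsSetup.exe?ref=ad
1758998640 10.0.0.7 200 GET https://cdn.example.net/files/MSTeamsSetup.exe
"""
```

Running `hunt(SAMPLE_LOG)` flags lines 2, 4 and 5 of the sample and leaves the two Microsoft-hosted requests alone.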


Similar Happenings

Increase in Stealthy Persistence and Evasion Techniques for Data Extortion

Threat actors are increasingly favoring stealthy persistence and evasion techniques to silently exfiltrate data for extortion. According to Picus Security's Red Report 2026, attackers are blending in with legitimate traffic and operating through trusted processes to stay hidden from network defenders. Process injection remains the top malicious technique, enabling attackers to hide malicious code inside legitimate applications. Additionally, attackers are routing command-and-control (C2) traffic through high-reputation services like OpenAI and AWS to evade detection. The use of 'data encrypted for impact' has dropped by 38% annually, indicating a shift towards silent data exfiltration. The report also highlights sophisticated evasion techniques, such as that of the LummaC2 infostealer, which uses trigonometry to detect sandbox environments and avoid detonation. Virtualization/sandbox evasion is now the fourth most prevalent MITRE ATT&CK technique observed.

RedVDS Cybercrime-as-a-Service Disrupted by Microsoft

Microsoft, in coordination with legal partners in the US and UK, has disrupted RedVDS, a cybercriminal subscription service that facilitated phishing and fraud campaigns. RedVDS offered cheap, effective, and disposable virtual computers running unlicensed software, enabling cybercriminals to operate anonymously. The service caused over $40 million in losses in the US alone since March 2025, with nearly 190,000 organizations worldwide affected. RedVDS utilized AI to tailor phishing and business email compromise (BEC) scams, including deepfake videos and voice cloning to impersonate individuals. The disruption involved legal action in the US and UK, supported by international law enforcement, including Europol. Microsoft emphasized the importance of reporting cybercrime to prevent future attacks and protect potential victims.

RedVDS operated since 2019 and rented servers from third-party hosting providers across multiple countries. The service was used for various malicious activities, including credential theft, account takeovers, and real estate payment diversion scams. In one month, cybercriminals using RedVDS sent an average of 1 million phishing messages per day to Microsoft customers alone, compromising nearly 200,000 Microsoft accounts over the last four months. RedVDS was advertised as a way to 'increase your productivity and work from home with comfort and ease.' The service was first founded in 2017 and operated on Discord, ICQ, and Telegram. The website was launched in 2019. RedVDS provided a reseller panel to create sub-users and grant them access to manage the servers without having to share access to the main site. The service did not maintain activity logs, making it an attractive choice for illicit use.

RedVDS was used to host a toolkit comprising both malicious and dual-use software, including mass spam/phishing email tools, email address harvesters, privacy and OPSEC tools, and remote access tools. RedVDS used a single Windows Server 2022 image to create cloned Windows instances, which were created on demand using Quick Emulator (QEMU) virtualization technology combined with VirtIO drivers. RedVDS's Terms of Service prohibited customers from using the service for sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks.

pkr_mtsi Malware Loader Distributes Diverse Payloads via Malvertising and SEO Poisoning

A versatile Windows packer named pkr_mtsi has been identified as a malware loader used in large-scale malvertising and SEO-poisoning campaigns. First observed on April 24, 2025, it delivers various payloads including Oyster, Vidar, Vanguard Stealer, and Supper. The loader disguises itself as legitimate software installers and leverages fake download sites for distribution. The malware has evolved over the past eight months, incorporating heavier obfuscation, hashed API resolution, and anti-analysis techniques. Despite these changes, its structure provides durable detection opportunities, including predictable errors from invalid protection flags. ReversingLabs (RL) has released a YARA rule to detect all known variants, highlighting the packer's staged architecture and alternate execution paths for DFIR practitioners.

SantaStealer Malware-as-a-Service Targets Browsers and Crypto Wallets

A new malware-as-a-service (MaaS) named SantaStealer is being advertised on Telegram and hacker forums. Developed by a Russian-speaking actor, it is a rebranded version of BluelineStealer. The malware steals data from browsers, cryptocurrency wallets, and other applications, operating in memory to avoid file-based detection. Despite claims of advanced evasion techniques, samples analyzed by Rapid7 reveal poor operational security and incomplete development. SantaStealer uses 14 data-collection modules to exfiltrate information via a hardcoded C2 endpoint. The malware is not yet fully operational, but its planned distribution methods include ClickFix attacks, phishing, pirated software, and malvertising.

Russian Threat Actors Target Ukrainian and Polish Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations and Poland's power sector using living-off-the-land (LotL) tactics and deploying data-wiping malware. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools.

In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group.

In December 2025, Sandworm targeted Poland's power sector with a new wiper malware called DynoWiper, aiming to disrupt the energy infrastructure. The attack, which occurred on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants and a system managing renewable energy sources. The attack was unsuccessful in causing disruption, and Polish authorities attributed it to Russian services. The attack coincided with the tenth anniversary of Sandworm's 2015 attack on Ukraine's power grid.

A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of the wiper malware ZEROLOT and Sting.

Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as the GRU. The targeted entity had worked for a city with close ties to Ukraine in the past.

The ESET report noted that other Russia-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla's backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon's toolset continued to evolve, incorporating new file stealers and tunneling services.

The cyber attack on the Polish power grid in December 2025 was attributed with medium confidence to a Russian state-sponsored hacking group known as ELECTRUM. The attack targeted distributed energy resources (DERs) and affected communication and control systems at combined heat and power (CHP) facilities and systems managing renewable energy sources. ELECTRUM and KAMACITE share overlaps with the Sandworm cluster, with KAMACITE focusing on initial access and ELECTRUM conducting operations that bridge IT and OT environments. The attackers gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site. The attack was opportunistic and rushed, with the hackers attempting to inflict as much damage as possible by wiping Windows-based devices and resetting configurations. The majority of the equipment targeted was related to grid safety and stability monitoring. The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems, damaging "key equipment beyond repair," they failed to disrupt power at sites totaling 1.2 GW, or 5% of Poland's energy supply. Based on public reports, there are at least 12 confirmed affected sites. However, researchers at Dragos, an operational technology (OT) and industrial control systems (ICS) security company, say that the number is approximately 30. Dragos attributes the attack with moderate confidence to a Russian threat actor it tracks as Electrum; although it overlaps with Sandworm (APT44), the researchers underline that it is a distinct activity cluster. Electrum targeted exposed and vulnerable systems involved in dispatch and grid-facing communication, remote terminal units (RTUs), network edge devices, monitoring and control systems, and Windows-based machines at DER sites. Electrum successfully disabled communications equipment at multiple sites, resulting in a loss of remote monitoring and control, but power generation on the units continued without interruption. Certain OT/ICS devices were disabled, and their configurations were corrupted beyond recovery, while Windows systems at the sites were wiped. Even if the attacks had succeeded in cutting the power, the relatively narrow targeting scope would not have been enough to cause a nationwide blackout in Poland. However, they could have caused significant destabilization of the system frequency. "Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse," the researchers say.

CERT Polska revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power (CHP) plant in Poland on December 29, 2025. The attacks were attributed to a threat cluster dubbed Static Tundra, which is linked to Russia's Federal Security Service's (FSB) Center 16 unit. The attacks had a purely destructive objective but did not affect the ongoing production of electricity or the heat supply to end users. The attackers gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper. In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating back to March 2025, enabling them to escalate privileges and move laterally across the network. The attackers' attempts to detonate the wiper malware were unsuccessful. The targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. At least four different versions of DynoWiper have been discovered to date. The wiper's functionality involves initializing a pseudorandom number generator (PRNG) called Mersenne Twister, enumerating files and corrupting them using the PRNG, and deleting files. The malware has no persistence mechanism, no way to communicate with a command-and-control (C2) server, and no ability to execute shell commands, and it does not attempt to hide its activity from security programs. The attack targeting the manufacturing sector company involved a PowerShell-based wiper dubbed LazyWiper, a script that overwrites files on the system with pseudorandom 32-byte sequences to render them unrecoverable. The malware used in the incident involving renewable energy farms was executed directly on the HMI machine. In the CHP plant and the manufacturing sector company, the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller. The attacker used credentials obtained from the on-premises environment in attempts to gain access to cloud services, downloading selected data from services such as Exchange, Teams, and SharePoint. The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations.