Lorem Ipsum Malware: Trojanized MS Teams Installers
Essential information
- Published: 05/05/2026 01:46
- Modified: 05/05/2026 10:36
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: code-signing abuse, microsoft teams, multi-stage loader, seo poisoning, trojanized installers
- Tags: 2026-05-04, code-signing-abuse, microsoft teams, multi-stage loader, seo poisoning, trojanized installers
- Related entities: 13 indicators, 13 observables, 20 techniques (MITRE), 1 malware, 8 others
Description
An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers with three-day Microsoft ID Verified certificates, NameCheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...