{
  "name": "Lorem Ipsum Malware: Trojanized MS Teams Installers",
  "slug": "lorem-ipsum-malware-trojanized-ms-teams-installers",
  "description": "An emerging threat group is conducting a global SEO-poisoning campaign distributing trojanized Microsoft Teams installers that deploy a multi-stage shellcode loader and backdoor designated Lorem Ipsum. Active since February 2026, the campaign targets users searching for Microsoft Teams across six countries, with confirmed targeting of a US healthcare organization. The operators evolved rapidly from minimally obfuscated test builds to sophisticated loaders featuring substitution cipher decoding, XOR-encrypted shellcode, DLL sideloading, and JFIF-disguised C2 traffic. The malware distinctively abuses letsdiskuss[.]com, a legitimate India-based platform, as a dead-drop resolver for C2 infrastructure. Attackers use validly signed MSI installers carrying short-lived (three-day) Microsoft ID Verified certificates, Namecheap-registered infrastructure weaponized within hours, and per-victim UUID-tracked callbacks. Development velocity suggests possible LLM-assisted tooling, indicating a well-funded mid-tier criminal actor operating...",
  "published": "2026-05-04T23:46:53.433000+00:00",
  "created_at": "2026-05-05T10:36:14.586000+00:00",
  "modified_at": "2026-05-05T08:36:14+00:00",
  "created_at_opencti": "2026-05-05T10:36:14.586000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "code-signing abuse",
    "microsoft teams",
    "multi-stage loader",
    "seo poisoning",
    "trojanized installers"
  ],
  "tags": [
    "2026-05-04",
    "code-signing-abuse",
    "microsoft teams",
    "multi-stage loader",
    "seo poisoning",
    "trojanized installers"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "c832695d-b1ea-49c4-b1a6-72192661c002",
        "name": "www.letsdiskuss.com"
      },
      {
        "id": "5648d4d8-17f6-4ec4-8380-871ec77473ec",
        "name": "reeeeealy.com"
      },
      {
        "id": "e3a952d8-fa85-4ea4-82b7-647d5dcea98c",
        "name": "https://www.letsdiskuss.com/user/dhuahsd12d2752"
      },
      {
        "id": "0131dcc6-ffc1-4fa5-bbac-dd393e0c013c",
        "name": "semigoddess.com"
      },
      {
        "id": "e0f46b8f-1056-4ec1-b6a6-7fb3ac2e440f",
        "name": "ba5d73ca2c5aced43c7605e5652ba31fc63ca9b1f419ee4b934757c010c60f75"
      },
      {
        "id": "0fafaf05-c7ef-4f73-8b4e-2b2c6ebaa36f",
        "name": "biblegodlike.com"
      },
      {
        "id": "90dbe4e5-e772-49e9-b287-f9c7636356ae",
        "name": "82ebca8612e203f6d8a2dcdc5e586095ebf94e5e29724ba92cd8bd090df47eb2"
      },
      {
        "id": "d4fe23ac-5e18-4017-be8e-300cff829b5a",
        "name": "official-teams-storage.com"
      },
      {
        "id": "abc32138-4887-4328-99e6-94ec79f770da",
        "name": "valeurban.com"
      },
      {
        "id": "229c49f6-7f48-494f-b5a7-3cd60e472cc8",
        "name": "045b76fa552dbfdfb7e5de66c9c599fe91151384be6a9849ec8965aa7251b818"
      },
      {
        "id": "8bc3c743-26dc-4bfb-98d6-4016565e75a8",
        "name": "https://official-teams-storage.com/files_dws_arch/MTSetup_v15.3.71194.msi"
      },
      {
        "id": "63cf45d9-afd5-4a38-862d-61caed00cea1",
        "name": "448afbdb6752c86e627d269ea244994d2c072d5110b490232dd7834943b043cb"
      },
      {
        "id": "03ace08f-3ae3-40fc-af1c-c0ebe46d5442",
        "name": "graburban.com"
      }
    ],
    "attack_patterns": [
      {
        "id": "79525d9e-3824-4347-a471-7dcea20fd864",
        "name": "T1583.006"
      },
      {
        "id": "6a146066-5a78-493c-a26a-133b62c1149e",
        "name": "T1588.002"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "d3254e3b-07e6-4420-96e0-2e107ce17712",
        "name": "T1102.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "b9a3b4f8-b9c0-4ed8-bf5e-bf759b9804d6",
        "name": "T1564"
      },
      {
        "id": "b8884212-2edd-42ca-81ae-b46c363b3592",
        "name": "T1608.002"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "6a8eba2e-51b0-4b6e-a733-a581dcbf4806",
        "name": "T1027.004"
      },
      {
        "id": "1e043fe4-2413-4b8e-887c-0fe45d095a24",
        "name": "T1583"
      },
      {
        "id": "3e7e47ba-d8ad-4aa8-a4fc-1167cec2e125",
        "name": "T1587.001"
      },
      {
        "id": "03b1ce63-5c00-48de-90c1-7996e7785bb7",
        "name": "T1584.006"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "7d03ac30-b4e0-4ef9-bb23-80667e2c8123",
        "name": "T1127"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "9c5a20d1-0df9-4e99-bcc5-0b731a78b5d1",
        "name": "T1608"
      }
    ],
    "malware": [
      {
        "id": "67ed585a-32ea-470a-9da2-3ba2a5b7f909",
        "name": "Lorem Ipsum",
        "slug": "lorem-ipsum"
      }
    ],
    "observables": [
      {
        "id": "0b214470-541c-42e0-8dc5-c005fe7a3d0c",
        "name": "biblegodlike.com"
      },
      {
        "id": "ba29aa86-da01-46df-ac98-f6fa2bf24040",
        "name": "official-teams-storage.com"
      },
      {
        "id": "21d985b5-dd4f-43cf-831b-4a77f630bddb",
        "name": "valeurban.com"
      },
      {
        "id": "bcd6bfb3-70ed-43b0-879c-e04f7d60f471",
        "name": "reeeeealy.com"
      },
      {
        "id": "f3fee83c-af93-4ca0-ae7f-deef210ed5a7",
        "name": "semigoddess.com"
      },
      {
        "id": "45149721-a8d3-4029-874e-aaebdde92689",
        "name": "graburban.com"
      },
      {
        "id": "f0c13cbc-8972-43a8-b4f7-108c92555861",
        "name": "www.letsdiskuss.com"
      },
      {
        "id": "cd46cc81-74a0-462b-be2a-37211b7b03ca",
        "name": "https://official-teams-storage.com/files_dws_arch/MTSetup_v15.3.71194.msi"
      },
      {
        "id": "22bfdd40-831a-4550-bb10-4daeaa7d127e",
        "name": "https://www.letsdiskuss.com/user/dhuahsd12d2752"
      },
      {
        "id": "",
        "name": "ba5d73ca2c5aced43c7605e5652ba31fc63ca9b1f419ee4b934757c010c60f75"
      },
      {
        "id": "",
        "name": "82ebca8612e203f6d8a2dcdc5e586095ebf94e5e29724ba92cd8bd090df47eb2"
      },
      {
        "id": "",
        "name": "045b76fa552dbfdfb7e5de66c9c599fe91151384be6a9849ec8965aa7251b818"
      },
      {
        "id": "",
        "name": "448afbdb6752c86e627d269ea244994d2c072d5110b490232dd7834943b043cb"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "reeeeealy.com"
      },
      {
        "id": "",
        "name": "semigoddess.com"
      },
      {
        "id": "",
        "name": "biblegodlike.com"
      },
      {
        "id": "",
        "name": "official-teams-storage.com"
      },
      {
        "id": "",
        "name": "valeurban.com"
      },
      {
        "id": "",
        "name": "graburban.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "808d609f-f7fa-4743-8c03-b321781515c8",
      "standard_id": "external-reference--6efcb9b4-328b-53ca-a02a-0819901f282a",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69f92fedbdf318f94db2fc63",
      "hash": null,
      "external_id": "69f92fedbdf318f94db2fc63",
      "created": "2026-05-05T10:36:14.486Z",
      "modified": "2026-05-05T10:36:14.486Z",
      "createdById": null
    },
    {
      "id": "15df1232-c3a9-46fe-846b-7c196ea6f70d",
      "standard_id": "external-reference--83d9d9bf-b647-5aa6-8f59-16442e36c897",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.bluevoyant.com/blog/lorem-ipsum-trojanized-microsoft-teams-installers-multi-stage-loader-backdoor",
      "hash": null,
      "external_id": null,
      "created": "2026-05-05T10:36:14.518Z",
      "modified": "2026-05-05T10:36:14.518Z",
      "createdById": null
    }
  ]
}