216.73.216.86

Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers

· Published 02/10/2025 10:24 · Modified 02/10/2025 10:45

Export JSON

Essential information

Published
02/10/2025 10:24
Modified
02/10/2025 10:45
Tags
2025-10-02 broomstick c2 communication dll sideloading malvertising microsoft teams oyster oyster backdoor persistence seo poisoning trojanized installer
Related entities
15 observables, 12 techniques (mitre), 2 malware

Description

A new campaign is distributing the () backdoor through trojanized installers. Threat actors are using and to trick users into downloading fake installers from spoofed websites. The malicious installers deploy a persistent backdoor that enables remote access, gathers system information, and supports additional payload delivery while evading detection. This tactic mirrors earlier fake PuTTY campaigns, showing a trend of abusing trusted software for initial access. The backdoor communicates with attacker-controlled C2 domains and uses via rundll32.exe for stealthy execution. Organizations are advised to download software only from verified sources and avoid relying on search engine advertisements.

External references