{
	"id": "3f1def6d-e0ca-4ac2-9a43-ad656d575f2a",
	"created_at": "2026-04-06T01:32:06.804998Z",
	"updated_at": "2026-04-10T13:13:00.557354Z",
	"deleted_at": null,
	"sha1_hash": "b0770e0e84ea79d934c47c48012fbcd301cc99a5",
	"title": "Fake Microsoft Teams updates lead to Cobalt Strike deployment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1399383,
	"plain_text": "Fake Microsoft Teams updates lead to Cobalt Strike deployment\r\nBy Ionut Ilascu\r\nPublished: 2020-11-09 · Archived: 2026-04-06 01:14:20 UTC\r\nRansomware operators are using malicious fake ads for Microsoft Teams updates to infect systems with backdoors that deploy Cobalt Strike to compromise the rest of the network.\r\nThe attacks target organizations in various industries, but recent ones focused on the education sector (K-12), which depends on videoconferencing solutions due to Covid-19 restrictions.\r\nFrom infostealer to Cobalt Strike\r\nIn a non-public security advisory seen by BleepingComputer, Microsoft is warning its customers about these FakeUpdates campaigns, offering recommendations that would lower the impact of the attack via its Defender ATP service.\r\nhttps://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/\r\nPage 1 of 4\r\nFakeUpdates attacks were seen in 2019 delivering DoppelPaymer ransomware. But this year, the malvertising campaigns dropped WastedLocker and showed technical evolution.\r\nFor instance, they started using signed binaries and various second-stage payloads.\r\nMore recently, the attackers exploited the ZeroLogon (CVE-2020-1472) critical vulnerability to gain admin access to the network. This occurred via the SocGholish JavaScript framework, found earlier this year on dozens of hacked newspaper sites owned by the same company.\r\nPlanting the malicious fake ads that lure unsuspecting users into clicking them to install an update was possible by poisoning search engine results or through malicious online advertisements.\r\nIn at least one attack Microsoft detected, the crooks purchased a search engine ad that caused top results for Teams software to point to a domain under their control.\r\nClicking on the link downloaded a payload that executed a PowerShell script to retrieve more malicious content. It also installed a legitimate copy of Microsoft Teams on the system to keep victims unaware of the attack.\r\nMicrosoft says that in many cases the initial payload was the Predator the Thief infostealer, which sends the attacker sensitive information like credentials, browser, and payment data. Other malware distributed this way includes the Bladabindi (NJRat) backdoor and the ZLoader stealer.\r\nThe malware also downloaded other payloads, with Cobalt Strike beacons among them, thus allowing the attacker to discover how they could move laterally across the network.\r\nsource: Microsoft\r\nIn several of the observed attacks, the last stage was detonating file-encrypting malware on the network computers.\r\nMicrosoft is warning that the same patterns seen in the FakeUpdates campaigns using Teams updates as a lure were observed in at least six others, suggesting the same actor is behind them. In some variations of the same theme, the attacker used the IP Logger URL shortening service.\r\nMitigation advice\r\nMicrosoft recommends using web browsers that can filter and block malicious websites (scam, phishing, malware and exploit hosts) along with using strong, random passwords for local administrators.\r\nLimiting admin privileges to essential users and avoiding domain-wide service accounts that have the same permissions as an administrator are also on the list of measures that would reduce the impact of an attack.\r\nTo minimize the attack surface, Microsoft recommends blocking executable files that do not meet specific criteria such as prevalence and age or are outside a regularly maintained trusted list.\r\nBlocking JavaScript and VBScript code from downloading executable content also adds to the defenses of the environment.\r\nSource: https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/"
	],
	"report_names": [
		"fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439126,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0770e0e84ea79d934c47c48012fbcd301cc99a5.pdf",
		"text": "https://archive.orkl.eu/b0770e0e84ea79d934c47c48012fbcd301cc99a5.txt",
		"img": "https://archive.orkl.eu/b0770e0e84ea79d934c47c48012fbcd301cc99a5.jpg"
	}
}