{
	"id": "86e3ff4a-f1fc-42e2-ab69-6bafc5d352a1",
	"created_at": "2026-04-06T00:10:55.666063Z",
	"updated_at": "2026-04-10T13:11:35.772385Z",
	"deleted_at": null,
	"sha1_hash": "f38d2716d30ada54aacf423c69567acc2105bf3f",
	"title": "Malicious Teams Installers Drop Oyster Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66866,
	"plain_text": "Malicious Teams Installers Drop Oyster Malware\r\nArchived: 2026-04-05 19:43:11 UTC\r\nThe Blackpoint SOC is tracking a new campaign in which threat actors abuse SEO poisoning and malvertising to lure users into downloading a fake Microsoft Teams installer. Victims searching for Teams online are redirected to rogue ads and fraudulent download pages, where they are offered a malicious MSTeamsSetup.exe instead of the legitimate client. This activity closely resembles tactics seen in earlier fake PuTTY campaigns, highlighting a recurring trend of adversaries weaponizing trusted software brands to gain initial access.\r\nExecution of the fake installer deploys the Oyster backdoor, also known as Broomstick. Oyster is a modular, multistage backdoor that provides persistent remote access, establishes Command and Control (C2) communications, collects host information, and enables the delivery of follow-on payloads. By hiding behind a widely used collaboration platform, Oyster is well positioned to evade casual detection and blend into the noise of normal enterprise activity.\r\nThis campaign highlights how threat actors pair malvertising with commodity malware families to lower the barriers to infection. By exploiting user trust in familiar enterprise software and search engine results, attackers increase their chances of successful compromise while maintaining stealthy, long-term access. Organizations should encourage personnel to use bookmarks and verified vendor domains when downloading software, and to remain aware that even common productivity tools can be abused as vehicles for malware delivery.\r\nKey Findings\r\nThreat actors are leveraging SEO poisoning and malicious advertisements to trick users into downloading backdoored versions of Microsoft Teams from spoofed websites. 
\r\nThese fake installers mimic the legitimate Teams client but silently deploy a persistent backdoor in the background without user awareness.\r\nThe backdoor, known as Oyster (or Broomstick), enables remote access, gathers system information, and supports delivery of additional payloads while evading detection through stealthy execution.\r\nThis activity mirrors tactics seen in earlier fake PuTTY campaigns, demonstrating a continued trend of adversaries abusing trusted software to establish initial access.\r\nOrganizations should download collaboration and administrative tools only from verified sources, ideally using saved bookmarks, rather than relying on search engine results.\r\nBlackpoint has observed this kill chain bypass some traditional AV/EDR products.\r\nObserved Killchain\r\nhttps://blackpointcyber.com/blog/malicious-teams-installers-drop-oyster-malware/\r\nPage 1 of 4\n\nOyster Joins the Call\r\nThe Blackpoint SOC is tracking a new campaign delivering the Oyster backdoor through trojanized Microsoft Teams installers. These malicious installers are distributed through a combination of SEO poisoning and malvertising, designed to socially engineer users into downloading what appears to be a legitimate version of Microsoft Teams from spoofed websites.\r\nIn one identified campaign, the malware was delivered from the domain teams-install[.]top. When users searched for “teams download” via search engines, they were presented with a malicious sponsored advertisement that closely mimicked the official Microsoft download portal. Clicking on the ad redirected users to the spoofed site, where a file named MSTeamsSetup.exe was served, masquerading as a legitimate Teams client.\r\nFigure 1: The malicious domain serving the fake Microsoft Teams installer.\r\nAnalysis of the binaries also revealed that the malicious installers are signed with untrustworthy certificates in an attempt to appear legitimate. 
The MSTeamsSetup.exe samples we examined carried code-signing certificates in the names of 4th State Oy and NRM NETWORK RISK MANAGEMENT INC. By attaching a digital signature, threat actors aim to pass basic trust checks and reduce suspicion from both end users and security controls that flag unsigned executables; a valid signature only proves which certificate signed the file, not that the signer is trustworthy.\r\nExecution of the trojanized installer drops a DLL named CaptureService.dll into a randomly named folder under %APPDATA% (the user's AppData\\Roaming directory). It then creates a scheduled task named CaptureService, configured to invoke the DLL on a regular schedule, providing persistence on the host. The scheduled task executes rundll32.exe with CaptureService.dll as its payload, establishing the Oyster backdoor.\r\nThe execution of this trojanized installer results in the following kill chain:\r\nFigure 2: The resulting process tree associated with execution of the trojanized installer.\r\nOyster, also known as Broomstick, is a modular backdoor that enables remote access, system profiling, and deployment of additional payloads. Its lightweight execution and its use of the signed Windows binary rundll32.exe to load the DLL allow it to blend into normal Windows activity while maintaining persistence. In this campaign, Oyster was observed communicating with nickbush24[.]com and techwisenetwork[.]com, attacker-controlled C2 domains.\r\nThis activity highlights the continued abuse of SEO poisoning and malicious advertisements to deliver commodity backdoors under the guise of trusted software. Much like the fake PuTTY campaigns observed earlier this year, threat actors are exploiting user trust in search results and well-known brands to gain initial access. To reduce exposure, organizations should encourage personnel to download collaboration tools only from verified Microsoft domains and avoid reliance on search engine advertisements for critical software. 
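One way to hunt for the persistence mechanism described above on a Windows host, as an added example that is not part of the original post or of Blackpoint's tooling: the PowerShell below enumerates scheduled tasks whose action runs rundll32.exe against a DLL under the roaming profile (%APPDATA%), then checks that DLL against the SHA256 hashes and certificate signer names from the IOC table further down the page. It assumes only the built-in ScheduledTasks module and standard cmdlets (Get-ScheduledTask, Get-FileHash, Get-AuthenticodeSignature); the function names Test-OysterFile and Get-SuspiciousRundll32Tasks are this example's own. Run it from an elevated session so tasks registered by other users are visible.

```powershell
# Added hunt script, not Blackpoint's code. It looks for the persistence the
# post describes: a scheduled task running rundll32.exe against a DLL dropped
# under the user's roaming profile, and checks each file it finds against the
# hashes and certificate signers from the post's IOC table.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).

# SHA256 hashes of the files named in the IOC table, lowercased for comparison.
$knownHashes = @(
    '9dc86863e3188912c3816e8ba21eda939107b8823f1afc190c466a7d5ca708d1',  # MSTeamsSetup.exe
    'ac5065a351313cc522ab6004b98578a2704d2f636fc2ca78764ab239f4f594a3',  # MSTeamsSetup.exe
    '512d7efb22bc59c84683f931d5ad1e1a092791eeff20b45df0e37864a95ea4d3',  # Setup.exe
    '035945729ad4e4b7c6ce4d5760c5f59baf35a74cd7eb75eedc91135f0bae34fc',  # setup_v12.8.exe
    'd47f28bf33f5f6ee348f465aabbfff606a0feddb1fb4bd375b282ba1b818ce9a',  # CaptureService.dll
    'd46bd618ffe30edea56561462b50eb23feb4b253316e16008d99abb4b3d48a02',  # CaptureService.dll
    'e764cde2ec7a245e8c886453783dc1192791b15b34c4a603379dcb5effd097d6',  # SecurityCore.dll
    'c4856a275bdee556b6e771b27bd59347d97fc5f6404ec8e8d8d75833ab5f7b6b',  # rororordl.dll
    '90b633cacfa185dd912a945f370e14191644ecff1300dbce72e2477171753396'   # Ads.dll
)
# Names on the code-signing certificates the post calls out.
$knownSigners = @('4th State Oy', 'NRM NETWORK RISK MANAGEMENT INC', 'Management Performance Auto Service Ltd')

# Returns the reasons a single file matches the campaign's file indicators.
function Test-OysterFile {
    param([string]$Path)
    $reasons = @()
    if (-not (Test-Path -LiteralPath $Path)) { return @('DLL path not present on disk') }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($knownHashes -contains $hash) { $reasons += 'SHA256 matches IOC list' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        foreach ($name in $knownSigners) {
            if ($subject -like ('*' + $name + '*')) { $reasons += ('signed by known bad publisher: ' + $name) }
        }
    }
    return $reasons
}

# Enumerates scheduled tasks whose action is rundll32.exe loading a DLL from
# the roaming profile, the persistence mechanism described in the post.
function Get-SuspiciousRundll32Tasks {
    $findings = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute          # empty for non-exec actions
            if ($exe -notmatch 'rundll32') { continue }
            $arguments = [string]$action.Arguments
            $reasons = @()
            if ($task.TaskName -eq 'CaptureService') { $reasons += 'task name matches campaign' }
            # The dot stands in for the path separator so the pattern also
            # matches the unexpanded %APPDATA% form of the path.
            if ($arguments -match '(?i)AppData.Roaming|%APPDATA%') { $reasons += 'DLL lives under the roaming profile' }
            # rundll32 syntax is <dll>,<entrypoint>; take the DLL token, drop
            # surrounding quotes (char 34) and expand environment variables.
            $m = [regex]::Match($arguments, '(?i)[^,]+?[.]dll')
            $dll = if ($m.Success) { [Environment]::ExpandEnvironmentVariables($m.Value.Trim().Trim([char]34)) } else { '' }
            # Only rooted paths are checked; bare names like shell32.dll resolve
            # through the loader search order and are normal for system tasks.
            if ($dll -and [System.IO.Path]::IsPathRooted($dll)) { $reasons += Test-OysterFile -Path $dll }
            if ($reasons.Count -gt 0) {
                $findings += [PSCustomObject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Dll      = $dll
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

Get-SuspiciousRundll32Tasks | Format-Table -AutoSize
```

Test-OysterFile can also be pointed directly at a downloaded MSTeamsSetup.exe, since the signer check is what catches the installers rather than the dropped DLL. A hit on the roaming-profile pattern alone is a lead to triage, not proof of compromise; the hash and signer matches are the high-confidence signals.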
\r\nIndicators of Compromise (IOCs)\r\nFile   SHA256\r\nMSTeamsSetup.exe   9dc86863e3188912c3816e8ba21eda939107b8823f1afc190c466a7d5ca708d1\r\nMSTeamsSetup.exe   ac5065a351313cc522ab6004b98578a2704d2f636fc2ca78764ab239f4f594a3\r\nSetup.exe   512d7efb22bc59c84683f931d5ad1e1a092791eeff20b45df0e37864a95ea4d3\r\nsetup_v12.8.exe   035945729ad4e4b7c6ce4d5760c5f59baf35a74cd7eb75eedc91135f0bae34fc\r\nCaptureService.dll   d47f28bf33f5f6ee348f465aabbfff606a0feddb1fb4bd375b282ba1b818ce9a\r\nCaptureService.dll   d46bd618ffe30edea56561462b50eb23feb4b253316e16008d99abb4b3d48a02\r\nSecurityCore.dll   e764cde2ec7a245e8c886453783dc1192791b15b34c4a603379dcb5effd097d6\r\nrororordl.dll   c4856a275bdee556b6e771b27bd59347d97fc5f6404ec8e8d8d75833ab5f7b6b\r\nAds.dll   90b633cacfa185dd912a945f370e14191644ecff1300dbce72e2477171753396\r\nIndicator   Type\r\nCaptureService   Malicious Scheduled Task\r\nteam[.]frywow[.]com   Malvertising Domain\r\nteams-install[.]icu   Malvertising Domain\r\nteams-install[.]top   Malvertising Domain\r\nanydesksoftware[.]net   Malvertising Domain\r\nnickbush24[.]com   Oyster C2\r\ntechwisenetwork[.]com   Oyster C2\r\nmaddeehot[.]online   Oyster C2\r\nserver-na-qc2[.]farsafe[.]net   Oyster C2\r\nurbangreencorner[.]com   Oyster C2\r\ngloitch[.]com   Oyster C2\r\nzephalon[.]com   Oyster C2\r\ndoctorreportcard[.]com   Oyster C2\r\n185.28.119[.]166   Oyster C2\r\n45.86.230[.]127   Oyster C2\r\n146.19.49[.]226   Oyster C2\r\n149.56.95[.]175   Oyster C2\r\n185.28.119[.]252   Oyster C2\r\n45.66.248[.]112   Oyster C2\r\n54.39.83[.]187   Oyster C2\r\n185.28.119[.]228   Oyster C2\r\n4th State Oy   Malicious Cert Signer\r\nNRM NETWORK RISK MANAGEMENT INC.   Malicious Cert Signer\r\nManagement Performance Auto Service Ltd.
   Malicious Cert Signer\r\nRecommendations\r\nDownload software only from official vendor domains and use saved bookmarks instead of relying on search results or ads.\r\nUse allowlisting or reputation controls to block unsigned or untrusted installers; a signature from an unknown publisher should not by itself earn an installer trust.\r\nMonitor for newly created scheduled tasks whose action points into %APPDATA%, especially tasks named CaptureService.\r\nMonitor for rundll32.exe launched by installers or loading DLLs from user-writable directories.\r\nMonitor for newly registered or suspicious domains in network traffic, including the C2 domains and addresses listed above.\r\nTrain users on SEO poisoning and malvertising risks to reduce successful lures.\r\nDATE PUBLISHED: September 26, 2025\r\nAUTHORS: Sam Decker, Nevan Beal\r\nSource: https://blackpointcyber.com/blog/malicious-teams-installers-drop-oyster-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blackpointcyber.com/blog/malicious-teams-installers-drop-oyster-malware/"
	],
	"report_names": [
		"malicious-teams-installers-drop-oyster-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f38d2716d30ada54aacf423c69567acc2105bf3f.pdf",
		"text": "https://archive.orkl.eu/f38d2716d30ada54aacf423c69567acc2105bf3f.txt",
		"img": "https://archive.orkl.eu/f38d2716d30ada54aacf423c69567acc2105bf3f.jpg"
	}
}