{
	"id": "a8e22fb5-b310-4d3e-97cb-3f8de8859bb5",
	"created_at": "2026-04-06T01:30:16.683698Z",
	"updated_at": "2026-04-10T03:23:51.484929Z",
	"deleted_at": null,
	"sha1_hash": "fb677c30beef156b7a07a9a19a09efd9fd98465e",
	"title": "Oyster Malware Delivery via Teams Fake App - Malasada Tech",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 666343,
	"plain_text": "Oyster Malware Delivery via Teams Fake App - Malasada Tech\r\nBy Aaron Samala\r\nPublished: 2025-09-28 · Archived: 2026-04-06 00:41:20 UTC\r\nTL;DR\r\nOyster malware delivery via MS Teams Fake App.\r\nTactical Pause\r\nTHE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO\r\nNOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH,\r\nANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN\r\nPERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED\r\nHERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR\r\nFUNDED BY MY EMPLOYER.\r\nIntro\r\nOyster malware is being delivered via an MS Teams Fake App. This post will not cover what Oyster malware is or its\r\nhistory. It covers the delivery and some of the execution indicators. The intended audience for\r\nthis is Thruntellisearch analysts – that is, threat hunt/intelligence/research analysts. It includes links to\r\nhIGMA and SIGMA rules to hunt internally and externally.\r\nInitial Lead\r\nThe initial lead for this was a post by David Kasabji (@roo7cause) on X [1]. The Conscia link has more details\r\n[2].\r\nhttps://malasada.tech/oyster-malware-delivery-via-teams-fake-app/\r\nPage 1 of 10\n\nI used the teams-install[.]icu indicator that David provided. urlscan has a scan task available for analysis [3].\r\nThe main transaction to look for is download-script.js. Note: sometimes the filename has numbers after\r\n“download-script”.\r\nThe response shows that the value we want is stored in the apiUrls variable [4]. The snip below shows the apiUrls\r\nvalue and the checkUrlAvailability function. 
I observed that the apiUrls domain returns a decoy response if the\r\nOPTIONS method and the application/json Content-Type header aren’t set.\r\nThe next part requests the /create/link route. It first checks whether the apiUrls domain is available. When it is\r\navailable, it sends a POST request with the “msteams” Content-Encoding header added. When it receives the\r\ndownload URL, it adds it to the DOM as an anchor, clicks the anchor, and then removes the anchor\r\nfrom the DOM.\r\nI found a similar MS Teams Masq site (teams-install[.]top) and ran it in Any Run [5]. The urlApi variable was\r\neastridge-infotech[.]com. The transactions are shown below.\r\nFirst there is the OPTIONS request to the /create/link route with the application/json Content-Type header. There\r\nwere two of them. The first one is below.\r\nNext is the POST request shown below. It shows that the route to download the malware is\r\n“/gov/e59b6d89b90dd6dbbe3aa3ac163eea3d659e952bac6a6bf65b99e40157cb95f5”.\r\nThe snip below shows the request for the malware from the downloadUrl. The filename is “MSTeamsSetup.exe”.\r\nExecution\r\nAny Run flags it as “oyster”. It creates the scheduled task “CaptureService”.\r\nBeacon\r\nAny Run shows MSTeamsSetup.exe connecting to nickbush24[.]com.\r\nThe first request is a GET request to the /reg route using “WordPressAgent” as the User-Agent value. The\r\nresponse body is success.\r\nThe second request is a GET request to the /login route using “FingerPrint” as the User-Agent value. The response\r\nis some kind of encoded or encrypted value.\r\nThe scheduled task was to run rundll32.exe. 
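The hunt a Thruntellisearch analyst would want for the delivery chain and the first MSTeamsSetup.exe beacon described so far, as an added example that is not code from this post or from the campaign it describes. The proxy log format, the field names and the sample lines are constructed assumptions; the /create/link route, the application/json OPTIONS gate, the msteams Content-Encoding value, the /reg and /login routes and the WordPressAgent and FingerPrint User-Agent strings are the ones reported above.

```python
# Added example (not code from the Malasada Tech post): hunt proxy-style HTTP logs for
# (1) the fake-installer delivery chain: OPTIONS /create/link with an application/json
#     Content-Type, then POST /create/link with Content-Encoding: msteams, and
# (2) the first MSTeamsSetup.exe beacon: GET /reg with User-Agent WordPressAgent and
#     GET /login with User-Agent FingerPrint.
# Log format, field names and sample lines are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class HttpEvent:
    ts: int                  # epoch seconds
    client: str              # internal host that sent the request
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)   # request headers, lower-cased keys


# Constructed sample log (assumption: pipe-delimited export, headers as k=v;k=v).
# Hosts are the ones named in the post; the last two lines are benign noise.
SAMPLE_LOG = [
    '1727500000|10.0.0.5|GET|teams-install.icu|/download-script.js|',
    '1727500002|10.0.0.5|OPTIONS|eastridge-infotech.com|/create/link|content-type=application/json',
    '1727500003|10.0.0.5|POST|eastridge-infotech.com|/create/link|content-type=application/json;content-encoding=msteams',
    '1727500060|10.0.0.5|GET|nickbush24.com|/reg|user-agent=WordPressAgent',
    '1727500061|10.0.0.5|GET|nickbush24.com|/login|user-agent=FingerPrint',
    '1727500100|10.0.0.9|GET|teams.microsoft.com|/|user-agent=Mozilla/5.0',
    '1727500101|10.0.0.9|POST|api.example.com|/create/link|content-type=application/json',
]


def parse_line(line):
    # ts|client|method|host|path|headers  (assumed export layout)
    ts, client, method, host, path, raw_headers = line.split('|', 5)
    headers = {}
    for kv in raw_headers.split(';'):
        if '=' in kv:
            k, v = kv.split('=', 1)
            headers[k.strip().lower()] = v.strip()
    return HttpEvent(int(ts), client, method.upper(), host.lower(), path, headers)


def detect_delivery(events, window=120):
    # A POST to /create/link carrying the non-standard Content-Encoding value 'msteams'
    # is the signal on its own; a preceding OPTIONS to the same route with an
    # application/json Content-Type from the same client (the decoy gate the post
    # describes) within `window` seconds raises confidence.
    preflight = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.path != '/create/link':
            continue
        key = (e.client, e.host)
        if e.method == 'OPTIONS' and e.headers.get('content-type', '').startswith('application/json'):
            preflight[key] = e.ts
        elif e.method == 'POST' and e.headers.get('content-encoding', '').lower() == 'msteams':
            gated = key in preflight and e.ts - preflight[key] <= window
            hits.append({'client': e.client, 'host': e.host,
                         'confidence': 'high' if gated else 'medium'})
    return hits


# Exact route + User-Agent pairs reported for the first MSTeamsSetup.exe check-ins.
BEACON_SIGNATURES = {('/reg', 'WordPressAgent'), ('/login', 'FingerPrint')}


def detect_beacon(events):
    return [{'client': e.client, 'host': e.host, 'path': e.path,
             'ua': e.headers.get('user-agent', '')}
            for e in events
            if e.method == 'GET' and (e.path, e.headers.get('user-agent', '')) in BEACON_SIGNATURES]


def hunt(lines):
    events = [parse_line(l) for l in lines if l.strip()]
    return {'delivery': detect_delivery(events), 'beacon': detect_beacon(events)}


if __name__ == '__main__':
    for kind, rows in hunt(SAMPLE_LOG).items():
        for row in rows:
            print(kind, row)
```

The msteams Content-Encoding value is not a registered content coding, so a POST carrying it is worth an alert even without the OPTIONS preflight; the benign POST to /create/link from 10.0.0.9 in the sample is ignored because it lacks that header. The beacon match is deliberately exact on route and User-Agent so that ordinary WordPress or fingerprinting traffic does not fire it.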
Any Run shows rundll32.exe communicating with\r\ntechwisenetwork[.]com.\r\nIt first makes a GET request to the /api/kcehc route. The response is just curly brackets.\r\nIt next makes a POST request to the /api/kcehc route with content in the request body. The response is some kind\r\nof encoded or encrypted response.\r\nFinally, there are multiple POST requests to the /api/jgfnsfnuefcnegfnehjbfncejfh route. The request and response\r\nappear to have encoded or encrypted content in the body.\r\nSummary\r\nOyster malware is being delivered via MS Teams Fake App.\r\nIndicators\r\nteams-download[.]buzz\r\nteams-download[.]icu\r\nteams-download[.]top\r\nteams-install[.]icu\r\nteams-install[.]top\r\nteams-install[.]run\r\neastridge-infotech[.]com\r\nwitherspoon-law[.]com\r\ntechwisenetwork[.]com\r\ndatadrivendreamers[.]com\r\ncybersavvynetwork[.]com\r\ndaringdatadaredevils[.]com\r\nfunkyfirmware[.]com\r\n185.28.119[.]228\r\n51.222.96[.]108\r\n51.222.96[.]69\r\n135.125.241[.]45\r\n85.239.53[.]66\r\nPivots\r\nThe following pivots are written in hIGMA [https://github.com/MalasadaTech/hIGMA/tree/main].\r\nPivot on the title to find the masq pages:\r\nhttps://github.com/MalasadaTech/hIGMA/blob/main/rules/fake-msteams-to-deliver-oyster.yaml\r\nPivot on the domain registration and hosting info to find the delivery domains (apiUrls):\r\nhttps://github.com/MalasadaTech/hIGMA/blob/main/rules/fake-msteams-installer-delivery-domains.yaml\r\nPivot on the response hash to find Oyster Malware C2:\r\nhttps://github.com/MalasadaTech/hIGMA/blob/main/rules/oyster-malware-c2-via-response-hash.yaml\r\nDetections\r\nThe SIGMA rules to detect these activities are listed 
here:\r\nhttps://github.com/MalasadaTech/sigma/tree/main/rules/20250928-oyster-malware-delivered-via-teams-fakeapp.\r\nReferences\r\n1 - https://x.com/roo7cause/status/1971453273862176887\r\n2 - https://conscia.com/blog/from-seo-poisoning-to-malware-deployment-malvertising-campaign-uncovered/\r\n3 - https://urlscan.io/result/0199811b-9f6b-7783-a214-978680e2ab76/\r\n4 - https://urlscan.io/responses/291973f004fcaa78e053a33a99b2bb0b09cb80d9e972aa26d0b5715c75eef64a/\r\n5 - https://app.any.run/tasks/6d3e33b3-bfcc-4084-9d6a-70b0e594d43e\r\nwith planny aloha mahalo for your time\r\nSource: https://malasada.tech/oyster-malware-delivery-via-teams-fake-app/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malasada.tech/oyster-malware-delivery-via-teams-fake-app/"
	],
	"report_names": [
		"oyster-malware-delivery-via-teams-fake-app"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439016,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb677c30beef156b7a07a9a19a09efd9fd98465e.pdf",
		"text": "https://archive.orkl.eu/fb677c30beef156b7a07a9a19a09efd9fd98465e.txt",
		"img": "https://archive.orkl.eu/fb677c30beef156b7a07a9a19a09efd9fd98465e.jpg"
	}
}