Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers

A new campaign is distributing the Oyster (Broomstick) backdoor through trojanized Microsoft Teams installers. Threat actors are using SEO poisoning and malvertising to trick users into downloading fake installers from spoofed websites. The malicious installers deploy a persistent backdoor that enables remote access, gathers system information, and supports additional payload delivery while evading detection. This tactic mirrors earlier fake PuTTY campaigns, showing a trend of abusing trusted software for initial access. The backdoor communicates with attacker-controlled C2 domains and uses DLL sideloading via rundll32.exe for stealthy execution. Organizations are advised to download software only from verified sources and avoid relying on search engine advertisements.

Pulse ID: 68de52ef382d67c8bdc97094
Pulse Link: https://otx.alienvault.com/pulse/68de52ef382d67c8bdc97094
Pulse Author: AlienVault
Created: 2025-10-02 10:24:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #MaliciousAds #Malvertising #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RCE #Rust #SEOPoisoning #SideLoading #Trojan #Troll #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Potentially Unwanted Applications (PUAs) weaponized for covert delivery

A malware distribution campaign leveraging digitally signed binaries, deceptive packaging, and browser hijackers has been uncovered. The campaign centers around two malicious applications, ImageLooker.exe and Calendaromatic.exe, delivered via self-extracting 7-Zip archives. These artifacts align with the TamperedChef malware campaign, which uses trojanized productivity tools for initial access and data exfiltration. The malware employs NeutralinoJS framework, Unicode homoglyphs, and multiple digital signers to bypass detection. The campaign exploits user behavior through SEO poisoning and malvertising, masquerading as legitimate software. This sophisticated approach highlights the evolving tactics of threat actors in weaponizing PUAs and abusing digital code signing to evade security measures.

Pulse ID: 68da3d2fbeb1286aa4f67c07
Pulse Link: https://otx.alienvault.com/pulse/68da3d2fbeb1286aa4f67c07
Pulse Author: AlienVault
Created: 2025-09-29 08:02:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #ELF #ICS #InfoSec #Malvertising #Malware #OTX #OpenThreatExchange #RAT #SEOPoisoning #Trojan #ZIP #bot #AlienVault

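The TamperedChef post above calls out Unicode homoglyphs in the malicious packaging. What that looks like in practice, as an added example that is not code from the post or from the researchers it cites: inspect a file name for letters from a second script mixed into a Latin name, for invisible or bidirectional control characters, and for compatibility forms that NFKC folds to something else, then fold the name to the ASCII a human would read and compare it with the name being impersonated. The two legitimate-looking names (ImageLooker.exe, Calendaromatic.exe) come from the post; the look-alike variants and the small confusables table are constructed for the demo.

```python
"""Spot Unicode tricks in file names: letters from a second script mixed into a
Latin name (homoglyphs), invisible or bidirectional control characters, and
compatibility forms that normalise to something else.

The legitimate-looking names come from the TamperedChef post; the look-alike
variants are constructed for this example."""
import unicodedata
from collections import Counter

# Zero-width and bidi control characters: never legitimate in a file name.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u200e", "\u200f", "\u202a", "\u202b",
             "\u202c", "\u202d", "\u202e", "\u2060", "\u2066", "\u2067", "\u2068",
             "\u2069", "\ufeff"}

# Tiny illustrative subset of the Unicode confusables table (assumption: enough
# for the demo; a real check should load confusables.txt from unicode.org).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u03bf": "o",
               "\u03b1": "a", "\u0456": "i", "\u0458": "j"}


def script_of(ch: str):
    """Coarse script taken from the character's Unicode name, e.g.
    'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC'. None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else None


def inspect_filename(name: str):
    """Return a list of (codepoint, reason) tuples describing anything suspicious."""
    issues = []
    scripts = Counter(s for s in map(script_of, name) if s)
    dominant = scripts.most_common(1)[0][0] if scripts else None
    for ch in name:
        cp = f"U+{ord(ch):04X}"
        if ch in INVISIBLE:
            issues.append((cp, "invisible/bidi control: " + unicodedata.name(ch, "?")))
            continue
        s = script_of(ch)
        if s and s != dominant:
            issues.append((cp, f"{unicodedata.name(ch)} mixed into a {dominant} name"))
    if len(scripts) > 1:
        issues.append(("", "mixed scripts: " + ", ".join(sorted(scripts))))
    nfkc = unicodedata.normalize("NFKC", name)
    if nfkc != name:
        issues.append(("", f"compatibility characters; NFKC form is {nfkc!r}"))
    return issues


def skeleton(name: str) -> str:
    """Fold a name to the ASCII a human would read: drop invisibles, map the
    confusables we know, apply NFKC, lower-case."""
    folded = (CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", name)
              if ch not in INVISIBLE)
    return "".join(folded).lower()


def impersonates(name: str, legit: str) -> bool:
    """True when name reads like legit but is not simply a case variant of it."""
    return name.lower() != legit.lower() and skeleton(name) == skeleton(legit)


if __name__ == "__main__":
    # Constructed inputs: the first two are the names from the post, the rest
    # are homoglyph, fullwidth and right-to-left-override variants.
    samples = ["ImageLooker.exe", "Calendaromatic.exe",
               "Cal\u0435ndaromatic.exe", "\uff29mageLooker.exe", "invoice\u202efdp.exe"]
    for s in samples:
        print(repr(s), inspect_filename(s) or "clean")
    print(impersonates("Cal\u0435ndaromatic.exe", "Calendaromatic.exe"))
```

The mixed-script check is the strongest single signal for the homoglyph trick; an all-Cyrillic or all-Greek name is normal, a Latin name with one Cyrillic letter is not. The right-to-left override case is caught by the control-character set rather than by the skeleton, because what the user sees there is a reordered extension, not a look-alike letter.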
Fake Microsoft Teams installers push Oyster malware via malvertising

Hackers have been spotted using SEO poisoning and search engine advertisements to promote fake Microsoft Teams installers that infect Windows devices with the Oyster backdoor, providing initial access to corporate networks.

BleepingComputer

It's been a busy 24 hours in the cyber world with updates on nation-state activity, a concerning espionage attempt, new malware campaigns, and a look at the geopolitical tech landscape. Let's dive in:

Dutch Teens Arrested for Russian Espionage Attempt 🚨
- Two 17-year-old Dutch boys were arrested for attempting to spy for Russia, using WiFi sniffer devices near Europol, Eurojust, and the Canadian embassy in The Hague.
- Recruited via Telegram, this incident highlights a concerning trend of foreign adversaries leveraging younger individuals for reconnaissance and potentially more.
- While Europol confirmed no compromise of their systems, it's a stark reminder that even low-tech reconnaissance can be part of sophisticated state-sponsored operations.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/dutch-teens-arrested-for-trying-to-spy-on-europol-for-russia/

Chinese State-Sponsored Espionage Campaigns 🇨🇳
- Recorded Future's Insikt Group detailed a year-long campaign (June 2024 - July 2025) by Chinese state-sponsored group RedNovember (TAG-100, Storm-2077) targeting government, aerospace, defence, and professional services globally.
- RedNovember exploited internet-facing appliances like Ivanti Connect Secure, SonicWall VPN, Cisco ASA, F5 BIG-IP, Palo Alto GlobalProtect, Sophos SSL VPN, and OWA, deploying Go-based Pantegana backdoor, SparkRAT, and Cobalt Strike.
- Separately, new PlugX variants (linked to Lotus Panda/Naikon APT and BackdoorDiplomacy) are hitting Asian telecom and manufacturing, while Mustang Panda (Stately Taurus) continues to use the modular Bookworm malware against ASEAN networks, both relying on DLL side-loading.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/27/rednovember_chinese_espionage/
📰 The Hacker News | https://thehackernews.com/2025/09/china-linked-plugx-and-bookworm-malware.html

Fake Microsoft Teams Installers Push Oyster Malware 🎣
- Threat actors are leveraging malvertising and SEO poisoning to distribute fake Microsoft Teams installers that infect Windows devices with the Oyster backdoor (Broomstick, CleanUpLoader).
- Oyster grants remote access, command execution, and payload deployment capabilities, and has been linked to ransomware operations like Rhysida for initial access.
- The campaign uses code-signed executables and establishes persistence via a scheduled task, underscoring the ongoing effectiveness of social engineering and trusted software impersonation for network breaches.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-installers-push-oyster-malware-via-malvertising/

Alibaba's Global AI Ambitions and Challenges 🌍
- Alibaba has announced a $53 billion investment in global AI infrastructure, including new data centres in Europe, and released its Qwen3-Omni LLM under an Apache 2.0 license.
- The ambitious plan faces significant hurdles, particularly securing high-end GPUs due to US sanctions on Chinese entities, and navigating complex data sovereignty concerns in Europe.
- This move highlights the intensifying global competition in the GenAI space, not just in model development but also in the underlying infrastructure, with geopolitical factors heavily influencing resource availability and market access.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/27/alibaba_ai_drive/

#CyberSecurity #ThreatIntelligence #NationState #APT #Malware #Espionage #Malvertising #AI #Geopolitics #InfoSec #CyberAttack #IncidentResponse
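The Oyster pulse at the top of the page (DLL sideloading via rundll32.exe) and the digest bullet just above (persistence via a scheduled task) describe two behaviours that are easy to hunt for in process-creation and task-creation telemetry. The following is an added example, not code from either post or from the reporting they link to: it runs over constructed Sysmon-style EventID 1 and Windows Security EventID 4698 events, flags rundll32.exe loading a DLL from a user-writable directory, and then correlates any scheduled task whose action re-launches that DLL. The directory list, the DLL name and the task name in the sample are invented for the demo.

```python
"""Hunt for rundll32.exe DLL sideloading from user-writable paths and for
scheduled tasks that re-launch the same DLL (persistence).

All events below are constructed to look like Sysmon EventID 1 (process
creation) and Windows Security EventID 4698 (scheduled task created); the
file and task names are invented for the demo."""
import re
from dataclasses import dataclass
from typing import Optional

# Directories an unprivileged user can write to (assumption: a reasonable
# starting list, extend for your estate). A DLL handed to rundll32.exe from one
# of these deserves a look; one under C:\Windows\System32 usually does not.
USER_WRITABLE = re.compile(
    r"^c:\\(?:users\\[^\\]+\\(?:appdata|downloads)\\|programdata\\|windows\\temp\\|temp\\)",
    re.IGNORECASE,
)
# rundll32[.exe] <dll>[,<export>]  -- the DLL path may be quoted when it has spaces
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))(?:\s*,\s*(?P<export>\S+))?',
    re.IGNORECASE,
)
XML_CMD = re.compile(r"<Command>(.*?)</Command>", re.S)
XML_ARGS = re.compile(r"<Arguments>(.*?)</Arguments>", re.S)


@dataclass
class Finding:
    event_id: int
    reason: str
    dll: str
    task: Optional[str] = None


def rundll32_target(cmdline: str):
    """Return (dll_path, export) if cmdline is a rundll32 invocation, else None."""
    m = RUNDLL.search(cmdline)
    if not m:
        return None
    return (m.group("q") or m.group("u")), (m.group("export") or "")


def task_cmdline(task_xml: str) -> str:
    """Flatten the <Exec> action of a 4698 TaskContent blob into 'command arguments'."""
    parts = [p.group(1).strip() for p in (XML_CMD.search(task_xml), XML_ARGS.search(task_xml)) if p]
    return " ".join(parts)


def analyse(events):
    findings = []
    sideloaded = set()
    # Pass 1: rundll32 process creations that load a DLL from a user-writable path.
    for ev in events:
        if ev["EventID"] != 1:
            continue
        target = rundll32_target(ev["CommandLine"])
        if target and USER_WRITABLE.match(target[0]):
            findings.append(Finding(1, "rundll32 loading DLL from user-writable path", target[0]))
            sideloaded.add(target[0].lower())
    # Pass 2: scheduled tasks whose action runs rundll32 on such a DLL (persistence).
    for ev in events:
        if ev["EventID"] != 4698:
            continue
        target = rundll32_target(task_cmdline(ev["TaskContent"]))
        if not target:
            continue
        dll = target[0]
        if dll.lower() in sideloaded:
            findings.append(Finding(4698, "scheduled task re-launches sideloaded DLL", dll, ev["TaskName"]))
        elif USER_WRITABLE.match(dll):
            findings.append(Finding(4698, "scheduled task runs rundll32 on user-writable DLL", dll, ev["TaskName"]))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\MSTeamsSetup.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\ExampleLoader\example_payload.dll,Run"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 4698, "TaskName": r"\ExampleUpdater",
     "TaskContent": "<Exec><Command>rundll32.exe</Command>"
                    r"<Arguments>C:\Users\alice\AppData\Roaming\ExampleLoader\example_payload.dll,Run</Arguments></Exec>"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f)
```

The benign shell32.dll invocation is deliberately in the sample: rundll32.exe itself is a legitimate, signed Windows binary and is launched constantly, so the signal is the DLL's location (and, second, a task that keeps re-running it), not the presence of rundll32 in the process tree.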

Dutch teens arrested for trying to spy on Europol for Russia

Two Dutch teenage boys, aged 17, who reportedly used hacking devices to spy for Russia, were arrested by the Politie on Monday.

BleepingComputer

Quick download risks more than just lost time—a fake Microsoft Teams installer can be a hacker’s gateway. Cyber crooks are using deceptive ads and SEO tricks to sneak malware onto your device. Are you sure you're downloading from a safe source?

https://thedefendopsdiaries.com/how-fake-microsoft-teams-installers-spread-malware-what-you-need-to-know-about-malvertising-and-seo-poisoning/

#malvertising
#seopoisoning
#microsoftteams
#oystermalware
#cybersecurityawareness

Vane Viper = a threat actor that is the adtech platform.
⚠️ 1 trillion DNS queries in a year
⚠️ 60K+ domains tied to fraud + malware
⚠️ Linked to PropellerAds & AdTech Holding
This isn’t “bad ads.” It’s infrastructure-level cybercrime hiding under the guise of digital marketing.
Follow @technadu for continuous threat intel + cybercrime insights.

#Cybersecurity #ThreatIntel #DNS #Malware #Privacy #AdFraud #Malvertising #Infosec

Social networks are increasingly flooded with malicious ads luring the gullible into investing in dubious cryptocurrency platforms. These hijackings of celebrities, TV shows, interviews, … #luxembourg #medias #scams #tactics #malvertising #escroqueries #ads #ai #investments #online #frauds #money #arnaques #threats [ https://infos.rtl.lu/actu/luxembourg/a/2338975.html ]
Scam alert!: A fake "Tagesschau" article with a fake interview of Mariette Zenners

Most people in Luxembourg are harassed almost daily by fake emails, fake contests, or fake letters from the police.

Here’s how potent Atomic credential stealer is finding its way onto Macs https://arstechni.ca/Axzs #credentialstealer #malvertising #Security #Biz&IT #atomic #Apple #MacOS #amos
Here’s how potent Atomic credential stealer is finding its way onto Macs

LastPass warns it’s one of the latest to see its well-known brand impersonated.

Ars Technica

⚠️Researchers expose Vane Viper, a massive malvertising network linked to PropellerAds that posed as legitimate adtech while spreading malware and scams on a global scale. 👀

Read: https://hackread.com/vane-viper-malvertising-adtech-global-scams/

#CyberSecurity #Malvertising #Infoblox #VaneViper

Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams


Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
These are the most dangerous uses of ChatGPT, according to cybersecurity experts

One of the most dangerous and worrying risks is its use for phishing and malvertising. We already know that ChatGPT has become an everyday tool for day-to-day use, both for…

uioLibre