
Fake Microsoft Teams Installers Spread Oyster Malware via Malvertising

Cybersecurity researchers have uncovered a new campaign where hackers use SEO poisoning and malicious ads to spread the Oyster backdoor by disguising it as a Microsoft Teams installer. The campaign lures users searching for “Teams download” to a fake website, teams-install[.]top, which mimics Microsoft’s official site.

Clicking the download link delivers a file named MSTeamsSetup.exe, identical to Microsoft’s legitimate filename, but embedded with malware. To appear credible, attackers code-signed the file with certificates from “4th State Oy” and “NRM NETWORK RISK MANAGEMENT INC.”

When executed, the fake installer drops a malicious CaptureService.dll into the %APPDATA%\Roaming folder. Persistence is achieved by creating a scheduled task named CaptureService, which triggers the DLL every 11 minutes, ensuring the backdoor survives system reboots.
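The host indicators in the two paragraphs above (the signer names on MSTeamsSetup.exe, the dropped CaptureService.dll and the CaptureService scheduled task repeating every 11 minutes) can be checked on an endpoint with a read-only PowerShell hunt. The script below is an added example, not code from the article or from Blackpoint; it assumes the task name, DLL name, interval and certificate subject names exactly as reported, and that a user would have saved the downloaded installer under their Downloads folder. It reports and changes nothing.

```powershell
# Added example (defender's hunt), not code from the article or from Blackpoint.
# Read-only: reports the indicators described in the article and modifies nothing.
# Assumptions: task name, DLL name, 11-minute interval and signer names are taken
# from the article; the Downloads folder is where a user saved MSTeamsSetup.exe.

$TaskName     = 'CaptureService'
$DllName      = 'CaptureService.dll'
$ReportedRate = [TimeSpan]::FromMinutes(11)
$BadSigners   = @('4th State Oy', 'NRM NETWORK RISK MANAGEMENT INC.')

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail, [string]$Note) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail; Note = $Note })
}

# 1. Persistence: a scheduled task named CaptureService that runs a DLL out of AppData.
$tasks = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
foreach ($task in $tasks) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        # Task triggers carry the repetition interval as an ISO 8601 duration, e.g. PT11M.
        $interval = $null
        foreach ($trigger in $task.Triggers) {
            if ($trigger.Repetition -and $trigger.Repetition.Interval) {
                $interval = [System.Xml.XmlConvert]::ToTimeSpan($trigger.Repetition.Interval)
            }
        }
        $note = if ($cmd -match '(?i)\\AppData\\' -and $cmd -match [regex]::Escape($DllName)) {
            'runs the reported DLL from AppData'
        } else {
            'task name matches; action differs from the report, review manually'
        }
        if ($interval -eq $ReportedRate) { $note += '; repeats every 11 minutes as reported' }
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd" $note
    }
}

# 2. Dropped file: CaptureService.dll in the roaming AppData folder. $env:APPDATA already
#    ends in \Roaming; the literal "%APPDATA%\Roaming" path from the article is checked too.
foreach ($dir in @($env:APPDATA, (Join-Path $env:APPDATA 'Roaming'))) {
    $dllPath = Join-Path $dir $DllName
    if (Test-Path -LiteralPath $dllPath) {
        $hash = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
        Add-Finding 'DroppedFile' $dllPath "SHA256 $hash (the article gives no hash; compare with your own intel)"
    }
}

# 3. Lure: an MSTeamsSetup.exe whose Authenticode signer is one of the reported
#    certificates, or any signer other than Microsoft.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -Filter 'MSTeamsSetup.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $hit = $BadSigners | Where-Object { $subject -like "*$_*" }
        if ($hit) {
            Add-Finding 'Installer' $_.FullName "signed with reported certificate '$hit' (status $($sig.Status))"
        } elseif ($subject -notmatch 'Microsoft Corporation') {
            Add-Finding 'Installer' $_.FullName "signer is not Microsoft: $subject (status $($sig.Status))"
        }
    }

if ($findings.Count -eq 0) {
    Write-Output "No indicators from the fake Teams / Oyster report found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in an ordinary user session on the suspect machine (it needs no elevation for the user's own task path and profile; run elevated to enumerate tasks created under other accounts). The task check keys on the name first and then on the action, so a renamed DLL or a different interval still surfaces as "review manually" rather than being silently missed.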

Fake Microsoft Teams installer pushes malware

In a new malvertising and SEO poisoning campaign spotted by Blackpoint SOC, threat actors are promoting a fake site that appears when visitors search for "Teams download."

Image: Malicious Microsoft Teams download site in Bing. Source: Blackpoint

While the ads and domain do not spoof Microsoft's domain

The Oyster malware (also known as Broomstick or CleanUpLoader) has been active since 2023, enabling attackers to execute commands, deploy additional payloads, and exfiltrate data. It has been linked to ransomware groups like Rhysida, often spread via fake installers of popular IT tools like PuTTY and WinSCP.

Image: Fake Microsoft Teams site pushing Oyster malware installer. Source: Blackpoint

Security experts warn that this reflects ongoing abuse of SEO poisoning and malvertising. IT admins are urged to download software only from verified domains and avoid search engine ads to prevent compromise.