Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Fake IT support calls on Microsoft Teams push EtherRAT malware

0
Medium
Malware
Published: 07/06/2026 (07/06/2026, 20:23:45 UTC)
Source: Bleeping Computer

Description

Threat actors are conducting social engineering attacks via Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing EtherRAT malware. The attack starts with a phishing email containing a malicious PDF, followed by a Teams call from an external account posing as IT support. Victims are persuaded to grant remote control and install legitimate remote-access tools, which are then used to deploy a malicious MSI installer that loads EtherRAT. EtherRAT is a Node.js-based remote access trojan that enables attackers to control compromised systems, steal data, and maintain persistence using Ethereum smart contracts for command-and-control. Microsoft has introduced new protections in Teams to help mitigate such attacks. This campaign is actively evolving with multiple malware versions observed.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 20:36:47 UTC

Technical Analysis

This threat involves a multi-stage attack abusing Microsoft Teams voice calls and phishing emails to deliver EtherRAT malware. Attackers send phishing emails with malicious PDFs, then call victims via Teams from external accounts impersonating IT support. They convince victims to grant remote control and install legitimate remote management tools (HopToDesk, AnyDesk). Using these tools, attackers deploy a malicious MSI installer that downloads a Node.js runtime, decrypts payloads, and launches EtherRAT. EtherRAT is a cross-platform remote access trojan written in Node.js that allows full system control, data theft, command execution, and persistence. It uses Ethereum smart contracts to dynamically retrieve its command-and-control server, complicating disruption efforts. The campaign is ongoing with multiple malware versions found on distribution servers. Microsoft has responded by adding external caller warnings and new Teams policies to reduce such attacks.

Potential Impact

Successful exploitation results in attackers gaining initial access to corporate networks via compromised employee systems. EtherRAT provides attackers with full remote control, enabling command execution, file manipulation, data theft, and persistence. The use of legitimate remote management tools and Ethereum smart contracts for C2 complicates detection and mitigation. This can lead to significant data breaches and lateral movement within affected networks.

Mitigation Recommendations

Microsoft has implemented new protections in Teams, including warnings for external callers and chats, and policies to place suspected third-party bots in meeting lobbies for manual approval. Organizations should educate employees to recognize phishing attempts and verify IT support identities independently. Restricting or monitoring remote access tool installations and sessions can reduce risk. Since this is a social engineering attack leveraging legitimate tools, user awareness and strict remote access policies are critical. Patch status is not applicable as this is an attack technique rather than a software vulnerability.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.bleepingcomputer.com/news/security/fake-it-support-calls-on-microsoft-teams-push-etherrat-malware/","fetched":true,"fetchedAt":"2026-07-06T20:36:32.385Z","wordCount":808}

Threat ID: 6a4c11d027e9c797192ecdca

Added to database: 07/06/2026, 20:36:32 UTC

Last enriched: 07/06/2026, 20:36:47 UTC

Last updated: 07/06/2026, 21:38:53 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses