Fake IT support calls on Microsoft Teams push EtherRAT malware
Threat actors are conducting social engineering attacks via Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing EtherRAT malware. The attack starts with a phishing email containing a malicious PDF, followed by a Teams call from an external account posing as IT support. Victims are persuaded to grant remote control and install legitimate remote-access tools, which are then used to deploy a malicious MSI installer that loads EtherRAT. EtherRAT is a Node.js-based remote access trojan that enables attackers to control compromised systems, steal data, and maintain persistence using Ethereum smart contracts for command-and-control. Microsoft has introduced new protections in Teams to help mitigate such attacks. This campaign is actively evolving with multiple malware versions observed.
AI Analysis
Technical Summary
This threat involves a multi-stage attack abusing Microsoft Teams voice calls and phishing emails to deliver EtherRAT malware. Attackers send phishing emails with malicious PDFs, then call victims via Teams from external accounts impersonating IT support. They convince victims to grant remote control and install legitimate remote management tools (HopToDesk, AnyDesk). Using these tools, attackers deploy a malicious MSI installer that downloads a Node.js runtime, decrypts payloads, and launches EtherRAT. EtherRAT is a cross-platform remote access trojan written in Node.js that allows full system control, data theft, command execution, and persistence. It uses Ethereum smart contracts to dynamically retrieve its command-and-control server, complicating disruption efforts. The campaign is ongoing with multiple malware versions found on distribution servers. Microsoft has responded by adding external caller warnings and new Teams policies to reduce such attacks.
Potential Impact
Successful exploitation results in attackers gaining initial access to corporate networks via compromised employee systems. EtherRAT provides attackers with full remote control, enabling command execution, file manipulation, data theft, and persistence. The use of legitimate remote management tools and Ethereum smart contracts for C2 complicates detection and mitigation. This can lead to significant data breaches and lateral movement within affected networks.
Mitigation Recommendations
Microsoft has implemented new protections in Teams, including warnings for external callers and chats, and policies to place suspected third-party bots in meeting lobbies for manual approval. Organizations should educate employees to recognize phishing attempts and verify IT support identities independently. Restricting or monitoring remote access tool installations and sessions can reduce risk. Since this is a social engineering attack leveraging legitimate tools, user awareness and strict remote access policies are critical. Patch status is not applicable as this is an attack technique rather than a software vulnerability.
Fake IT support calls on Microsoft Teams push EtherRAT malware
Description
Threat actors are conducting social engineering attacks via Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing EtherRAT malware. The attack starts with a phishing email containing a malicious PDF, followed by a Teams call from an external account posing as IT support. Victims are persuaded to grant remote control and install legitimate remote-access tools, which are then used to deploy a malicious MSI installer that loads EtherRAT. EtherRAT is a Node.js-based remote access trojan that enables attackers to control compromised systems, steal data, and maintain persistence using Ethereum smart contracts for command-and-control. Microsoft has introduced new protections in Teams to help mitigate such attacks. This campaign is actively evolving with multiple malware versions observed.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a multi-stage attack abusing Microsoft Teams voice calls and phishing emails to deliver EtherRAT malware. Attackers send phishing emails with malicious PDFs, then call victims via Teams from external accounts impersonating IT support. They convince victims to grant remote control and install legitimate remote management tools (HopToDesk, AnyDesk). Using these tools, attackers deploy a malicious MSI installer that downloads a Node.js runtime, decrypts payloads, and launches EtherRAT. EtherRAT is a cross-platform remote access trojan written in Node.js that allows full system control, data theft, command execution, and persistence. It uses Ethereum smart contracts to dynamically retrieve its command-and-control server, complicating disruption efforts. The campaign is ongoing with multiple malware versions found on distribution servers. Microsoft has responded by adding external caller warnings and new Teams policies to reduce such attacks.
Potential Impact
Successful exploitation results in attackers gaining initial access to corporate networks via compromised employee systems. EtherRAT provides attackers with full remote control, enabling command execution, file manipulation, data theft, and persistence. The use of legitimate remote management tools and Ethereum smart contracts for C2 complicates detection and mitigation. This can lead to significant data breaches and lateral movement within affected networks.
Mitigation Recommendations
Microsoft has implemented new protections in Teams, including warnings for external callers and chats, and policies to place suspected third-party bots in meeting lobbies for manual approval. Organizations should educate employees to recognize phishing attempts and verify IT support identities independently. Restricting or monitoring remote access tool installations and sessions can reduce risk. Since this is a social engineering attack leveraging legitimate tools, user awareness and strict remote access policies are critical. Patch status is not applicable as this is an attack technique rather than a software vulnerability.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/fake-it-support-calls-on-microsoft-teams-push-etherrat-malware/","fetched":true,"fetchedAt":"2026-07-06T20:36:32.385Z","wordCount":808}
Threat ID: 6a4c11d027e9c797192ecdca
Added to database: 07/06/2026, 20:36:32 UTC
Last enriched: 07/06/2026, 20:36:47 UTC
Last updated: 07/06/2026, 21:38:53 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.