
Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers

Severity: Medium
Published: Thu Oct 02 2025 (10/02/2025, 10:24:47 UTC)
Source: AlienVault OTX General

Description

A new campaign is distributing the Oyster (Broomstick) backdoor through trojanized Microsoft Teams installers. Threat actors use SEO poisoning and malvertising to steer users searching for the Teams installer to spoofed download sites. The malicious installers deploy a persistent backdoor that gives the operator remote access, gathers system information and supports delivery of additional payloads while evading detection. The tactic mirrors earlier fake PuTTY installer campaigns and continues the trend of abusing trusted software for initial access. The backdoor communicates with attacker-controlled C2 domains and runs its DLL component through the legitimate Windows utility rundll32.exe (described in the source as DLL sideloading) so that the execution blends into normal system activity. Organizations are advised to download software only from verified sources and never to rely on search engine advertisements for installer links.

AI-Powered Analysis

AI analysis last updated: 10/02/2025, 10:28:05 UTC

Technical Analysis

This campaign distributes the Oyster backdoor (also tracked as Broomstick) through trojanized Microsoft Teams installers. The operators use SEO poisoning and malvertising to push spoofed download pages, including lookalike domains such as teams-install.icu and teams-install.top listed in the indicators below, into search results and ad slots for Teams-related queries; a user who clicks one of these results and runs the downloaded installer gets the backdoor. Once running, Oyster establishes persistence, provides remote access to the compromised machine, collects system information and can stage further malicious payloads. Its DLL component is launched through the legitimate Windows utility rundll32.exe, which lets the execution pass as routine system activity. The source describes this as DLL sideloading; strictly, an attacker-supplied DLL started under rundll32.exe is rundll32 proxy execution, whereas sideloading is a legitimate application loading a planted DLL from its search path, and the distinction matters when writing detections because the parent process and DLL path are what stand out. The tactic is reminiscent of earlier campaigns that abused fake PuTTY installers and fits a broader trend of exploiting well-known software downloads for initial access. The backdoor communicates with attacker-controlled command and control (C2) domains to receive tasking and return collected data. Indicators of compromise for the campaign are listed below and include file hashes (MD5, SHA-1 and SHA-256), C2 IP addresses and malicious domains. Initial access relies entirely on social engineering through SEO and malicious ads; no software vulnerability is exploited, so patch level alone does not prevent the initial infection. Organizations are warned to avoid downloading software from unverified sources and to treat search engine advertisements as untrusted, since ad placement can be bought to distribute malware.

Potential Impact

For European organizations, the impact of this threat can be significant. Microsoft Teams is widely used across Europe for communication and collaboration, making it a high-value target for attackers. Successful compromise could lead to unauthorized remote access, data exfiltration, espionage, and lateral movement within corporate networks. The persistence mechanisms and stealthy execution increase the difficulty of detection and removal, potentially allowing attackers to maintain long-term access. This can result in intellectual property theft, disruption of business operations, and reputational damage. Additionally, the campaign’s use of SEO poisoning and malvertising means that even cautious users might be tricked if they rely on search engines or ads to find software downloads. The threat could affect organizations of all sizes, especially those with less mature cybersecurity hygiene or those that do not enforce strict software sourcing policies. Given the backdoor’s capabilities, it could also serve as a foothold for deploying ransomware or other destructive payloads, amplifying the potential damage.

Mitigation Recommendations

1. Enforce strict software procurement policies mandating downloads only from official Microsoft sources or verified vendors; for Teams, that means the Microsoft download page, the Microsoft Store or the organization's own software deployment tooling, never a search result or ad.
2. Educate employees about the risks of downloading software from search engine ads or untrusted websites, emphasizing verification of the URL and of the installer's Authenticode signature (a genuine Microsoft installer is signed by Microsoft Corporation; an unsigned installer or one signed by anyone else should not be run).
3. Implement application allowlisting (for example AppLocker or Windows Defender Application Control) to prevent execution of unauthorized installers and DLLs.
4. Monitor rundll32.exe with endpoint detection and response (EDR), in particular rundll32.exe loading a DLL from a user-writable location such as %APPDATA%, %TEMP% or a Downloads folder, or spawned by a freshly downloaded installer.
5. Use network monitoring to detect communications with the C2 domains and IP addresses listed below and in threat intelligence feeds; infrastructure rotates quickly, so treat the listed indicators as a starting point and also alert on DNS lookups for newly registered lookalike domains containing "teams".
6. Regularly update and patch systems to reduce attack surface, even though this threat does not exploit software vulnerabilities directly.
7. Deploy DNS filtering and ad-blocking solutions to reduce exposure to malvertising and malicious domains.
8. Conduct phishing and social engineering awareness training focused on SEO poisoning and malvertising tactics.
9. Maintain robust incident response plans to quickly isolate and remediate infected systems.
10. Leverage threat intelligence sharing platforms to stay updated on emerging indicators and tactics related to this campaign.
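As an added example (not code from this page, the OTX pulse, or the Blackpoint report it references), the Python script below implements the two detection items above over constructed sample records: it flags rundll32.exe process-creation events that load a DLL from a user-writable directory, and it matches DNS log lines against the domain and IP indicators listed in this page's IoC table. The process events use Sysmon Event ID 1 field names (Image, CommandLine, ParentImage); the DNS log is an assumed key=value layout rather than any product's schema; the installer file name, user name and client and answer IP addresses in the sample data are constructed, and only the indicator values come from the page.

```python
"""Added example: detection logic for the rundll32 and C2-indicator items in
the mitigation list. Not code from the original page or the Blackpoint report.
Sample telemetry below is constructed; process events use Sysmon Event ID 1
field names and the DNS log is an assumed key=value format."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Indicators copied from the page's IoC table.
IOC_DOMAINS = {
    "maddeehot.online", "nickbush24.com", "teams-install.icu",
    "teams-install.top", "techwisenetwork.com",
    "server-na-qc2.farsafe.net", "team.frywow.com",
}
IOC_IPS = {"185.28.119.228", "45.66.248.112", "54.39.83.187"}

# Directories a standard user can write to. A DLL that rundll32.exe loads from
# one of these deserves triage; one under Program Files or System32 usually not.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\programdata\\", "\\users\\public\\")

# First absolute Windows path ending in .dll on a command line: either quoted
# (may contain spaces) or unquoted (stops at whitespace or at the comma that
# precedes the export name in rundll32 syntax).
DLL_ARG = re.compile(r'"([a-z]:\\[^"]*?\.dll)"|([a-z]:\\[^",\s]*?\.dll)', re.I)

LOG_KV = re.compile(r"(\w+)=(\S+)")


def suspicious_rundll32(event: dict) -> str | None:
    """Return a reason if a process-creation event shows rundll32.exe loading a
    DLL from a user-writable directory, otherwise None."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "rundll32.exe":
        return None
    m = DLL_ARG.search(event.get("CommandLine", ""))
    if not m:
        return None  # no absolute DLL path given; out of scope for this check
    dll = m.group(1) or m.group(2)
    if any(marker in dll.lower() for marker in USER_WRITABLE):
        return f"rundll32.exe loaded {dll} from a user-writable directory"
    return None


def ioc_hits(line: str) -> list[str]:
    """Return the page's indicators matched by one key=value DNS log line.
    Domains match exactly or as a parent of the queried name (so
    cdn.teams-install.icu matches teams-install.icu, while farsafe.net alone
    does not match server-na-qc2.farsafe.net); IPs match exactly."""
    fields = dict(LOG_KV.findall(line))
    qname = fields.get("query", "").rstrip(".").lower()
    hits = [d for d in IOC_DOMAINS if qname == d or qname.endswith("." + d)]
    hits += [fields[k] for k in ("answer", "dst") if fields.get(k) in IOC_IPS]
    return hits


def triage(events: list[dict], dns_lines: list[str]) -> list[tuple[str, str, str]]:
    """Run both checks and return (check, detail, context) findings."""
    findings = []
    for ev in events:
        why = suspicious_rundll32(ev)
        if why:
            findings.append(("rundll32", why, ev.get("ParentImage", "")))
    for line in dns_lines:
        for ioc in ioc_hits(line):
            findings.append(("ioc", ioc, line))
    return findings


# Constructed sample telemetry. The installer file name, user name and IPs are
# assumptions; only the indicator values come from the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Roaming\Update\helper.dll",Entry',
     "ParentImage": r"C:\Users\alice\Downloads\TeamsSetup.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",  # benign: DLL lives in System32
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # not rundll32 at all
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_DNS = [
    "ts=2025-10-02T09:14:03Z client=10.20.1.15 query=teams-install.top. type=A answer=185.28.119.228",
    "ts=2025-10-02T09:14:09Z client=10.20.1.15 query=cdn.teams-install.icu type=A answer=45.66.248.112",
    "ts=2025-10-02T09:15:00Z client=10.20.1.22 query=teams.microsoft.com type=A answer=203.0.113.10",
]

if __name__ == "__main__":
    for check, detail, context in triage(SAMPLE_EVENTS, SAMPLE_DNS):
        print(f"[{check}] {detail}  <- {context}")
```

Run against real telemetry by replacing the two sample lists with records exported from your EDR and DNS logs in the same shape. The rundll32 check is deliberately narrow (absolute DLL path in a user-writable directory); a second, noisier rule keyed on the parent being a recently downloaded executable is the natural companion, and the IP and domain lists should be refreshed from the feed rather than hard-coded in production.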


Technical Details

Author
AlienVault
TLP
white
References
["https://blackpointcyber.com/blog/malicious-teams-installers-drop-oyster-malware/"]
Adversary
null
Pulse Id
68de52ef382d67c8bdc97094
Threat Score
null

Indicators of Compromise

Hash (algorithm inferred from digest length)

MD5      d28b4136a7e6148de5c26a055c711f4f
MD5      d5ecd8120b6a107513b9871ec0475ace
SHA-1    8d8ceba1b31f4ace5a9c44225014d3947fbf205a
SHA-1    e7f8da0b97f4207738ce895ef15be4133122b307
SHA-256  90b633cacfa185dd912a945f370e14191644ecff1300dbce72e2477171753396
SHA-256  9dc86863e3188912c3816e8ba21eda939107b8823f1afc190c466a7d5ca708d1
SHA-256  ac5065a351313cc522ab6004b98578a2704d2f636fc2ca78764ab239f4f594a3
SHA-256  d46bd618ffe30edea56561462b50eb23feb4b253316e16008d99abb4b3d48a02
SHA-256  d47f28bf33f5f6ee348f465aabbfff606a0feddb1fb4bd375b282ba1b818ce9a

IP

185.28.119.228
45.66.248.112
54.39.83.187

Domain

maddeehot.online
nickbush24.com
teams-install.icu
teams-install.top
techwisenetwork.com
server-na-qc2.farsafe.net
team.frywow.com

Threat ID: 68de53a267ab0ec8fec2bb4d

Added to database: 10/2/2025, 10:27:46 AM

Last enriched: 10/2/2025, 10:28:05 AM

Last updated: 10/2/2025, 3:20:31 PM

