Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A new campaign is distributing the Oyster (Broomstick) backdoor through trojanized Microsoft Teams installers. Threat actors are using SEO poisoning and malvertising to trick users into downloading fake installers from spoofed websites. The malicious installers deploy a persistent backdoor that enables remote access, gathers system information, and supports additional payload delivery while evading detection. This tactic mirrors earlier fake PuTTY campaigns, showing a trend of abusing trusted software for initial access. The backdoor communicates with attacker-controlled C2 domains and uses DLL sideloading via rundll32.exe for stealthy execution. Organizations are advised to download software only from verified sources and avoid relying on search engine advertisements.
OPENCTI LABELS :
malvertising,seo poisoning,persistence,dll sideloading,microsoft teams,c2 communication,oyster,broomstick,oyster backdoor,trojanized installer
AI COMMENTARY :
1. In recent weeks, security researchers have uncovered a sophisticated campaign in which threat actors leverage SEO poisoning and malvertising to distribute trojanized Microsoft Teams installers. By manipulating search engine results and placing malicious ads on reputable websites, attackers have successfully lured unsuspecting users to spoofed download pages that mimic the official Microsoft Teams site. This ongoing operation has been christened the Oyster or Broomstick backdoor campaign, a testament to the stealth and persistence these adversaries employ to evade detection.
2. The campaign operates by first crafting SEO-optimized content and purchasing search engine advertisements that rank high for queries related to Microsoft Teams. Users searching for the collaboration platform encounter these poisoned search results or ads that appear legitimate, only to download installers embedded with the Oyster backdoor. Once executed, the trojanized installer gains a foothold on the target system, establishing a persistent presence that can survive reboots and resist common security measures.
3. The Oyster backdoor exhibits advanced capabilities designed to maintain long-term access and facilitate further attacks. After installation, it collects detailed system information—such as hardware configuration, installed software, and network parameters—and exfiltrates this data over attacker-controlled C2 communication channels. Leveraging this reconnaissance, operators can tailor additional payloads or escalate privileges on compromised endpoints, turning a single trojanized Teams installer into a gateway for deeper network infiltration.
4. To maximize stealth, the malicious installer employs DLL sideloading via rundll32.exe, a technique that abuses a legitimate Windows binary to execute the backdoor’s payload. By placing a malicious DLL in a folder alongside rundll32.exe or another trusted executable, the backdoor avoids writing suspicious processes or registry entries, reducing the likelihood of detection by endpoint defenses. This use of DLL sideloading underscores the attackers’ emphasis on blending in with normal system activity.
5. Security analysts note that this Oyster campaign mirrors earlier fake PuTTY distribution schemes, where adversaries trojanized a widely used SSH client to deploy remote access tools. Both operations highlight a troubling trend: abusing trusted software to bypass initial access hurdles. By piggybacking on the brand recognition and perceived safety of popular applications, threat actors can exploit user trust and security inertia to gain entry into corporate networks.
6. Organizations can defend against such threats by restricting software downloads to verified vendor portals and employing threat intelligence feeds to flag malvertising domains. User education on the risks of relying on search engine advertisements for critical software downloads is equally vital. Rapid patching of endpoint security solutions and monitoring for anomalous rundll32.exe executions can further disrupt C2 communication and thwart the persistence mechanisms of the Oyster backdoor. Staying vigilant against SEO poisoning and trojanized installers remains a critical component of a robust cybersecurity posture.
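As an added example (not code from this report or from any vendor tool), the following Python applies the monitoring advice above to constructed Sysmon-style process-creation records: a rundll32.exe launch whose DLL argument lies outside trusted system directories is flagged, and escalated when the DLL or the parent installer sits in a user-writable location such as Downloads or AppData. The field names, sample paths and the trusted-directory list are assumptions, not indicators from the report.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Directories a legitimately invoked rundll32 DLL is normally loaded from (assumed list).
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
)
# User-writable locations where a downloaded installer typically drops its payload.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")
# First Windows path ending in .dll on the command line, quoted or not.
DLL_ARG = re.compile(r'"?([a-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)

def dll_path_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the lower-cased DLL path rundll32 was asked to load, if any."""
    m = DLL_ARG.search(cmdline)
    return m.group(1).lower() if m else None

def classify(event: dict) -> Optional[str]:
    """Severity for one Sysmon-style process-creation record: 'high', 'medium' or None."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "rundll32.exe":
        return None
    dll = dll_path_from_cmdline(event.get("CommandLine", ""))
    if dll is None or dll.startswith(TRUSTED_DLL_DIRS):
        return None  # ordinary rundll32 use of a system or vendor DLL
    parent = event.get("ParentImage", "").lower()
    if any(m in parent for m in USER_WRITABLE_MARKERS) or any(m in dll for m in USER_WRITABLE_MARKERS):
        return "high"  # installer or DLL in a user-writable path: the sideloading pattern
    return "medium"  # DLL outside trusted dirs; review its vendor and signature

def scan(events: list) -> list:
    """Return (index, severity) for every record that deserves analyst attention."""
    return [(i, sev) for i, e in enumerate(events) if (sev := classify(e))]

# Constructed sample records; not telemetry from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Roaming\TeamsHelper\update.dll",DllRegisterServer'},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\SomeVendor\helper.dll,Start"},
]
```

Running scan(SAMPLE_EVENTS) returns [(1, 'high'), (2, 'medium')]: the stock shell32.dll launch is ignored, the Downloads-spawned installer loading a DLL from AppData is flagged high, and the ProgramData DLL is queued for review.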