Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
A new campaign is distributing the Oyster (Broomstick) backdoor through trojanized Microsoft Teams installers. Threat actors are using SEO poisoning and malvertising to trick users into downloading fake installers from spoofed websites. The malicious installers deploy a persistent backdoor that enables remote access, gathers system information, and supports additional payload delivery while evading detection. This tactic mirrors earlier fake PuTTY campaigns, showing a trend of abusing trusted software for initial access. The backdoor communicates with attacker-controlled C2 domains and uses DLL sideloading via rundll32.exe for stealthy execution. Organizations are advised to download software only from verified sources and avoid relying on search engine advertisements.
OPENCTI LABELS:
dll sideloading, persistence, seo poisoning, broomstick, trojanized installer, oyster backdoor, oyster, microsoft teams, c2 communication, malvertising
AI COMMENTARY:
1. In recent weeks, security researchers have observed a sophisticated campaign in which threat actors leverage SEO poisoning and malvertising to distribute trojanized Microsoft Teams installers. The operators behind this operation have dubbed their implant Oyster or Broomstick and are using spoofed websites that appear in search engine results or in paid ads. Unsuspecting users who click on these links download what they believe to be legitimate Teams setup files, but in reality the files carry a backdoor payload designed for long-term access.
2. The initial infection vector relies on carefully crafted search engine poisoning techniques that elevate malicious landing pages in organic search results. Complementing this tactic, attackers purchase space in search engine advertisements to further boost the visibility of fake installer sites. By abusing the trust that organizations place in Microsoft Teams as a communication platform, the threat actors increase the likelihood that employees will install the trojanized setup without suspecting foul play.
3. Once the malicious installer is executed, it employs DLL sideloading via rundll32.exe to covertly load the Oyster backdoor into memory. This technique lets the backdoor masquerade as legitimate DLL code while avoiding common antivirus and endpoint detection rules. Following successful execution, the malware gathers system information, including host identifiers and network configuration, then establishes encrypted C2 communication channels with attacker-controlled domains and awaits further instructions.
4. To maintain persistence and evade detection, the Broomstick payload modifies registry keys and schedules tasks that relaunch rundll32.exe with the backdoor DLL on each system startup. This ensures the implant remains active even after reboots or manual closures. The campaign also exhibits a modular design that supports dynamic loading of additional payloads, allowing the threat actors to deploy secondary tools for data exfiltration or lateral movement once inside the network.
5. The exploitation of trusted software installers echoes earlier campaigns that trojanized PuTTY distribution files, demonstrating a growing trend of abusing common utilities and collaboration platforms. Indicators of compromise include network traffic to obscure C2 domains, unexpected rundll32.exe processes executing non-Microsoft DLLs, and altered startup registry entries pointing to suspect file paths. Security teams should monitor these hallmarks closely and cross-reference them with threat intelligence feeds to detect signs of intrusion.
6. Organizations can mitigate the risk of this attack by enforcing strict software supply chain controls and by instructing users to obtain Microsoft Teams installers only from official vendor portals. Disabling or filtering search engine advertisements for high-risk categories and implementing robust network security monitoring are additional measures that can reduce exposure. By combining user awareness training with technical safeguards, defenders can disrupt the SEO poisoning and malvertising tactics that enable the distribution of the Oyster backdoor.
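The hallmarks listed in paragraphs 3 to 5 (rundll32.exe loading a DLL from outside trusted system directories, and Run-key persistence re-launching that DLL) can be turned into a simple host-telemetry check. The following is an added detection example, not code from the report or from OpenCTI; the event records are constructed Sysmon-style samples (process create and registry value set), and the "TeamsSetup\CustomActions.dll" path is an assumed placeholder, not an indicator from the campaign.

```python
import re

# Constructed sample telemetry (not from the report), shaped like Sysmon
# Process Create (EID 1) and Registry Value Set (EID 13) events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\TeamsSetup\CustomActions.dll,Verify"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\TeamsUpdate",
     "value": r"rundll32.exe C:\Users\alice\AppData\Roaming\TeamsSetup\CustomActions.dll,Verify"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# Extract the DLL path passed to rundll32 (quoted or unquoted), up to the comma
# that separates it from the exported function name.
DLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,', re.IGNORECASE)

# Directories from which Microsoft-signed DLLs are normally loaded; anything
# else (user profiles, temp, downloads) is treated as untrusted.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def dll_from_cmdline(cmdline):
    m = DLL_ARG.search(cmdline)
    return m.group(1) if m else None


def is_untrusted_path(path):
    return not path.lower().startswith(TRUSTED_DIRS)


def analyze(events):
    """Return (rule_name, dll_path) findings for the two hallmarks."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("\\rundll32.exe"):
            dll = dll_from_cmdline(ev["cmdline"])
            if dll and is_untrusted_path(dll):
                findings.append(("rundll32_untrusted_dll", dll))
        elif ev["type"] == "registry" and "\\currentversion\\run\\" in ev["key"].lower():
            dll = dll_from_cmdline(ev["value"])
            if dll and is_untrusted_path(dll):
                findings.append(("run_key_rundll32_persistence", dll))
    return findings


if __name__ == "__main__":
    for rule, dll in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {dll}")
```

Only the two events that point rundll32.exe at a DLL under the user profile are flagged; the legitimate shell32.dll invocation and the non-rundll32 Run entry pass.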