Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Teams Abused to Deploy EtherRAT Malware via Fake IT Support Calls

Laptop screen displays Microsoft Teams call on a home office desk with a phone and headset nearby.
Unit 42 found an open directory on a distribution server containing multiple versions (v1 through v9) of EtherRAT installers, a sign the campaign is actively being developed.

How the operation begins: "Employee Survey" and a Teams call

The intrusion chain documented by Palo Alto Networks' Unit 42 starts with a targeted phishing email that carries an "Employee Survey" lure and a malicious PDF attachment. Shortly after a victim opens the document, the attackers place a Microsoft Teams voice call from an external account impersonating a "System Administrator." Audit logs reviewed by Unit 42 show the external chat was initiated from helpdesk@Progressive936.onmicrosoft[.]com. The Teams session displayed the "External unfamiliar" label, a clear indicator the caller belonged to a different Microsoft 365 tenant than the recipient.

Remote-control ruse: Teams screen sharing, HopToDesk and AnyDesk

Once contact is made, the attackers rely on social engineering through Microsoft Teams' built-in screen-sharing and remote-control features. Unit 42 observed the threat actors convincing victims to grant remote control and then guiding them to install legitimate remote-access tools—specifically HopToDesk and AnyDesk—to extend access beyond the Teams session. Those legitimate tools are used as stepping stones to deploy a malicious installer under the guise of normal IT support activity.

v7.msi, Node.js runtime, and EtherRAT deployment

After remote access is established, the adversary downloads and executes a malicious MSI installer named v7.msi from camorreado[.]click. According to Unit 42, the MSI functions as a loader: it downloads a legitimate Node.js runtime, decrypts embedded payloads, and ultimately launches EtherRAT. EtherRAT is a cross-platform remote-access trojan written in Node.js that grants operators full control over compromised systems. The malware can execute commands, manipulate files, steal data and maintain persistence.

Why EtherRAT is hard to disrupt: Ethereum smart contracts and active development

Unit 42 highlights two factors that complicate disruption. First, EtherRAT has an unconventional command-and-control mechanism that uses Ethereum smart contracts to retrieve its active C2 server, raising the bar for takedowns or sinkholing. Second, the discovery of multiple installer versions (v1 through v9) in an open distribution directory indicates ongoing development and iteration of the campaign's tooling and deployment techniques.

Context inside Microsoft Teams abuse: recent incidents and vendor responses

The Unit 42 findings fit a broader pattern of threat actors abusing Microsoft Teams to obtain initial access. In March, a separate campaign targeted financial and healthcare organizations by flooding victims' inboxes with spam and then contacting them via Teams while posing as IT staff, tricking victims into launching Quick Assist sessions that led to deployment of A0Backdoor. A month later, Microsoft warned attackers were increasingly abusing external Microsoft Teams to impersonate helpdesk personnel, gain remote access, perform reconnaissance, move laterally and steal data.

Microsoft has introduced staged defenses in response. Earlier this year the company added warnings that identify external callers and chats to help users spot potential phishing and vishing attempts. Last week Microsoft added a new Teams administrator policy that automatically places suspected third‑party bots into the meeting lobby until organizers manually approve admission.

What this means for security teams, enterprise IT, and end users

  • Security teams: The use of legitimate remote-access tools plus a Node.js loader that fetches a runtime and decrypted payloads means detection needs to cover installer execution chains, unusual Node.js runtime behavior, and calls to external distribution URLs such as camorreado[.]click. The persistence and C2 retrieval via Ethereum smart contracts complicate response playbooks.
  • Enterprise IT: The campaign demonstrates the value of tenant-bound controls and user-facing signals; the "External unfamiliar" label and Microsoft's added warnings and lobby policy are practical mitigations. IT should verify administrative communication channels and reinforce procedures for helpdesk interactions that involve remote-control requests.
  • End users: Social engineering remains the tipping point. Users should treat unsolicited Teams calls that ask for screen control or installation of remote tools with suspicion, even when the caller claims to be "System Administrator," and confirm such requests through separate, established channels before proceeding.

Unit 42's report shows a deliberate, multi-stage social-engineering campaign that blends conventional phishing, voice-based impersonation inside a collaboration platform, legitimate remote-management software and a bespoke Node.js loader to deliver a persistent, cross-platform RAT. The open directory with multiple installer versions and the use of blockchain-based C2 retrieval point to an agile adversary refining both delivery and resilience. As Microsoft layers platform warnings and administrative policies, defenders and users face an operational question: can procedural verification and expanded detection keep pace with threat actors who combine voice deception and legitimate administration tools?

Original report: https://www.bleepingcomputer.com/news/security/fake-it-support-calls-on-microsoft-teams-push-etherrat-malware/