This week, we briefed our clients on a fake Microsoft Teams malware campaign that lures users to spoofed download sites with malvertising & SEO poisoning.
KEY TAKEAWAYS
Fake MS Teams malware campaign delivering Oyster backdoor. Learn how to protect your organization against these threats.
Shields up – Increased scanning activity against Palo Alto Networks devices.
Fake software downloads continue to be one of the most pervasive threats facing organizations today. In recent months, we have covered fake updates by SocGholish and fake PDF software distributing infostealers. In late September, researchers at Blackpoint detailed a new campaign that distributes fake Microsoft Teams installers carrying malware known as the Oyster backdoor.
The malware campaign leverages malvertising and SEO poisoning to boost its rankings in search engines. When a user searches for something as innocuous as "Microsoft Teams download", oftentimes they will be served malicious links in the search results that direct the user to the fake download sites.
Fig. 1 – Malicious search result (Source: Blackpoint)
When the user visits the malicious link, they are taken to a spoofed site that looks like a legitimate Microsoft download page and are prompted to download the fake "MSTeamsSetup.exe" file. Once run, this file places a malicious DLL, "CaptureService.dll", in a randomly named folder in the %APPDATA%\Roaming path and then creates a scheduled task named "CaptureService" that regularly invokes the DLL, giving the malware persistence on the compromised host.
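A hunt over scheduled-task definitions, written here as an added illustration rather than the PacketWatch or CrowdStrike hunts from the Appendix: it flags the "CaptureService" task and DLL names from the report, and also any task that runs a DLL out of a per-user AppData folder, so renamed variants are caught too. The task XML samples, the rundll32 invocation and the folder names are constructed for the example; the page does not state how the task loads the DLL.

```python
# Added illustration (not PacketWatch's appendix hunt): flag scheduled tasks
# that look like the fake-Teams persistence. Input is the task XML Windows keeps
# under %SystemRoot%\System32\Tasks and embeds in Security event 4698.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
IOC_TASK_NAMES = {"captureservice"}      # task name reported on the page
IOC_DLL_NAMES = {"captureservice.dll"}   # DLL name reported on the page
# Any DLL run out of a per-user AppData folder is worth review: a genuine Teams
# install does not persist that way, so this also catches renamed variants.
APPDATA_DLL = re.compile(r'(%appdata%|\\appdata\\(roaming|local))\\[^"]*?\.dll', re.I)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def assess_task(task_name: str, task_xml: str) -> list[str]:
    """Return the reasons a task looks like Oyster persistence (empty = clean)."""
    reasons = []
    if task_name.strip("\\").lower() in IOC_TASK_NAMES:
        reasons.append(f"task name matches IOC: {task_name}")
    # Event 4698 keeps the encoding="UTF-16" declaration even once the content
    # is already text; expat rejects that on str input, so strip it first.
    root = ET.fromstring(XML_DECL.sub("", task_xml, count=1))
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        line = f"{cmd} {args}".strip()
        if any(n in line.lower() for n in IOC_DLL_NAMES):
            reasons.append(f"action references IOC DLL: {line}")
        elif APPDATA_DLL.search(line):
            reasons.append(f"action loads a DLL from AppData: {line}")
    return reasons

def make_task_xml(command: str, arguments: str) -> str:
    """Constructed stand-in for a task definition as schtasks would write it."""
    return (f'<?xml version="1.0" encoding="UTF-16"?>\n<Task xmlns="{NS["t"]}">'
            f"<Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

# Constructed samples, task name -> (command, arguments): the reported names,
# a renamed variant in a random AppData folder, and a benign vendor updater.
SAMPLES = {
    "\\CaptureService": ("rundll32.exe", r"C:\Users\jdoe\AppData\Roaming\xk9q2\CaptureService.dll,DllRegisterServer"),
    "\\WindowsUpdateCheck": ("rundll32.exe", r"%APPDATA%\q7m1\svc.dll,Start"),
    "\\VendorUpdater": (r'"C:\Program Files\Vendor\Updater.exe"', "/check"),
}

def hunt(samples=SAMPLES) -> dict[str, list[str]]:
    """Assess every task definition and return only those with findings."""
    return {name: r for name, (cmd, args) in samples.items()
            if (r := assess_task(name, make_task_xml(cmd, args)))}
```

On a live host the same logic can be fed the files under %SystemRoot%\System32\Tasks or the TaskContent field of event 4698 instead of the constructed samples.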
A Widespread Campaign
Using Validin to pivot off certain website metadata attributes, we can see a fairly comprehensive timeline of this campaign. The same website attributes were first used in January 2025 on the site microsoft-msteams[.]com. This site was attributed in April to a ClickFix campaign that ultimately led to Interlock ransomware distribution. Then, in early May, several other sites using the same attributes were created, also leveraging Microsoft Teams-related domains. As the graph below shows, the campaign has steadily added more fake sites throughout the summer and into October.
Fig. 2 – Fake Teams download site distribution timeline (Source: Validin)
How to Protect Your Organization
There are several steps organizations can take to detect and prevent these types of attacks:
See the Appendix below for PacketWatch and CrowdStrike hunts to detect this threat.
Resources:
Over the weekend, researchers at GreyNoise reported a 500% increase in scanning activity against Palo Alto Networks login portals. On October 5th, they clarified that they have so far found no evidence of compromise from the scanning activity. However, while this is not always an indicator of a future attack, there has been strong historical correlation of increased scanning activity preceding a 0-day or N-day attack. Just last month, GreyNoise reported an increase in scanning activity of Cisco ASA devices, and two weeks later there were reports of two 0-days in those devices being actively exploited.
Administrators should ensure all Palo Alto edge devices are fully patched and restrict the management interface to only explicitly allowed IP addresses. This helps reduce the attack surface in the case of a 0-day. In the coming days, monitor Palo Alto edge devices for any sign of suspicious activity such as new account creation or suspicious logons.
Resources:
https://www.bleepingcomputer.com/news/security/massive-surge-in-scans-targeting-palo-alto-networks-login-portals/
https://www.bleepingcomputer.com/news/security/surge-in-networks-scans-targeting-cisco-asa-devices-raise-concerns/
https://www.bleepingcomputer.com/news/security/cisco-warns-of-asa-firewall-zero-days-exploited-in-attacks/
Vulnerability Roundup
Oracle has released a patch for what is believed to be a 0-day vulnerability in their E-Business Suite. The vulnerability, tracked as CVE-2025-61882, can be exploited over a network without the need for a username or password and can lead to remote code execution. Affected Oracle E-Business Suite versions are 12.2.3-12.2.14. This vulnerability has also been tied to the recent data theft and extortion campaign from Cl0p. Victims of this campaign are sent emails from Cl0p claiming to have breached the victim's Oracle E-Business Suite environment. Oracle published IOCs in their CVE disclosure. See Appendix B for the PacketWatch query.
Cisco released fixes for two vulnerabilities in their Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices that are under active exploitation. The first vulnerability, tracked as CVE-2025-20333, allows authenticated remote attackers to execute arbitrary code. The second vulnerability, tracked as CVE-2025-20362, enables remote attackers to access restricted URL endpoints without authentication. Administrators are strongly encouraged to apply the patches as soon as possible. The Cisco advisories linked below provide patch links and guidance on determining whether a device is vulnerable.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
https://www.bleepingcomputer.com/news/security/cisco-warns-of-asa-firewall-zero-days-exploited-in-attacks/
CISA recently added a vulnerability in sudo to their Known Exploited Vulnerabilities catalog. The sudo command ("superuser do") is used in Unix-like operating systems to let users run programs or commands with the security privileges of another user, typically root. Users or groups granted sudo permissions are typically listed in the "sudoers" file. This vulnerability, tracked as CVE-2025-32463, allows an attacker to use sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the "sudoers" file. This vulnerability affects sudo versions 1.9.14 through 1.9.17. Administrators are urged to patch as soon as possible.
Researchers at Trend Micro Zero Day Initiative reported a critical vulnerability in SolarWinds Web Help Desk. Tracked as CVE-2025-26399, this critical vulnerability allows an unauthenticated attacker to run commands on the host machine. The vulnerability affects the latest version, 12.8.7. It should also be noted that this CVE is a bypass of a previous patch for CVE-2024-28988, which was a fix for a patch bypass of CVE-2024-28986. A hotfix that addresses this vulnerability has been issued by SolarWinds. Please visit the SolarWinds Documentation page here for guidance on applying the hotfix.
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.