Threat actors are impersonating corporate IT support staff in Microsoft Teams voice calls to trick employees into granting remote access and installing the EtherRAT remote access trojan. The campaign begins with a phishing email themed as an "Employee Survey", then shifts to a Teams call from an external Microsoft 365 tenant, where the caller poses as helpdesk or system administration staff and persuades the target to enable screen sharing and install legitimate remote management tools such as HopToDesk or AnyDesk. Attackers then execute a malicious MSI installer, including samples such as v7.msi, to deploy a multi-stage loader that fetches a legitimate Node.js runtime, decrypts embedded payloads, and launches EtherRAT.
Researchers said EtherRAT is a cross-platform Node.js RAT for Windows, Linux, and macOS that supports command execution, file manipulation, persistence, and data theft. The malware uses Ethereum smart contracts to locate active command-and-control infrastructure, with some reporting also noting a fallback conventional domain, making disruption more difficult. Investigators found multiple installer versions in an open directory, including versions 1 through 9, indicating active development, and identified Teams forensic artifacts such as files beginning with CtrlVirtualCursorWin_* that may show an attacker remotely controlled a victim's desktop during a session. The activity adds to a broader rise in Teams-based impersonation attacks, even as Microsoft rolls out protections such as external caller warnings and stricter handling of suspected third-party bots.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft added Teams security measures including warnings for external callers and a policy to hold suspected third-party bots in the meeting lobby. The protections were noted in the context of the broader rise in Teams-based intrusion campaigns.
Reporting on the campaign revealed that EtherRAT is a cross-platform Node.js RAT with command execution, file manipulation, persistence, and data theft capabilities, and that it uses Ethereum smart contracts to locate active command-and-control infrastructure. Researchers also identified Teams forensic artifacts such as files beginning with 'CtrlVirtualCursorWin_*' that may indicate attacker control during remote sessions.
Threat actors conducted a social-engineering campaign that began with an 'Employee Survey' phishing lure and escalated to Microsoft Teams calls from external Microsoft 365 tenants impersonating IT support. After gaining trust, the attackers had victims install HopToDesk or AnyDesk and then executed a malicious MSI loader that deployed the Node.js-based EtherRAT malware.
Researchers found an open directory hosting multiple EtherRAT installer versions, indicating the malware and delivery chain were under active development. One reference states the updates in that directory were as recent as June 26.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourcetheregister.com
Open sourcecsoonline.com
Open sourcebleepingcomputer.com
Open sourcegithub.com
Open sourcehunters.security
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.