Oyster Malware Distributed Through Fake Microsoft Teams Installers
Security researchers at Blackpoint SOC have uncovered a new malvertising and SEO poisoning campaign targeting users searching for Microsoft Teams.
🔍 What’s Happening
- Threat actors run malicious ads leading to a fake site (teams-install[.]top) posing as Microsoft’s Teams download portal.
- Downloaded file: MSTeamsSetup.exe (same name as the official installer).
- Signed with certificates from 4th State Oy and NRM Network Risk Management Inc to appear legitimate.
- Drops CaptureService.dll into %APPDATA%\Roaming.
- Creates a scheduled task (“CaptureService”) to reload every 11 minutes, ensuring persistence.
🦠 The Oyster Malware
Known as Broomstick / CleanUpLoader, Oyster provides attackers with:
- Remote command execution
- Payload delivery
- File transfer capabilities
- Initial access for ransomware operators like Rhysida
📌 Why It Matters
This campaign continues a dangerous trend: abusing search ads and SEO poisoning to spread commodity malware under the guise of trusted tools. Fake installers for Chrome, PuTTY, and WinSCP have already been observed in similar campaigns.
🔐 Security Recommendations
- Admins: Always download Teams and other IT tools from verified domains (e.g., microsoft.com).
- Avoid clicking search engine ads, which are increasingly exploited by threat actors.
- Monitor for suspicious scheduled tasks or unknown DLLs in %APPDATA%.
- Educate staff on risks of malvertising.
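The two monitoring points above (short-interval scheduled tasks and DLLs under %APPDATA%) can be checked on a single endpoint with the script below. It is an added example written for this post, not code from Blackpoint SOC or from the campaign itself; the 15-minute interval threshold and the publisher allow-list are assumptions to be tuned for your environment.

```powershell
# Added hunt script (not from the Blackpoint write-up). Two checks:
#  1. scheduled tasks whose action runs something from the user's AppData tree
#     and repeats on a short interval (Oyster's task re-ran every 11 minutes);
#  2. DLLs under %APPDATA% that are unsigned or signed by a publisher outside an allow-list.
# Assumptions: the 15-minute threshold and the allow-list below are placeholders to tune.

$MaxIntervalMinutes = 15
$TrustedSigners     = @('CN=Microsoft Corporation', 'CN=Microsoft Windows')   # assumption: extend for your fleet

function Convert-Iso8601Interval {
    # Task triggers express repetition as ISO 8601 durations, e.g. PT11M or PT1H.
    param([string]$Interval)
    if ([string]::IsNullOrEmpty($Interval)) { return $null }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($Interval) } catch { return $null }
}

$suspiciousTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe     = [string]$action.Execute      # empty for non-exec (COM handler) actions
        $argStr  = [string]$action.Arguments
        # Loading a DLL from AppData (e.g. via rundll32/regsvr32) is the persistence pattern described above
        if (("$exe $argStr") -notmatch '\\AppData\\') { continue }
        foreach ($trigger in $task.Triggers) {
            $span = Convert-Iso8601Interval $trigger.Repetition.Interval
            if ($span -and $span.TotalMinutes -le $MaxIntervalMinutes) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = ("$exe $argStr").Trim()
                    Interval = $trigger.Repetition.Interval
                }
            }
        }
    }
}

$suspiciousDlls = Get-ChildItem -Path $env:APPDATA -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $trusted = $false
        foreach ($t in $TrustedSigners) { if ($signer -like "*$t*") { $trusted = $true } }
        # A valid signature alone is not enough: the campaign's installer carried valid certificates.
        if ($sig.Status -ne 'Valid' -or -not $trusted) {
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status
                Signer = $signer
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

"Scheduled tasks repeating every <= $MaxIntervalMinutes min with a command under AppData:"
$suspiciousTasks | Format-Table -AutoSize
"DLLs under $env:APPDATA that are unsigned or signed by a publisher outside the allow-list:"
$suspiciousDlls | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that tasks registered by other users and SYSTEM are enumerated. The DLL check deliberately uses a publisher allow-list rather than a simple signed/unsigned test, because, as the post notes, the installer in this campaign was signed with certificates that Windows considers valid; the hashes the script reports can then be compared against the indicators published for the campaign.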
👉 This is another reminder that attackers exploit trust in search results as much as technical flaws. A few extra seconds verifying a download source can prevent a devastating breach.
To protect organizations from malvertising, Alcaeus Services focuses on securing the sources of downloads, monitoring for malware that persists, and enhancing endpoint security to prevent backdoor infections, such as Oyster.