
Hackers use Weaponized Microsoft Teams Installer to Compromise Systems With Oyster Malware

A sophisticated malvertising campaign is using fake Microsoft Teams installers to compromise corporate systems, leveraging poisoned search engine results and abused code-signing certificates to deliver the Oyster backdoor malware.

The attack was neutralized by Microsoft Defender’s Attack Surface Reduction (ASR) rules, which blocked the malware from establishing contact with its command-and-control server.

The multi-stage attack highlights an increasing trend of threat actors using legitimate services to appear trustworthy and evade traditional security measures.

By using short-lived, valid code-signing certificates, the attackers were able to bypass initial signature-based detection and trick systems into trusting the malicious software.

Oyster Malware Via Microsoft Teams Installer

Conscia’s forensic investigation revealed a rapid and automated attack sequence that began with a simple web search.

On September 25, 2025, an employee’s search on Bing for Microsoft Teams led to a malicious redirect. Within just 11 seconds of the initial search, the user was funneled from bing.com through a redirect domain (team.frywow.com) to a malicious site, teams-install.icu.

This rapid redirection points to an automated process, likely driven by a malvertising campaign or a poisoned search engine result that placed the malicious link high in the search rankings.

The domain teams-install.icu was designed to spoof a legitimate Microsoft download page and was hosted on Cloudflare to further mask its malicious intent. Once the user landed on the page, a file named MSTeamsSetup.exe was downloaded.
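The 11-second hop from a search engine to a Teams lookalike download is the kind of sequence a proxy-log review can surface. The following is an added example, not code from the article or from Conscia: it scans constructed proxy-log lines (format, allow-list and brand-word list are all assumptions) and flags a user whose search-engine visit is followed, within a short window, by an installer download from a host that carries a brand word but is not on the allow-list.

```python
from datetime import datetime, timedelta

# Constructed proxy-log sample (format assumed): timestamp user host referrer file.
# The first three rows mirror the chain the article describes.
PROXY_LOG = """\
2025-09-25T09:14:02Z alice www.bing.com - -
2025-09-25T09:14:09Z alice team.frywow.com www.bing.com -
2025-09-25T09:14:13Z alice teams-install.icu team.frywow.com MSTeamsSetup.exe
2025-09-25T10:02:41Z bob www.bing.com - -
2025-09-25T10:03:55Z bob www.microsoft.com www.bing.com MSTeamsSetup.exe
"""
SEARCH_ENGINES = {"www.bing.com", "www.google.com", "duckduckgo.com"}
TRUSTED_HOSTS = {"www.microsoft.com", "teams.microsoft.com"}  # assumed allow-list
BRAND_WORDS = ("teams", "microsoft", "office")
INSTALLER_SUFFIXES = (".exe", ".msi", ".msix")

def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    rows = []
    for line in log.splitlines():
        ts, user, host, ref, fname = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "user": user, "host": host, "ref": ref, "file": fname})
    return rows

def is_lookalike(host):
    """A host that carries a brand word but is not on the allow-list."""
    return host not in TRUSTED_HOSTS and any(w in host.lower() for w in BRAND_WORDS)

def find_chains(rows, window=timedelta(seconds=60)):
    """Return (user, search_host, download_host, file, seconds) for every user
    whose search-engine visit is followed within `window` by an installer
    download from a lookalike host."""
    hits, by_user = [], {}
    for r in rows:
        by_user.setdefault(r["user"], []).append(r)
    for user, events in by_user.items():
        last_search = None
        for e in sorted(events, key=lambda r: r["ts"]):
            if e["host"] in SEARCH_ENGINES:
                last_search = e
                continue
            if (last_search and e["ts"] - last_search["ts"] <= window
                    and is_lookalike(e["host"])
                    and e["file"].lower().endswith(INSTALLER_SUFFIXES)):
                secs = int((e["ts"] - last_search["ts"]).total_seconds())
                hits.append((user, last_search["host"], e["host"], e["file"], secs))
    return hits

if __name__ == "__main__":
    for hit in find_chains(parse(PROXY_LOG)):
        print("suspicious chain:", hit)
```

The control row for `bob` shows why the allow-list matters: the same installer name from the vendor's real host is not flagged.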

Roughly an hour later, the file was executed. Although it appeared to be a legitimate installer, it was in fact the Oyster malware. The attack was only stopped when Microsoft Defender’s ASR rules detected and blocked the malware’s attempt to connect to its C2 server at nickbush24.com.

The core of this campaign’s sophistication lies in its abuse of code-signing certificates. The malicious executable was signed by a seemingly legitimate entity named “KUTTANADAN CREATIONS INC.” using a certificate that was valid for only two days, from September 24 to 26, 2025.

This emerging tactic allows threat actors to:

  • Bypass Security: Signed files are often trusted by default, evading antivirus and other signature-based checks.
  • Minimize Detection: The short lifespan of the certificate reduces the window for security vendors to identify and revoke it.
  • Automate Attacks: Attackers can automate the process of obtaining and signing malware with fresh certificates for different campaigns.
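A valid signature answers "was this file tampered with after signing", not "should this publisher be signing a Teams installer". The following is an added example, not code from the article or from Conscia: it takes signer metadata already extracted from a file (the record fields and the expected-publisher mapping are assumptions, and the first record is constructed to mirror the two-day certificate described above) and returns reason codes for a short certificate lifetime, a file appearing right after issuance, and a brand-named file signed by an unexpected publisher.

```python
from datetime import datetime, timedelta

# Constructed signer records (field names assumed). The first mirrors the
# certificate the article describes; the second is a benign control record.
SIGNERS = [
    {"file": "MSTeamsSetup.exe", "subject": "KUTTANADAN CREATIONS INC.",
     "not_before": "2025-09-24T00:00:00", "not_after": "2025-09-26T00:00:00",
     "first_seen": "2025-09-25T10:15:00"},
    {"file": "Teams_windows_x64.exe", "subject": "Microsoft Corporation",
     "not_before": "2024-11-01T00:00:00", "not_after": "2025-11-01T00:00:00",
     "first_seen": "2025-09-25T10:20:00"},
]

# Product keyword -> publisher expected to sign it (assumed mapping).
EXPECTED_PUBLISHER = {"teams": "Microsoft Corporation", "office": "Microsoft Corporation"}


def assess(rec, max_lifetime_days=30, max_age_hours=72):
    """Return a list of reason codes; an empty list means nothing stood out.

    Expiry alone is not a signal: a timestamped Authenticode signature stays
    valid after the certificate expires. The short lifetime and the file
    appearing right after issuance are what stand out in this case."""
    nb = datetime.fromisoformat(rec["not_before"])
    na = datetime.fromisoformat(rec["not_after"])
    seen = datetime.fromisoformat(rec["first_seen"])
    reasons = []
    if (na - nb).days <= max_lifetime_days:
        reasons.append("short_lifetime")          # e.g. a two-day certificate
    if seen - nb <= timedelta(hours=max_age_hours):
        reasons.append("fresh_certificate")       # seen right after issuance
    for keyword, publisher in EXPECTED_PUBLISHER.items():
        if keyword in rec["file"].lower() and rec["subject"] != publisher:
            reasons.append("publisher_mismatch")  # brand in name, stranger as signer
            break
    return reasons


if __name__ == "__main__":
    for rec in SIGNERS:
        print(rec["file"], "->", assess(rec) or ["ok"])
```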

Conscia’s research also uncovered similar short-lived certificates issued to signers such as “Shanxi Yanghua HOME Furnishings Ltd,” suggesting a larger, well-orchestrated operation.

This incident was neutralized before any data could be exfiltrated or further payloads like ransomware could be deployed. The successful prevention demonstrates that traditional security measures are no longer sufficient. Trust in digital certificates cannot be absolute, and organizations must deploy advanced endpoint protection.

Had the ASR rules not been in place, the Oyster backdoor (also known as Broomstick or CleanUpLoader) would have established persistent access to the compromised system. This would have enabled the attackers to conduct data theft, deploy additional malware, and move laterally across the network.

Key lessons from this attack are clear: attackers are evolving their use of legitimate system tools (“living off the land”), certificate trust is being actively weaponized, and the speed of automated attacks requires robust, behavior-based security controls like ASR to prevent a compromise that can occur in seconds.


The post Hackers use Weaponized Microsoft Teams Installer to Compromise Systems With Oyster Malware appeared first on Cyber Security News.
