Attack Chain via Teams Impersonation
Threat actors are leveraging Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT remote access trojan. According to a report from Palo Alto Networks’ Unit 42, the campaign begins with a phishing email containing a malicious PDF attachment labeled as an “Employee Survey.” Shortly after the victim opens the document, they receive a Teams voice call from an external account posing as a system administrator. The caller uses the built-in screen sharing feature to convince the victim to grant remote control, then guides them through installing legitimate remote access tools such as HopToDesk or AnyDesk.
After gaining remote access, the attacker downloads a malicious MSI installer from a command and control server. This installer loads a legitimate Node.js runtime, decrypts embedded payloads, and ultimately deploys EtherRAT. The malware is a cross platform remote access trojan written in Node.js that provides full system control, including the ability to execute commands, manipulate files, steal data, and maintain persistence.
Evasion and Ongoing Development
EtherRAT uses Ethereum smart contracts to retrieve its active command and control server, a technique that makes takedown efforts more difficult. Unit 42 researchers discovered an open directory on a distribution server containing multiple versions of the malware installers ranging from v1 through v9, indicating that the campaign is actively being developed and refined. The malware was previously observed in state sponsored attacks exploiting the React2Shell vulnerability and has since been adopted by multiple threat actor groups.
This campaign follows a pattern of increasing abuse of Microsoft Teams for corporate network intrusions. Previous attacks have targeted financial and healthcare organizations, using similar techniques that involve flooding victims with spam messages before contacting them via Teams to deploy backdoors. In response, Microsoft has introduced new protections including warnings that identify external callers and a policy that automatically places suspected third party bots into meeting lobbies for manual approval.
Source: BleepingComputer

