Hackers Spread Oyster Malware Through Fake Microsoft Teams Installer


369/68 Monday, September 29, 2025

Cybersecurity experts have discovered an attack in which hackers used SEO poisoning and search engine ads to promote fraudulent websites offering downloads of Microsoft Teams. Once installed, the victim’s computer becomes infected with the Oyster malware, providing attackers with an initial foothold into the organization’s network.

The Oyster malware (also known as Broomstick and CleanUpLoader) first appeared in mid-2023 and has been deployed in several attack campaigns. Research indicates that Oyster enables attackers to remotely control infected devices, execute additional commands, install new payloads, and steal or transfer files. In the past, it has often been distributed via fake ads for popular tools such as PuTTY and WinSCP, and has been linked to Rhysida ransomware operations.

Most recently, researchers from Blackpoint SOC reported that attackers created the fake domain teams-install[.]top, designed to mimic Microsoft’s official Teams website. When users download from the site, they receive a file named MSTeamsSetup[.]exe, which appears legitimate but actually installs CaptureService[.]dll on the system. The malware also creates a scheduled task that runs every 11 minutes to maintain persistence.

Experts warn that this campaign mirrors previous cases involving fake installers for Chrome and Teams, demonstrating that SEO poisoning and malicious ads remain favored hacker tactics. Both system administrators and everyday users are advised to download software only from official websites and avoid clicking on sponsored links in search engine results to reduce the risk of compromise.

Source: https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-installers-push-oyster-malware-via-malvertising/