Fake Microsoft Teams and Google Meet Download Pages Distribute Oyster Backdoor Malware

524/68 Monday, December 15, 2025

Cybersecurity researchers have uncovered an attack campaign targeting organizations in the financial sector, leveraging the Oyster (also known as Broomstick) malware disguised within fake installers for popular applications such as Microsoft Teams, Google Meet, PuTTY, and WinSCP. The attackers rely on SEO poisoning and malicious advertising (malvertising) to lure users into clicking links that lead to fraudulent websites hosting malware-laced downloads.

The attack typically begins when users search for terms like “download Microsoft Teams” or other IT-related software. Malicious sponsored ads or manipulated search results appear at the top of the page, directing victims to fake download sites. Once the victim downloads and executes the counterfeit installer, the malware drops a file named AlphaSecurity.dll onto the system and creates a Scheduled Task that runs every 18 minutes. This mechanism functions as a stealthy backdoor, ensuring persistent access even after system reboots.
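
One way to triage exported scheduled tasks for the persistence pattern described above, added here as an illustration and not taken from the article or the researchers' report. It checks Task Scheduler XML definitions (as produced by `schtasks /query /xml`) for an 18-minute repetition interval and an action that references AlphaSecurity.dll; the sample tasks, their paths and the `rundll32.exe` command are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DLL_NAME = "alphasecurity.dll"   # file name reported in the article, lowercased
INTERVAL_MIN = 18                # repetition interval reported in the article

def interval_minutes(duration):
    """Convert an ISO 8601 duration (PT18M, PT1H30M, P1D) to minutes, or None."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?",
                     duration.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(xml_data):
    """Return the indicators matched by one task definition (str or raw bytes)."""
    root = ET.fromstring(xml_data)
    hits = []
    intervals = [iv.text or "" for iv in root.iterfind(".//t:Repetition/t:Interval", NS)]
    if any(interval_minutes(i) == INTERVAL_MIN for i in intervals):
        hits.append("repeats-every-18-minutes")
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        # Join command and arguments so the DLL is found wherever it is named.
        cmdline = " ".join(ex.findtext(f"t:{tag}", "", NS) or ""
                           for tag in ("Command", "Arguments"))
        if DLL_NAME in cmdline.lower():
            hits.append("action-references-AlphaSecurity.dll")
            break
    return hits

def _task(interval, command, arguments):
    # Builds a constructed task definition; real exports carry more elements.
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition>'
            f'<Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers>'
            f'<Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

# Constructed samples: the article gives neither the launching command nor the path.
SUSPECT = _task("PT18M", "rundll32.exe", r"C:\ExamplePath\AlphaSecurity.dll,ExampleExport")
BENIGN = _task("PT1H", r"C:\Program Files\ExampleVendor\updater.exe", "/silent")

if __name__ == "__main__":
    for name, xml_data in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, assess_task(xml_data))
```

A match on either indicator is a lead for investigation, not a verdict. When reading a real export from disk, pass the file's raw bytes so the parser honours the encoding declared in the file.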

The Oyster Backdoor is considered a serious threat, as it enables attackers to maintain long-term, covert access to compromised systems. Researchers have reported links between this malware and the Rhysida ransomware group, which is believed to use this access vector to infiltrate corporate networks. Analysts expect this threat to persist into 2026, and strongly advise users and organizations to download software only from official vendor websites and to avoid clicking sponsored links in search results to reduce the risk of compromise.

Source: https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backdoor/