Hackers Spoof Teams App to Spread Oyster Malware

A recent cyber campaign used a spoofed Microsoft Teams installer to deploy the Oyster backdoor, leveraging poisoned search results and short-lived code-signing certificates. The attackers spoofed Teams download pages to trick users into downloading what appears to be legitimate software but is in fact malware. The installer, signed by “KUTTANADAN CREATIONS INC.,” evaded detection because it carried a valid certificate, one that lasted only two days.

Investigators at Conscia traced the attack to a Bing search on September 25, 2025. Within 11 seconds, a targeted user was redirected to a fake Teams site hosted on Cloudflare. The downloaded MSTeamsSetup.exe file looked authentic but delivered Oyster malware.

Microsoft Defender’s Attack Surface Reduction rules blocked the malware’s attempt to contact its control server, preventing deeper infiltration. Spoofed Teams installers like this one exploit trust in legitimate tools and certificates. The attack underscores the need for behavior-based defenses and scrutiny of digital signatures.
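
A triage sketch for the signature scrutiny mentioned above, as an added example that is not from the original report: it lists the signer and certificate validity window of installers in a folder and flags signing certificates with a very short lifetime. The scan path and the 7-day threshold are assumptions; `Get-AuthenticodeSignature` is the built-in PowerShell cmdlet.

```powershell
# Added example: triage downloaded installers by signer-certificate lifetime.
# Assumptions (not from the report): the default scan path and the 7-day threshold.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [int]$MaxLifetimeDays = 7
)

Get-ChildItem -Path $Path -Include *.exe, *.msi -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        if ($null -eq $cert) {
            # Unsigned file: report it, but there is no certificate to measure.
            [pscustomobject]@{
                File         = $_.FullName
                Status       = $sig.Status
                Signer       = $null
                NotBefore    = $null
                NotAfter     = $null
                LifetimeDays = $null
                ShortLived   = $false
            }
            return   # inside ForEach-Object this moves on to the next file
        }

        # Validity window of the signing certificate, in days.
        $lifetime = ($cert.NotAfter - $cert.NotBefore).TotalDays

        [pscustomobject]@{
            File         = $_.FullName
            Status       = $sig.Status          # "Valid" only means the signature verifies
            Signer       = $cert.Subject
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            LifetimeDays = [math]::Round($lifetime, 1)
            ShortLived   = ($lifetime -le $MaxLifetimeDays)
        }
    } |
    Sort-Object ShortLived -Descending |
    Format-List
```

A `Valid` status with `ShortLived` set to true is the combination worth a closer look: the signature verifies, but the publisher's certificate was issued for only a few days.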

Read the full report:

Hackers use Weaponized Microsoft Teams Installer to Compromise Systems With Oyster Malware
