CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Multi-actor campaigns abuse Microsoft Teams for initial access and data theft

First reported
Last updated
1 unique sources, 3 articles

Summary

Hide ▲

A phishing campaign targeting financial and healthcare organizations uses Microsoft Teams to impersonate IT staff and trick victims into granting remote access via Quick Assist, deploying the A0Backdoor malware. The campaign, linked to the BlackBasta ransomware group, uses sophisticated TTPs including digitally signed MSI installers, DNS MX-based C2 communication, and DLL sideloading with legitimate Microsoft binaries. A separate intrusion attributed to UNC6692 leverages Microsoft Teams social engineering to deploy the 'Snow' malware suite—comprising a browser extension, tunneler, and backdoor—for credential theft and domain takeover, with post-compromise activities including reconnaissance, lateral movement via pass-the-hash, and exfiltration of Active Directory assets. The A0Backdoor campaign involves multi-stage attack chains beginning with external Teams chats impersonating IT staff to initiate Quick Assist sessions, followed by reconnaissance, DLL sideloading with signed applications, lateral movement via WinRM, and targeted exfiltration using Rclone. The Snow intrusion contrasts this approach with a modular malware suite (SnowBelt, SnowBasin, SnowGlaze), WebSocket-based C2, SOCKS proxy capabilities, and exfiltration via LimeWire, indicating distinct actor goals and tooling.

Timeline

  1. 25.04.2026 18:07 1 articles · 23h ago

    UNC6692 deploys Snow malware suite via Teams phishing and email bombing

    UNC6692 uses email bombing to create urgency, then contacts targets via Microsoft Teams impersonating IT helpdesk agents, prompting installation of a dropper that loads the SnowBelt Chrome extension on a headless Microsoft Edge instance for stealth persistence. The dropper also installs the SnowGlaze tunneler for WebSocket-based C2 and SOCKS proxy operations, and the SnowBasin Python backdoor that supports remote shell access, data exfiltration, file management, and self-termination. Post-compromise, the group performs internal reconnaissance (SMB/RDP scanning), lateral movement using pass-the-hash, credential harvesting via LSASS memory dumping, and ultimately deploys FTK Imager to extract Active Directory database, SYSTEM, SAM, and SECURITY registry hives, exfiltrating these artifacts via LimeWire to obtain domain-wide credential access.

    Show sources
    Open in new tab
  2. 10.03.2026 00:50 2 articles · 1mo ago

    A0Backdoor Malware Deployed via Microsoft Teams Phishing Campaign

    Microsoft issues a warning about threat actors increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk staff via cross-tenant chats, tricking victims into granting remote access for data theft. Attackers leverage legitimate tools like Quick Assist and Rclone to transfer files to external cloud storage, blending malicious activity with normal IT support operations. The article details a nine-stage attack chain starting with external Teams chats impersonating IT staff, using Quick Assist for initial access, followed by reconnaissance via Command Prompt and PowerShell, DLL sideloading with signed applications (e.g., Autodesk, Adobe Acrobat/Reader, Windows Error Reporting) for payload execution, lateral movement via Windows Remote Management (WinRM), and targeted exfiltration using Rclone or similar tools to external cloud storage. HTTPS-based C2 communication is used to evade detection, and persistence is maintained via Windows Registry modifications. This expands on the initial campaign's TTPs, confirming the abuse of Quick Assist and DLL sideloading as part of a refined and stealthy intrusion methodology.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Payouts King ransomware leverages QEMU-based hidden VMs for covert operations and persistence

The Payouts King ransomware operation has integrated the QEMU emulator to deploy hidden Alpine Linux virtual machines (VMs) on compromised hosts, enabling attackers to bypass endpoint security controls and execute malicious activities without detection. Using reverse SSH tunnels and scheduled tasks, threat actors associated with the GOLD ENCOUNTER group operate these VMs to harvest credentials, perform Active Directory reconnaissance, and stage data for exfiltration. Initial access vectors include exploitation of SonicWall VPNs, CitrixBleed 2 (CVE-2025-5777), Cisco SSL VPNs, and social engineering via Microsoft Teams phishing. The campaign employs multi-stage encryption, toolchain customization, and anti-analysis techniques to maintain persistence and evade detection.

Open in new tab

Storm-0249 Adopts Advanced Tactics for Ransomware Attacks

Storm-0249, previously known as an initial access broker, has escalated its operations by employing advanced tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks. These methods allow the threat actor to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust associated with signed processes for added stealth. The ultimate goal is to obtain persistent access to enterprise networks and monetize them by selling access to ransomware gangs.

Open in new tab

Matrix Push C2 Malware Delivery via Browser Push Notifications

Cybercriminals are exploiting browser push notifications to deliver malware through a newly discovered command-and-control (C2) platform called Matrix Push C2. This platform tricks users into allowing notifications, which are then used to redirect them to malicious sites, monitor infected clients in real time, and scan for cryptocurrency wallets. The attack is fileless, operating through the browser's notification system without requiring traditional malware files on the system. The campaign is orchestrated via a web-based dashboard that provides real-time intelligence on victims, including detailed information on each infected client. The platform includes analytics and link management tools to measure campaign effectiveness and adjust tactics. Social engineering templates for brands like MetaMask, Netflix, and PayPal are used to maximize the credibility of fake messages. Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit, sold under a tiered subscription model with payments accepted in cryptocurrency. The platform was first observed in October 2025 and has been active since then.

Open in new tab

Oyster Malware Distributed via Fake Microsoft Teams Installers

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware, known as OysterLoader, provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools. In early 2026, OysterLoader evolved with new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis.

Open in new tab

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign using MostereRAT, a banking malware-turned-RAT, targets Japanese Windows users. The malware employs sophisticated evasion techniques, including the use of an obscure programming language and disabling of security tools, to maintain long-term access and control over compromised systems. The campaign begins with phishing emails that lure victims into downloading a malicious Word document. Once installed, MostereRAT deploys multiple modules to achieve persistence, privilege escalation, and remote access. The malware is designed to evade detection and disable various antivirus and endpoint detection and response (EDR) products, making it difficult for defenders to detect and mitigate the threat. The primary goal of MostereRAT is to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool. It can also perform Early Bird Injection to inject an EXE into svchost.exe.

Open in new tab