We use cookies. By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
TechGeer Black Text Logo Light Header TechGeer Main Logo
  • News
    • AI News
    • Cybersecurity News
    • Streaming News
    • Tech News
  • Statistics
    • Entertainment
    • Gadgets and Hardware
    • Internet Security
    • Lifestyle
    • Marketing and Finance
    • Science
    • Web and Software
    • Workplace and Business
  • Streaming
  • Security
    • VPN
    • Spy
    • Antivirus
    • Torrenting
  • AI
  • About Us
    • Why Trust Us
    • Editorial Policy
    • Our Writers and Editors
    • Terms of Use
    • How We Make Money
    • Get in Touch
Reading: Hackers Impersonate IT Support on Microsoft Teams to Deploy EtherRAT Malware
TechGeerTechGeer
Search
  • News
    • AI News
    • Cybersecurity News
    • Streaming News
    • Tech News
  • Statistics
    • Entertainment
    • Gadgets and Hardware
    • Internet Security
    • Lifestyle
    • Marketing and Finance
    • Science
    • Web and Software
    • Workplace and Business
  • Streaming
  • Security
    • VPN
    • Spy
    • Antivirus
    • Torrenting
  • AI
  • About Us
    • Why Trust Us
    • Editorial Policy
    • Our Writers and Editors
    • Terms of Use
    • How We Make Money
    • Get in Touch
Have an existing account? Sign In
Follow US
  • Terms of Use
  • Privacy Policy
© 2024 TechGeer.com. All Rights Reserved.
Home » News » Cybersecurity » Hackers Impersonate IT Support on Microsoft Teams to Deploy EtherRAT Malware

Hackers Impersonate IT Support on Microsoft Teams to Deploy EtherRAT Malware

Olivia Carter
Last updated: July 8, 2026 4:36 am
By Olivia Carter
6 Min Read
Share
We conduct in-depth independent evaluations before making a recommendation. If you buy through links on our site, we may earn a fee that supports our mission.
  • Hackers are pretending to be IT support on Microsoft Teams and employing tactics like phishing emails, making phone calls, and abusing remote access technology to infect their targets with the EtherRAT malware.
  • EtherRAT hides its command–and-control servers by using Ethereum smart contracts.
  • Microsoft has launched security measures on Microsoft Teams, yet there’s still a need for stronger policies and staff training.
Hackers Impersonate IT Support on Microsoft Teams to Deploy EtherRAT Malware

Cybercriminals are getting creative, coming up with new ways to break into corporate networks. Their latest trick involves fake IT support calls through Microsoft Teams.

Researchers at Palo Alto Networks’ Unit 42 discovered a campaign where attackers pretend to be a company’s IT staff. Their goal? To trick employees into providing remote access and installing malware onto company devices.

In This Article
Legitimate Tools Hide the Real AttackEtherRAT Gives Attackers Long-Term ControlThe Increase in Attacks Targeting Collaboration PlatformsMicrosoft Strengthens Teams DefensesEmployee Awareness Remains the Best Defense

The attack starts low-key, with a legitimate-looking step. An employee gets a phishing email, something about an “Employee Survey,” with a malicious PDF attached. Sounds routine, but as soon as the employee opens it, they receive a Teams voice call from someone claiming to be a system administrator.

During this phone call, the fraudsters use an external Microsoft 365 account with the name of helpdesk@Progressive936.onmicrosoft[.]com. Teams actually flag it with an “External unfamiliar” warning.

But the attacker tries to cover it up by using social engineering tricks to make the victim ignore the warning. Once they get their foot in the door, the fake IT rep asks the employee to share their screen and hand over remote control by using Teams’ built-in screen-sharing tools.

Legitimate Tools Hide the Real Attack

Instead of immediately dropping malware, the attackers first installed trusted remote administration software. HopToDesk and AnyDesk are valid remote access solutions that companies’ IT departments use often. Since many people use and trust these apps, they do not trigger any alarms on the user’s or security software’s side.

Once they established remote access, the attackers downloaded a malicious MSI installer dubbed v7.msi from camorreado[.]click. The installer didn’t contain the malware directly. Instead, it worked as a loader that downloaded a legitimate Node.js runtime, decrypted hidden components, and finally launched EtherRAT.

EtherRAT Gives Attackers Long-Term Control

EtherRAT is a remote access trojan built with Node.js. It runs on almost every platform, making it a cross-platform RAT. Once it infects a device, attackers can claim control of the whole system. They’d be able to run commands, access files, steal confidential data, plant other malicious software, and retain access as long as they like.

What stands out about EtherRAT is how it locates its command-and-control server. According to reports, instead of using a fixed address that can be blocked, it retrieves the server location through Ethereum smart contracts. This technique, known as EtherHiding, makes the malware much harder to disrupt. Take down one server, and the attackers can simply update the smart contract to point to a new one.

Unit 42 researchers found an open directory with multiple versions of the installer ranging from v1 through v9. This suggests the malware is still under active development and regularly updated.

The Increase in Attacks Targeting Collaboration Platforms

This isn’t the first of such attacks. Unit 42 has been tracking this for a while. According to the researchers, there’s been an increase in attacks targeting collaboration platforms. Earlier this year, phishing alerts related to these tools in Cortex shot up to 42%. That’s a 12% increase from the number of previous attacks.

Campaigns that came before that followed a similar pattern. In March, attackers targeted healthcare and financial organizations by flooding inboxes with spam before contacting victims through Microsoft Teams. They trick victims into launching Microsoft Quick Assist sessions that eventually install the A0Backdoor malware.

Earlier in April, Microsoft released a statement regarding attackers exploiting external Teams accounts pretending to be the IT help desk workers to access networks and steal confidential data.

Microsoft Strengthens Teams Defenses

Microsoft has been introducing new protections to reduce abuse of Teams. The company recently expanded warnings that identify external callers and chats, making it easier for users to spot communications from outside their organization.

The security push extends to other Microsoft platforms; the company removed 119 malicious extensions from its Edge Add-ons Store.

Microsoft also rolled out new administrator controls that automatically put suspected third-party bots in the meeting lobby. Organizers must explicitly approve these bots before they can join meetings. The company has introduced Brand Impersonation Protection, which shows high-risk call warnings for suspicious external callers.

Employee Awareness Remains the Best Defense

Technical protections alone can’t stop attacks that rely on human trust. Organizations should teach employees that legitimate IT staff rarely make unexpected Teams calls asking users to install software or surrender remote control. Workers should pay close attention to Teams warnings indicating that callers are external.

In addition to all these measures, security professionals can also minimize risks by restricting external Teams communications when possible, auditing their logs, and restricting the installation of any remote management applications that employees might download.

With hackers transitioning from emails to collaboration services, trusted work-related communication is now another front in corporate security operations.

Share This Article
Facebook LinkedIn Reddit Copy Link
ByOlivia Carter
Olivia Carter is a technology journalist and privacy analyst who covers cybersecurity, consumer technology, artificial intelligence, and digital privacy. She has extensive experience reporting on breaking cyber incidents, software vulnerabilities, and regulatory developments. Her goal is to make technical topics accessible while delivering accurate, research-driven reporting for everyday readers and IT professionals.
Leave a Comment Leave a Comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Related Articles

WinRAR 7 23 Update Fixes Critical Heap Overflow and Path Traversal Vulnerabilities
Cybersecurity

WinRAR 7.23 Update Fixes Critical Heap Overflow and Path Traversal Vulnerabilities

July 4, 2026
DVB Project Approves Major DVB-I Security Upgrade for Internet TV
Cybersecurity

DVB Project Approves Major DVB-I Security Upgrade for Internet TV

July 6, 2026
Microsoft Removes 119 Malicious Extensions From Edge Add-ons Store
Cybersecurity

Microsoft Removes 119 Malicious Extensions from Edge Add-ons Store

July 6, 2026
Security Researchers Warn of Phishing Kit Targeting Major Crypto Wallets
Cybersecurity

Security Researchers Warn of Phishing Kit Targeting Major Crypto Wallets

July 6, 2026
TechGeer Black Text Logo Light Header TechGeer Main Logo

Discover the latest in tech at TechGeer.com: AI, software, VPNs, privacy, monitoring, gaming, streaming, and alternatives. Your go-to source for cutting-edge news and guides in the digital world.

Navigation

  • News
  • Statistics
  • Security and Privacy Guides
  • Monitoring
  • VPN
  • Torrenting
  • Streaming & Geoblocking
  • Software and Apps
  • Artificial Intelligence

Company

  • About Us
  • Why Trust Us
  • Editorial Policy
  • Disclaimer
  • How We Evaluate
  • Career
  • Contact

Follow Us

TechGeer Ltd
Office 1214 727 51
High Streat, East
London E72JA
United Kingdom

© 2024 TechGeer.com. All Rights Reserved.
  • Terms of Use
  • Privacy Policy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?

Not a member? Sign Up