VYPR
researchPublished Jul 7, 2026· 2 sources

Hackers Weaponize Microsoft Teams Calls for EtherRAT Malware Deployment

Attackers are exploiting Microsoft Teams calls and social engineering to trick victims into installing EtherRAT, a sophisticated cross-platform trojan.

A novel attack campaign is leveraging the ubiquitous Microsoft Teams collaboration platform to deploy the potent EtherRAT malware, blending social engineering with the installation of legitimate remote access tools. The operation begins with a phishing email that lures victims into opening a malicious PDF, which then triggers an unexpected Microsoft Teams voice call. The caller, impersonating an IT administrator from an external tenant, uses social engineering tactics to persuade the victim to share their screen.

Analysts from Palo Alto Networks' Unit 42, who detailed the findings, noted that the attacker's account was tied to a domain designed to mimic a genuine helpdesk address, enhancing the credibility of the impersonation. While Teams flags calls from external tenants as "External unfamiliar," users often overlook this warning during the interaction. Once screen sharing is enabled, the attacker gains remote control of the victim's device, appearing to provide legitimate IT support.

During the screen-sharing session, the attacker guides the victim through installing seemingly legitimate remote access tools. This crucial step establishes a foothold that appears as routine technical support, masking the malicious intent. The attacker then downloads and executes a malicious MSI installer. This installer quietly fetches a genuine Node.js runtime onto the compromised machine and decrypts hidden payloads, ultimately launching the EtherRAT malware.

The use of legitimate software components by the loader makes it challenging for many endpoint security solutions to detect the malicious activity. EtherRAT itself is a cross-platform remote access trojan built using Node.js, offering flexibility across various operating systems. Once active, it possesses the capability to execute commands, manipulate files, exfiltrate sensitive data, and establish long-term persistence on the infected system.

A particularly concerning feature of EtherRAT is its use of Ethereum smart contracts to retrieve the command and control (C2) server address. This unique C2 mechanism significantly complicates efforts by defenders to track and dismantle the malware's infrastructure. Researchers have previously linked EtherRAT to state-sponsored operations, and its apparent adoption by a wider range of criminal groups suggests it is being shared or sold on illicit markets.

Unit 42 discovered an open directory on the attacker's distribution server containing nine different versions of the installer, indicating ongoing development and refinement of the malware. This campaign highlights a growing trend of attackers exploiting trust in everyday collaboration tools and legitimate software to bypass security measures.

Microsoft has acknowledged this threat and is implementing protective measures, including clearer warnings for external calls and chats, and an administrator policy to place suspected third-party bots into a meeting lobby. Security teams are advised to restrict external Teams communication where possible, train employees to verify IT requests through separate, trusted channels, and monitor for unexpected remote access software installations. The core defense remains treating unsolicited IT support calls with extreme caution and verifying requests through known internal channels before granting any remote access.

This new report from The Register details how attackers are leveraging Microsoft Teams' cross-tenant chat functionality to initiate direct calls with targets, a tactic not explicitly mentioned in previous accounts. The attackers impersonate IT support, using a Teams call to persuade victims to install legitimate remote administration tools before deploying the EtherRAT malware via an MSI package. Furthermore, the article highlights the discovery of an open directory containing multiple versions of EtherRAT, suggesting ongoing development and active use of the malware.

Synthesized by Vypr AI