Threat Actors Abuse Microsoft Teams for EtherRAT Delivery in IT Support Impersonation Scheme
A new campaign is leveraging **Microsoft Teams** voice calls and sophisticated social engineering to trick employees into installing **EtherRAT** malware. Threat actors are impersonating corporate IT support, gaining initial access to networks through a multi-stage attack involving phishing, remote management tools, and a custom Node.js-based loader. This highlights the evolving tactics of attackers exploiting trusted communication platforms.
Threat actors are increasingly exploiting trusted enterprise communication platforms, with a new campaign specifically targeting **Microsoft Teams** users. These attackers are impersonating corporate IT support staff to deploy the **EtherRAT** malware, ultimately gaining initial access to corporate networks.
Reported by **Palo Alto Networks**' **Unit 42**, this campaign combines phishing emails, **Microsoft Teams** voice calls, legitimate remote management tools, and a Node.js-based malware loader to compromise victim systems.
### The Attack Chain Unveiled
The attack typically begins with a phishing email, often using an "Employee Survey" lure and containing a malicious PDF attachment. Shortly after the victim opens this document, they receive a **Microsoft Teams** voice call.

The caller impersonates a "System Administrator" from an external account. Researchers noted the **Teams** session displayed an "External unfamiliar" label, indicating the caller originated from a different **Microsoft 365** tenant. Audit logs revealed the attacker initiated the external chat using an account like `[email protected][.]com`.
After establishing contact, the attacker convinces the victim to grant remote control through **Microsoft Teams**' built-in screen-sharing feature. They then guide the victim through installing legitimate remote-access tools such as **HopToDesk** and **AnyDesk**.
### EtherRAT Deployment and Capabilities
Once remote access is established, the attackers download and execute a malicious MSI installer (e.g., `v7.msi`) from a controlled domain like `camorreado[.]click`. This MSI acts as a malware loader, downloading a legitimate Node.js runtime, decrypting embedded payloads, and finally launching **EtherRAT**.
**EtherRAT** is a sophisticated, cross-platform Remote Access Trojan (RAT) written in Node.js. It grants attackers extensive control over compromised systems, enabling them to execute commands, manipulate files, steal data, and maintain persistence. A notable feature of **EtherRAT** is its use of Ethereum smart contracts to retrieve its active command-and-control (C2) server, complicating disruption efforts.
**Unit 42** discovered an open directory on a distribution server containing multiple versions of the malware installers (v1 through v9), suggesting the campaign is under active development and refinement.
### Growing Trend of Teams Abuse
This latest campaign is part of a growing trend of attacks abusing **Microsoft Teams** to breach corporate networks. In March, a similar campaign targeted financial and healthcare organizations, using **Teams** to pose as IT staff and trick victims into launching **Quick Assist** sessions, leading to the deployment of **A0Backdoor** malware.
A month later, **Microsoft** itself warned about the increasing abuse of external **Microsoft Teams** for helpdesk impersonation, where attackers gained remote access, performed reconnaissance, moved laterally, and exfiltrated data.
### Microsoft's Defensive Measures
In response to these escalating threats, **Microsoft** has been implementing new protections for **Teams**. Earlier this year, the company introduced warnings to identify external callers and chats, aiming to mitigate potential phishing and vishing attacks. More recently, **Microsoft** rolled out a new **Teams** administrator policy that automatically places suspected third-party bots into the meeting lobby until manually approved by organizers.