Malvertising Campaign Delivers “Oyster” Backdoor via Weaponized Microsoft Teams Installers

October 9th, 2025

Severity: High

Our Cyber Threat Intelligence Unit is monitoring an active malvertising campaign distributing the Oyster backdoor (also known as Broomstick / CleanUpLoader) through weaponized Microsoft Teams installers. The operation leverages SEO-poisoned ads and short-lived redirect domains that impersonate legitimate Teams download pages. Unsuspecting users who install these fake packages inadvertently deploy the Oyster remote-access malware, granting threat actors persistent access to the host. The campaign has been observed using digitally signed yet malicious installers, certificate abuse, and living-off-the-land (LOTL) execution methods such as rundll32.exe to evade detection. Oyster enables remote command execution, file transfer, and follow-on payload delivery, allowing attackers to carry out deeper intrusions and credential compromises across collaboration and enterprise environments. 

Technical Details

  • Attack Type: Malware distribution via malvertising and trojanized installers.

  • Severity: High.

  • Delivery Method: Malicious or compromised online advertisements redirect victims to spoofed Microsoft Teams download sites. These sites deliver a signed but counterfeit MSTeamsSetup.exe installer that drops the Oyster payload.

  • Techniques Observed:

    • Installer Behavior: The fake installer drops CaptureService.dll into %APPDATA%\Roaming and creates a scheduled task named “CaptureService”, executed every ~11 minutes via rundll32.exe.

    • Backdoor Capabilities: Oyster functions as a modular RAT, enabling remote command execution, file transfer, system profiling, and retrieval of follow-on modules.

    • Certificate Abuse: Samples were code-signed using compromised certificates from “4th State Oy” and “NRM NETWORK RISK MANAGEMENT INC.”

    • Infrastructure Characteristics: Rapid rotation of delivery and C2 domains, occasionally fronted by benign or CDN-hosted components, complicates takedown and signature-based blocking.

Impact

  • Executing the trojanized installer installs Oyster, providing attackers with persistent remote access.

  • Enables command execution, file exfiltration, and deployment of additional payloads.

  • Allows lateral movement, reconnaissance, and potential credential harvesting through follow-on modules.

  • Abuse of the Microsoft Teams brand and malvertising channels increases user trust exploitation and potential enterprise exposure.

  • Persistence via scheduled tasks supports long-term unauthorized presence within affected environments.

Detection Method

Security teams should monitor for the following:

  • Network Indicators:

    • Web redirects from ad networks to newly registered domains offering Teams installers.

    • Outbound traffic to suspicious C2 infrastructure following Teams installation events.

  • File and Process Artifacts:

    • Creation of CaptureService.dll within %APPDATA%\Roaming.

    • New scheduled task named CaptureService.

    • Execution of rundll32.exe shortly after installer launch.

  • File Integrity: Installer executables in user download directories whose Authenticode signature does not match Microsoft's official signing chain.

  • Certificate Monitoring: Unexpected software signed by “4th State Oy” or “NRM NETWORK RISK MANAGEMENT INC.”

  • Behavioral Detection: Child process spawning, persistence creation, and periodic network callbacks post-installation.
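The file, task, process and certificate indicators above only become a confident Oyster detection when they are correlated on one host. The following is an added example (not tooling from our Cyber Threat Intelligence Unit) that runs those rules over a small set of constructed endpoint events. The event schema (`type`, `host`, `path`, `task_name`, `image`, `command_line`, `signer`) is a hypothetical normalised layout, not a real Sysmon or EDR field set, and the DLL export name in the sample rundll32 command line is a placeholder because the advisory does not name it.

```python
import re
from collections import defaultdict

# Signer names the advisory reports as abused on Oyster samples.
ABUSED_SIGNERS = {"4th State Oy", "NRM NETWORK RISK MANAGEMENT INC."}

# rundll32 invoked with a DLL that lives under a user's AppData tree
# (the advisory reports the dropped DLL under %APPDATA%\Roaming).
USER_PROFILE_DLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?([a-z]:\\users\\[^"\s,]+\\appdata\\[^"\s,]+\.dll)', re.I
)


def check_event(ev):
    """Return the names of the Oyster-related rules that one event matches.
    Event dicts use a hypothetical normalised schema (type/host/path/...),
    not a real Sysmon or EDR field layout."""
    hits = []
    kind = ev.get("type")
    if kind == "file_create":
        path = ev.get("path", "").lower()
        if path.endswith("\\captureservice.dll") and "\\appdata\\roaming\\" in path:
            hits.append("oyster_dll_dropped")
    elif kind == "task_create":
        if ev.get("task_name", "").strip("\\").lower() == "captureservice":
            hits.append("oyster_task_created")
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        if image.endswith("\\rundll32.exe") and USER_PROFILE_DLL.search(ev.get("command_line", "")):
            hits.append("rundll32_user_profile_dll")
        if ev.get("signer") in ABUSED_SIGNERS:
            hits.append("abused_signer")
    return hits


def correlate(events):
    """Map each host to the sorted list of distinct rules its events triggered."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in check_event(ev):
            per_host[ev["host"]].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


def flagged_hosts(events, threshold=2):
    """Hosts hitting at least `threshold` distinct rules; a lone rundll32
    launch is common, the combination is what points at Oyster."""
    return sorted(h for h, rules in correlate(events).items() if len(rules) >= threshold)


# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign.
# PLACEHOLDER_EXPORT stands in for the unknown DLL entry point.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create",
     "image": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
     "command_line": "MSTeamsSetup.exe", "signer": "4th State Oy"},
    {"host": "WS01", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\CaptureService.dll"},
    {"host": "WS01", "type": "task_create", "task_name": r"\CaptureService"},
    {"host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Roaming\CaptureService.dll,PLACEHOLDER_EXPORT",
     "signer": "Microsoft Windows"},
    {"host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "signer": "Microsoft Windows"},
    {"host": "WS02", "type": "file_create",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Teams\settings.json"},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, rules)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The threshold of two distinct rules is a tuning choice: the abused-signer and CaptureService rules are specific enough to alert on alone, while the rundll32 rule is a generic LOTL heuristic that is best used as corroboration.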

Indicators of Compromise

  • IP Address (malicious IPs observed):

    • 45.66.248[.]112

    • 54.39.83[.]187

    • 185.28.119[.]228

  • File Name:

    • MSTeamsSetup.exe (malicious installer filename)

    • CaptureService.dll (dropped DLL, located under %APPDATA%\Roaming\…)

    • Ads.dll (dropped DLL, located under %APPDATA%\Roaming\…)

  • File Hash (SHA256) (malicious file hashes):

    • 9dc86863e3188912c3816e8ba21eda939107b8823f1afc190c466a7d5ca708d1

    • ac5065a351313cc522ab6004b98578a2704d2f636fc2ca78764ab239f4f594a3

    • d47f28bf33f5f6ee348f465aabbfff606a0feddb1fb4bd375b282ba1b818ce9a

    • d46bd618ffe30edea56561462b50eb23feb4b253316e16008d99abb4b3d48a02

  • Domain (C2 infrastructure serving commands and payloads):

    • team[.]frywow[.]com

    • teams-install[.]icu

    • teams-install[.]top

    • nickbush24[.]com

    • techwisenetwork[.]com

    • maddeehot[.]online

    • server-na-qc2[.]farsafe[.]net

Recommendations

  • Restrict Software Acquisition:

    • Direct users to download Microsoft Teams only from official Microsoft URLs (https://teams.microsoft.com/downloads) or corporate distribution portals.

    • Avoid clicking sponsored ads or search-engine links for software installers.

  • Containment and Response:

    • If a Teams installer obtained from any non-Microsoft source was executed, treat the system as compromised.

    • Isolate the endpoint, collect memory and disk images, and perform EDR/AV scans with updated signatures.

  • Preventive Controls:

    • Implement application allow-listing to permit only verified installers.

    • Block or sinkhole known delivery and C2 domains listed above.

    • Enforce execution policies restricting unsigned binaries for standard users.

    • Harden web and DNS filters to block malvertising and SEO-poisoned domains.

  • Monitoring & Telemetry:

    • Add detections for CaptureService.dll, scheduled task creation, and rundll32.exe loading from user profile paths.

    • Watch for executables signed by known abused certificates.

  • Post-Incident Actions:

    • Rotate credentials used on affected hosts.

    • Review network logs for connections to Oyster C2 infrastructure within the preceding 30 days.
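The 30-day network log review above is a retrospective IoC sweep: refang the defanged indicators from the table, then match destinations (the listed domain or any subdomain of it, or the listed IP) inside the time window. The following is an added example, not a script from our Cyber Threat Intelligence Unit; the single-line egress log format (`<ISO-8601 UTC> <src_ip> <dst_host> <dst_ip>`) is hypothetical, and the sample records, source addresses and non-IoC destinations are constructed from documentation ranges.

```python
from datetime import datetime, timedelta, timezone

# IoCs exactly as listed in the advisory (defanged with [.]).
DEFANGED_DOMAINS = [
    "team[.]frywow[.]com", "teams-install[.]icu", "teams-install[.]top",
    "nickbush24[.]com", "techwisenetwork[.]com", "maddeehot[.]online",
    "server-na-qc2[.]farsafe[.]net",
]
DEFANGED_IPS = ["45.66.248[.]112", "54.39.83[.]187", "185.28.119[.]228"]


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def domain_matches(host):
    """True for the listed domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def parse_line(line):
    """Hypothetical egress-log format: '<ISO-8601 UTC> <src_ip> <dst_host> <dst_ip>'."""
    ts, src, dst_host, dst_ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst_host, dst_ip


def sweep(lines, now, window_days=30):
    """Return (timestamp, source, reasons) for every record inside the window
    whose destination hits an Oyster domain or IP."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst_host, dst_ip = parse_line(raw)
        if not (cutoff <= ts <= now):
            continue
        reasons = []
        if domain_matches(dst_host):
            reasons.append("domain:" + dst_host.lower())
        if dst_ip in IPS:
            reasons.append("ip:" + dst_ip)
        if reasons:
            findings.append((ts.isoformat(), src, reasons))
    return findings


# Constructed sample log; 10.0.0.x sources and 198.51.100.x / 203.0.113.x
# destinations are private/documentation ranges, not real infrastructure.
SAMPLE_LOG = """
2025-10-05T09:14:03Z 10.0.0.5 teams-install.icu 45.66.248.112
2025-10-06T11:02:17Z 10.0.0.7 cdn.example.com 203.0.113.9
2025-08-01T08:00:00Z 10.0.0.5 nickbush24.com 198.51.100.4
2025-10-08T22:45:10Z 10.0.0.9 www.techwisenetwork.com 198.51.100.7
2025-10-09T01:00:00Z 10.0.0.9 update.example.net 54.39.83.187
""".splitlines()

# Review date anchoring the 30-day window (the advisory's publication date).
REFERENCE_NOW = datetime(2025, 10, 9, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ts, src, reasons in sweep(SAMPLE_LOG, REFERENCE_NOW):
        print(ts, src, ", ".join(reasons))
```

The subdomain match matters because the campaign rotates hosts under the same registered domains; matching only exact strings would miss a `www.` or host-specific label such as the `server-na-qc2` prefix in the table. Every source address the sweep returns is a candidate for the isolation and credential-rotation steps above.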

Conclusion

The Oyster malvertising campaign highlights how ad-based distribution methods can bypass traditional phishing defenses. By misusing trusted brands, valid certificates, and LOTL execution, threat actors achieve high infection rates and long-term persistence. We urge organizations to treat any Teams installer from non-Microsoft sources as high risk, enforce strong application control policies, and continuously monitor for persistence indicators such as CaptureService. Rapid detection, isolation, and credential rotation are essential to minimize Oyster’s impact post-compromise.