Fake IT bods on Microsoft Teams coax workers into installing malware


Cybercriminals are using fake IT support calls on Microsoft Teams to persuade employees to surrender control of their PCs before installing the EtherRAT remote access trojan, according to researchers at Palo Alto Networks’ Unit 42.

Victims receive a phishing email disguised as an employee survey before a follow-up Microsoft Teams call from someone claiming to be IT support. During the call, the attacker persuades the target to hand over remote control and install legitimate remote administration tools such as HopToDesk or AnyDesk. An MSI package is then downloaded, which installs the EtherRAT malware.

Read more…
Source:  The Register


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Beware of the license manager: how a Schneider Electric software vulnerability puts industrial facilities at risk

    June 26, 2026

    The CVE-2024-2658 vulnerability was discovered in 2024 within the FlexNet Publisher component of the Schneider Electric Floating License Manager. This software handles license management across various Schneider Electric products used for comprehensive industrial automation ranging from PLC programming to centralized control room implementation. This vulnerability is a CWE-427: Uncontrolled Search Path Element issue. It stems from a system ...

  • Polymarket says hackers stole users’ funds

    June 25, 2026

    Prediction market giant Polymarket confirmed that hackers stole funds from an unspecified number of users after a third-party breach. In an X post on Thursday, Polymarket said that a compromise at a third-party vendor allowed hackers to inject malicious code into its website “for some users.” The company said it has “contained” the incident and is ...

  • Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs

    June 25, 2026

    A new self-destructing backdoor called Mistic used in intrusions since April appears to be linked to a criminal gang that compromises corporate networks and then sells that access to ransomware groups, according to security researchers. This backdoor, also tracked as MLTBackdoor, was first documented by Zscaler earlier this month, with the security shop suggesting the novel malware is ...

  • Update Chrome to patch critical browser security flaws

    June 25, 2026

    Google released a security update for Chrome that fixes 18 vulnerabilities, including four rated Critical. There is no indication that any of these newly patched bugs are being actively exploited in the wild. The stable channel has been updated to 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux. The update will roll out over the coming days ...

  • Almost half of ransomware victims have data stolen before they can even detect an intrusion

    June 25, 2026

    Criminals are getting better at hiding within their victims’ infrastructure, lurking and stealing files without triggering any alarms whatsoever. Earlier today, network detection and response experts ExtraHop released the “Global Threat Landscape Report”, based on a survey of more than 1,800 IT and security leaders worldwide. In it, it is said that roughly half (49%) of ...

  • Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks

    June 24, 2026

    Europol together with partners from across the globe today announces a landmark blow to cybercriminal networks as part of Operation Endgame, a sweeping international operation targeting the criminal infrastructure behind ransomware and malware like SocGholish, Amadey, and StealC. In coordinated actions over the past two weeks, key components of these malicious toolkits were dismantled as ...