TheVortiq
Inteligencia Artificial

Teams Scams: Attackers Use Fake Support to Install EtherRAT Malware

Cybercriminals pose as IT technicians on Microsoft Teams to trick employees into deploying a remote access trojan that communicates via Ethereum smart contracts.

July 10, 2026 · 4 min read

A man in a black hoodie contemplating while using a smartphone, surrounded by digital screens.

TL;DR: Attackers use Microsoft Teams to pose as tech support and trick employees into installing EtherRAT, a cross-platform RAT that uses Ethereum smart contracts to hide its C2 server.

What happened?

A sophisticated cyberattack campaign is using Microsoft Teams as its primary vector to distribute the EtherRAT malware, according to a report published by Palo Alto Networks Unit 42 on July 7, 2026. Attackers combine email phishing with social engineering calls on Teams to trick employees from various organizations. The modus operandi begins with an email that mimics a legitimate workplace survey. Shortly after, the victim receives a Microsoft Teams call from an external account, identified with the 'External unfamiliar' label, indicating the contact comes from outside the organization and has no established trust relationship. The attacker poses as IT support staff and, during the call, convinces the employee to install legitimate remote control tools like HopToDesk or AnyDesk, supposedly to resolve a technical issue. Once the attacker has remote control, they download an MSI package that installs the EtherRAT trojan. According to Brian Janower, a Unit 42 researcher, Microsoft Teams audit logs confirm that the attacker initiated a cross-tenant chat from an account they controlled. This technique is not new, but its effectiveness lies in the trust employees place in corporate tools and the perceived authority of IT staff.

Why is it important?

EtherRAT is no ordinary malware; it is a remote access trojan (RAT) written in Node.js that operates on Windows, Linux, and macOS, giving it a broad reach. Its most innovative feature is the evasion of command-and-control (C2) communications. Instead of using a fixed IP address or domain, EtherRAT queries a smart contract on the Ethereum blockchain to obtain the active C2 server address. As a backup, it uses a conventional domain. This technique, known as 'blockchain-based C2,' makes blocking and detection by traditional security systems difficult, as the C2 address changes dynamically. The malware has previously been linked to the exploitation of the React2Shell vulnerability (CVE-2022-47966) and has appeared in campaigns by multiple threat groups, suggesting it is a shared or sold tool on the black market. Unit 42 also discovered an open directory containing versions 1 through 9 of EtherRAT, with samples updated as recently as June 26, 2026, indicating active development and constant evolution of the malware. This campaign is the latest in a growing trend of abusing enterprise collaboration platforms. Last month, researchers found that the DragonForce group masked C2 traffic as legitimate Teams communications after compromising a network. In this case, Teams is used in an early stage of the intrusion, leveraging social engineering to bypass perimeter defenses.

Consequences and lessons

This campaign demonstrates how attackers are exploiting the inherent trust in enterprise collaboration tools. By impersonating IT staff, they get employees themselves to open the door to the attack, bypassing firewalls and intrusion detection systems. The consequences for companies can be severe: data theft, ransomware installation, persistent network access, and reputational damage. To mitigate these risks, organizations should implement strict policies on the use of external accounts in Teams, restricting incoming communications from untrusted sources. Additionally, it is crucial to train employees to identify tech support scams and verify the identity of callers through alternative channels, such as a known phone number or a support ticket. A useful forensic artifact, according to Unit 42, is that Teams creates files with the prefix 'CtrlVirtualCursorWin_*' during remote control sessions, which can serve as an indicator of compromise (IOC) for security teams. Monitoring remote control sessions and using security solutions that detect anomalous behaviors, such as the installation of unauthorized remote access tools, are additional recommended measures.

What should readers know?

  • Never grant remote control to someone who calls without prior notice or without verifying their identity through another channel, such as an internal email or a call to a known number.
  • Be wary of email surveys followed by unsolicited Teams calls. This combination is a red flag.
  • External accounts in Teams show the 'External unfamiliar' label: this is a warning sign that the contact is not trusted.
  • EtherRAT is cross-platform and uses blockchain to evade C2 detection, making it especially dangerous.
  • Keep software updated and use security solutions that detect anomalous behaviors, such as execution of unauthorized Node.js scripts or connections to smart contracts.

In summary, this campaign underscores the need for a security strategy that combines technology, policies, and continuous training. Attackers are constantly evolving, and companies must do the same to protect themselves.

Keep reading