TRENDING TOPICS SEPT 29, 2025

Hackers Exploit Weaponized Microsoft Teams Installer to Deploy Oyster Malware 

Researchers have found that a malvertising campaign is distributing a weaponized Microsoft Teams installer to deliver the Oyster backdoor, also known as Broomstick or CleanUpLoader. The campaign begins with SEO poisoning of Bing search results, which redirects users through domains crafted to look like legitimate Microsoft infrastructure and fronted by Cloudflare so that the traffic inherits Cloudflare's trusted reputation. The malicious MSTeamsSetup[.]exe was digitally signed with a valid but short-lived certificate issued to KUTTANADAN CREATIONS INC., reflecting an emerging trend of abusing legitimate code-signing services: the signature passes trust-based checks at execution time, and the certificate's short validity window leaves little time for it to be revoked before the payload has done its work. Forensic analysis showed that the full chain, from search result to infection, can complete in under 15 seconds, leaving no realistic opportunity for the user to notice anything wrong. Once executed, the malware attempted to reach a command-and-control server while using Windows utilities such as cleanmgr[.]exe to make its activity resemble legitimate system processes. Oyster can establish persistent backdoor access, exfiltrate sensitive data, deploy additional payloads, and act as a precursor to ransomware operations. In the observed incidents, Microsoft Defender's Attack Surface Reduction (ASR) rules blocked the outbound connections and prevented compromise, demonstrating the value of properly configured endpoint protection.

This case illustrates the broader trend of malvertising campaigns combining SEO poisoning, Cloudflare-fronted infrastructure, and short-lived code-signing certificates to evade signature-based defenses. Mitigation requires organizations to enforce ASR policies, implement certificate anomaly detection to flag executables signed with certificates valid for seven days or less, monitor for rapid redirects to newly registered domains, and detect abnormal process execution indicative of living-off-the-land techniques. Security teams should also educate users on the risks of malvertising and adopt defense-in-depth strategies, since attackers continue to refine methods that can compromise a target in under 15 seconds, from search to infection.
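The certificate anomaly check recommended above, as an added example written for this page rather than code from the original report or from any vendor: it flags executables whose signer certificate was valid for seven days or less, and separately flags Microsoft-branded file names signed by anyone other than Microsoft. The record layout, the sample files and their certificate dates are constructed for the example; in production the records would be filled from EDR signer telemetry or from a script that reads the Authenticode signer certificate (PowerShell's Get-AuthenticodeSignature exposes SignerCertificate.NotBefore and NotAfter).

```python
"""Added example (not from the page or any vendor): flag executables whose
Authenticode signer certificate was valid for seven days or less, plus a
lookalike-name check for Microsoft-branded files signed by someone else.

The field names, sample records and certificate dates are constructed for
this example.
"""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Product names a lookalike installer is likely to borrow (assumption for this example).
MICROSOFT_PRODUCT_HINTS = ("teams", "office", "onedrive", "outlook", "edge")
MICROSOFT_SIGNER = "microsoft corporation"


@dataclass(frozen=True)
class SignerRecord:
    path: str             # executable on disk
    subject_cn: str       # CN of the leaf code-signing certificate
    not_before: datetime  # certificate validity start
    not_after: datetime   # certificate validity end


def validity_days(rec: SignerRecord) -> float:
    """Length of the certificate's validity window in days."""
    return (rec.not_after - rec.not_before) / timedelta(days=1)


def mimics_microsoft_product(path: str) -> bool:
    """True if the file name borrows a Microsoft product name."""
    name = ntpath.basename(path).lower()
    return any(hint in name for hint in MICROSOFT_PRODUCT_HINTS)


def assess(rec: SignerRecord, max_days: int = 7) -> list[str]:
    """Return the reasons a signed file looks anomalous (empty list = clean)."""
    reasons = []
    days = validity_days(rec)
    if days <= max_days:
        reasons.append(f"certificate valid for only {days:.0f} days")
    if mimics_microsoft_product(rec.path) and rec.subject_cn.lower() != MICROSOFT_SIGNER:
        reasons.append(f"Microsoft-branded file name signed by {rec.subject_cn!r}")
    return reasons


def flag_anomalous_signers(records, max_days: int = 7) -> dict[str, list[str]]:
    """Map each anomalous path to its reasons; clean files are omitted."""
    flagged = {}
    for rec in records:
        reasons = assess(rec, max_days)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed sample records. The signer name on the first record is the one
# the page reports; its validity dates are invented for the example.
SAMPLE_RECORDS = [
    SignerRecord(r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
                 "KUTTANADAN CREATIONS INC.",
                 datetime(2025, 9, 20), datetime(2025, 9, 24)),
    SignerRecord(r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
                 "Microsoft Corporation",
                 datetime(2024, 10, 1), datetime(2025, 10, 1)),
    SignerRecord(r"C:\Users\alice\Downloads\OneDriveSetup.exe",
                 "Acme Tools Ltd",
                 datetime(2025, 1, 1), datetime(2026, 1, 1)),
    SignerRecord(r"C:\Users\alice\Downloads\notepad-plus.exe",
                 "Acme Tools Ltd",
                 datetime(2025, 1, 1), datetime(2026, 1, 1)),
]

if __name__ == "__main__":
    for path, reasons in flag_anomalous_signers(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The seven-day threshold is the one the page recommends; some legitimate signers do use short-lived certificates, so the rule is best treated as a triage signal to combine with the file's origin (a download directory) and its process behaviour rather than as a block-on-sight control.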

New ModStealer Evades Antivirus, Targets macOS Users to Steal Sensitive Data

Researchers have identified ModStealer, a newly emerging cross-platform information stealer that targets macOS, Windows, and Linux systems while evading traditional antivirus detection. The malware specifically targets developers and cryptocurrency users, two high-value groups with access to sensitive intellectual property and financial assets. ModStealer spreads through social engineering schemes, such as fake recruitment campaigns in which attackers impersonate legitimate companies to deliver the malicious payload. Its capabilities include harvesting data from more than 50 browser extensions, with cryptocurrency wallet extensions a primary focus, stealing cookies and saved credentials, monitoring the clipboard for private keys or seed phrases, and capturing periodic screenshots of user activity. On macOS it maintains persistence by registering itself as a LaunchAgent through Apple's launchctl, so that it is started at every login, and it conceals its payload files under benign-looking names. Browser-based cryptocurrency wallets and development environments are particularly lucrative targets, which is what makes ModStealer's reach significant. Its evasion of signature-based scanners indicates heavy obfuscation of the payload, and it raises questions about how far Apple's built-in protections, which depend partly on known-malware signatures, can be relied on against new families.

Mitigation requires developers to validate recruiter legitimacy through official channels, isolate untrusted code testing within disposable VMs, and maintain separate secure systems for sensitive work. Cryptocurrency users are advised to transition to hardware wallets, enforce multi-factor authentication, and validate transaction addresses on the device screen. All users should regularly audit browser extensions, keep defenses up to date, and adopt proactive network segmentation to limit the impact of a compromise.
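The LaunchAgent persistence described above can be audited without any vendor tooling. The following is an added example written for this page, not ModStealer's own files or the researchers' code: it parses LaunchAgent property lists with the standard plistlib module and reports agents that use an Apple-style label for a non-Apple binary, run from a hidden or scratch directory, or feed an interpreter a file whose extension disguises it as data. The two sample plists, the directory prefixes and the interpreter-to-extension table are all this example's assumptions.

```python
"""Added example (not from the page or from the ModStealer report): audit
macOS LaunchAgent plists for the persistence pattern this item describes, a
per-user agent registered under a benign name whose program is really a
payload in a user-writable location.

The sample plists and the prefix/extension lists are constructed for the
example; nothing here is a vendor signature.
"""
import plistlib
from pathlib import Path, PurePosixPath

# Where Apple's own launch agents and their binaries live (assumption for this example).
APPLE_OWNED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")
# Scratch locations a legitimate per-user agent rarely runs from (assumption).
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/var/folders/", "/private/var/folders/")
# Interpreter -> file extensions a script for it would normally carry.
SCRIPT_EXTENSIONS = {
    "node": {".js", ".mjs", ".cjs"},
    "python": {".py"}, "python3": {".py"},
    "osascript": {".scpt", ".applescript", ".js"},
    "bash": {".sh"}, "sh": {".sh"}, "zsh": {".sh", ".zsh"},
}


def audit_launch_agent(plist_bytes: bytes, user_home: str = "/Users/alice") -> list[str]:
    """Return the reasons an agent plist looks suspicious (empty list = clean)."""
    agent = plistlib.loads(plist_bytes)
    label = str(agent.get("Label", ""))
    args = list(agent.get("ProgramArguments") or [])
    if not args and "Program" in agent:
        args = [agent["Program"]]
    if not args:
        return ["no Program or ProgramArguments"]
    program = args[0].replace("~", user_home, 1)
    exe = PurePosixPath(program).name
    # First non-option argument: the script an interpreter is asked to run, if any.
    script = next((a for a in args[1:] if not a.startswith("-")), None)
    reasons = []

    # 1. Apple-style label, but the binary is not in an Apple-owned location.
    if label.startswith("com.apple.") and not program.startswith(APPLE_OWNED_PREFIXES):
        reasons.append(f"Apple-style label {label!r} runs non-Apple program {program}")

    # 2. Program or script lives in a hidden directory or a scratch location.
    for candidate in filter(None, (program, script)):
        dirs = PurePosixPath(candidate).parts[1:-1]   # directory components only
        if candidate.startswith(SCRATCH_PREFIXES) or any(d.startswith(".") for d in dirs):
            reasons.append(f"{candidate} lives in a hidden or scratch directory")

    # 3. Interpreter fed a file whose extension hides that it is a script.
    if exe in SCRIPT_EXTENSIONS and script and PurePosixPath(script).suffix not in SCRIPT_EXTENSIONS[exe]:
        reasons.append(f"{exe} executing {script!r}, which does not look like a {exe} script")

    # 4. Reported only alongside other findings: started at login and relaunched if killed.
    if reasons and agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: relaunched at login and after termination")
    return reasons


def audit_directory(directory: str = "~/Library/LaunchAgents") -> dict[str, list[str]]:
    """Audit every plist in a LaunchAgents directory; returns only the suspicious ones."""
    findings = {}
    for plist_path in Path(directory).expanduser().glob("*.plist"):
        reasons = audit_launch_agent(plist_path.read_bytes(), str(Path.home()))
        if reasons:
            findings[str(plist_path)] = reasons
    return findings


# Constructed sample plists (not ModStealer's real files).
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/usr/local/bin/node", "/Users/alice/.config/.sysupdater/update.dat"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.vendorapp.updater",
    "ProgramArguments": ["/Applications/VendorApp.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, audit_launch_agent(blob) or "clean")
```

Run audit_directory() on a user's ~/Library/LaunchAgents (and, with elevated rights, /Library/LaunchAgents and /Library/LaunchDaemons) to apply the same rules to a live system. The label check rests on the fact that Apple ships its own agents under /System/Library, never in the per-user LaunchAgents folder, so a com.apple.* label there that points outside Apple-owned paths deserves a look regardless of what the file is called.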

Update: Akira Ransomware Campaign Breaches MFA-Protected SonicWall VPNs

Researchers at Arctic Wolf have found that Akira ransomware affiliates are continuing to exploit SonicWall SSL VPN devices, gaining access even when one-time password (OTP) multi-factor authentication is enabled. The campaign, active since late July 2025, relies on credentials and OTP seeds that were likely stolen earlier through an improper access control flaw in the firewall firmware; with the OTP seed in hand, the attackers can generate valid codes themselves, so the second factor adds no protection. Once authenticated, attackers escalate quickly, typically beginning internal scanning within five minutes of login, using Impacket SMB session setup requests, SoftPerfect Network Scanner, and Advanced IP Scanner to map targets. They move laterally with RDP, PsExec, and BloodHound while enumerating Active Directory via dsquery, SharpShares, and ldapdomaindump. Veeam Backup & Replication servers are a frequent focus: custom PowerShell scripts extract the MSSQL and PostgreSQL credentials stored there, including DPAPI secrets, to compromise stored backups and the domain accounts whose credentials Veeam holds. The attackers also establish persistence by creating fake administrator accounts (e.g., sqlbackup, veean) and installing remote management tools such as AnyDesk, RustDesk, and Cloudflared tunnels for ongoing access. For defense evasion, Akira affiliates use Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks, abusing Microsoft's signed consent[.]exe to sideload malicious DLLs that in turn load vulnerable drivers used to disable endpoint security processes. Data is staged and exfiltrated with WinRAR, FileZilla, or rclone, with archives split into 3GB chunks before being transferred to attacker-controlled VPS infrastructure, and ransomware deployment follows rapidly, often encrypting systems within hours. Affiliates employ double extortion, encrypting data and holding the exfiltrated files for additional leverage.

Mitigation requires organizations to reset all SSL VPN and Active Directory credentials tied to previously vulnerable SonicWall firmware, including re-enrolling OTP seeds, since a rotated password does nothing while the attacker still holds a valid seed. Organizations should also monitor VPN logins from hosting-provider ASNs, treat Impacket SMB session setup activity as an early kill-chain indicator, and implement EDR rules that block unsigned or known-vulnerable drivers, alongside strict controls over RMM and tunneling tools.
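Two of the monitoring recommendations above, logins from hosting-provider ASNs and the scan that begins within five minutes of login, can be expressed as simple correlations over VPN and firewall logs. The following is an added example written for this page, not Arctic Wolf's or SonicWall's code: it parses constructed log lines, looks up each login's source address in a small prefix-to-ASN table, and flags any freshly assigned VPN client that contacts many distinct internal hosts shortly after authenticating. The log format, the ASN table and every address are invented for the example; real SonicWall syslog and flow records need their own parsers, and the ASN table would be populated from a routing or WHOIS feed.

```python
"""Added example (not from the page or from Arctic Wolf): two detections this
item recommends, run over constructed log lines.

  1. SSL VPN logins whose source address belongs to a hosting-provider ASN.
  2. A newly assigned VPN client that touches many internal hosts within five
     minutes of login, the fan-out that precedes lateral movement.

The log format, prefix-to-ASN table and all addresses are invented here.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed prefix -> (ASN, kind) table standing in for a real IP-to-ASN feed.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, "hosting"),
    ipaddress.ip_network("198.51.100.0/24"): (64501, "residential"),
}

LOGIN_RE = re.compile(r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) assigned=(?P<assigned>\S+)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse(lines):
    """Turn raw log lines into event dicts; lines in neither format are skipped."""
    events = []
    for line in lines:
        match = LOGIN_RE.match(line) or FLOW_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["kind"] = "login" if "user" in event else "flow"
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def asn_of(ip):
    """(ASN, kind) for an address, or (None, 'unknown') if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, info in ASN_TABLE.items():
        if addr in net:
            return info
    return (None, "unknown")


def hosting_logins(events):
    """(user, source ip, ASN) for every VPN login that came from a hosting provider."""
    return [(e["user"], e["src"], asn_of(e["src"])[0])
            for e in events
            if e["kind"] == "login" and asn_of(e["src"])[1] == "hosting"]


def rapid_internal_scans(events, window=timedelta(minutes=5), min_hosts=10):
    """(user, assigned ip, distinct hosts, seconds from login to first flow) for
    each login whose assigned client address fans out to min_hosts or more
    internal hosts inside the window."""
    hits = []
    for login in (e for e in events if e["kind"] == "login"):
        flows = sorted(
            (e for e in events
             if e["kind"] == "flow" and e["src"] == login["assigned"]
             and login["ts"] <= e["ts"] <= login["ts"] + window),
            key=lambda e: e["ts"])
        hosts = {f["dst"] for f in flows}
        if len(hosts) >= min_hosts:
            first = int((flows[0]["ts"] - login["ts"]).total_seconds())
            hits.append((login["user"], login["assigned"], len(hosts), first))
    return hits


# Constructed log: one login from a hosting range followed by a 12-host sweep
# on port 445 two minutes later, and one ordinary login with two connections.
SAMPLE_LOG = [
    "2025-09-29T08:00:00Z vpn login user=jsmith src=203.0.113.45 assigned=10.10.5.21",
    "2025-09-29T08:05:00Z vpn login user=mlee src=198.51.100.7 assigned=10.10.5.22",
    "2025-09-29T08:06:10Z flow src=10.10.5.22 dst=10.0.1.50 dport=443",
    "2025-09-29T08:07:30Z flow src=10.10.5.22 dst=10.0.2.9 dport=3389",
] + [f"2025-09-29T08:02:{i:02d}Z flow src=10.10.5.21 dst=10.0.1.{i + 1} dport=445"
     for i in range(12)]

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("hosting logins:", hosting_logins(events))
    print("rapid scans:   ", rapid_internal_scans(events))
```

The fan-out rule deliberately counts distinct destination hosts rather than packets, because a legitimate user's first minutes on the VPN touch a handful of servers while a scanner touches dozens; tune min_hosts to the environment, and pair the hosting-ASN rule with a conditional access or geofencing policy so that the login is challenged rather than merely logged.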

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.