Fake IT support calls on Microsoft Teams push EtherRAT malware
ID: 36e72f87-ec68-5166-a103-3556e747788b
STIX ID: report--36e72f87-ec68-5166-a103-3556e747788b
Feed Name: Bleeping Computer
Threat actors are conducting a targeted campaign that begins with phishing emails containing a malicious PDF and follows up with Microsoft Teams voice calls impersonating IT staff to convince employees to grant remote control and install HopToDesk/AnyDesk. Attackers then deploy a malicious MSI (e.g., v7.msi hosted on camorreado.click) that installs a Node.js runtime and loads EtherRAT, a cross-platform RAT that supports command execution, data theft, persistence, lateral movement, and retrieves active C2 via Ethereum smart contracts; Unit 42 observed multiple installer versions (v1–v9), indicating active development.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
