logo

Fake IT support calls on Microsoft Teams push EtherRAT malware

ID: 36e72f87-ec68-5166-a103-3556e747788b

STIX ID: report--36e72f87-ec68-5166-a103-3556e747788b

Feed Name: Bleeping Computer

Threat Score
75/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: Lawrence Abrams

...
...

Threat actors are conducting a targeted campaign that begins with phishing emails containing a malicious PDF and follows up with Microsoft Teams voice calls impersonating IT staff to convince employees to grant remote control and install HopToDesk/AnyDesk. Attackers then deploy a malicious MSI (e.g., v7.msi hosted on camorreado.click) that installs a Node.js runtime and loads EtherRAT, a cross-platform RAT that supports command execution, data theft, persistence, lateral movement, and retrieves active C2 via Ethereum smart contracts; Unit 42 observed multiple installer versions (v1–v9), indicating active development.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.