Saturday, April 26, 2025

Hackers Use Microsoft Teams Chats to Deliver Malware to Windows PCs


A sophisticated cyberattack campaign has emerged, leveraging Microsoft Teams chats to infiltrate Windows PCs with malware, according to a recent report by cybersecurity firm ReliaQuest.

The attack, which began surfacing in March 2025 and primarily targets the finance and professional services sectors, signals a dramatic evolution in tactics used by threat actors linked to the notorious “Storm-1811” group, known for deploying the Black Basta ransomware.

A New Twist on Familiar Phishing

Attackers initiate the breach by impersonating internal IT support staff via Microsoft Teams, using fraudulent Microsoft 365 accounts such as “Technical Support.”


These chats are precisely timed—often during late afternoons when employees’ vigilance is lower—and are aimed at high-level targets like directors and vice presidents.

XSS users responding to TypeLib hijacking research

Strikingly, the campaign also appears to selectively target employees with female-sounding names, possibly exploiting perceived susceptibility to social engineering tricks.

Victims are coaxed into launching a remote support session using Windows’ built-in Quick Assist tool. Once inside, attackers deploy an advanced persistence mechanism to ensure ongoing access to the compromised system.

Novel TypeLib Hijacking: A First in the Wild

The most alarming aspect of the attack is the use of a previously unseen persistence technique: TypeLib Component Object Model (COM) hijacking.

Explorer.exe referencing the Internet Explorer COM object

The attackers modify Windows registry entries tied to Internet Explorer components so that every time a related process runs—such as “Explorer.exe” on system startup—a remote script is executed.

This script, hosted on Google Drive, delivers the final malware payload without arousing antivirus alarms.

Backdoor result on VirusTotal, showing low malicious scoring

“This is the first time we’ve observed TypeLib hijacking exploited at scale in the wild,” noted ReliaQuest researchers. “It’s a stealthy, persistent method that leverages legitimate Windows functionality, making it incredibly hard to detect and remove.”

A Stealthy and Adaptable Backdoor

Once delivered, the malware deploys a heavily obfuscated PowerShell backdoor. Encapsulated within JScript, it writes and executes evasive PowerShell code, bypassing common security controls.

Early versions of the malware seen in VirusTotal.

Notably, it sends a unique identifier to the attackers via a Telegram bot, signaling successful infection and opening a persistent channel for command and control.

Researchers traced the malware’s iterations back to January 2025, finding early versions disseminated through malicious Bing advertisements, with development logs and testing traffic routed via Latvia—though evidence suggests the operators are likely based in Russian-speaking countries.

Experts warn organizations to restrict external communication on Microsoft Teams, harden Windows registry controls, and monitor for suspicious registry modifications and PowerShell activity.
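The persistence described above works because Windows resolves a COM object’s type library through registry keys under `TypeLib\{GUID}\<version>\<LCID>\win32` or `win64`, whose default value is normally the path to a local .tlb or a DLL holding the library; per-user keys under HKCU take precedence over the machine-wide copies. The audit below is an added example written for this article, not ReliaQuest’s tooling or a published detection, and it implements the "monitor for suspicious registry modifications" advice in a concrete way: it walks both hives and flags any win32/win64 value that points at a script moniker or URL rather than a file, whose target file does not exist, or that is a per-user entry shadowing a machine-wide TypeLib. The regular expression of suspicious prefixes and extensions is an assumption about what a legitimate entry never contains; the function name `Find-SuspiciousTypeLib` is invented here.

```powershell
function Find-SuspiciousTypeLib {
    [CmdletBinding()]
    param()

    $userRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\TypeLib'
    $machineRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\TypeLib'

    # Assumption: a genuine win32/win64 value is a local .tlb/.dll/.exe/.olb path,
    # never a moniker, a URL, or a script file (optionally followed by "\<resource id>").
    $badPattern = '^(script|https?|ftp):|\.(sct|js|jse|vbs|vbe|hta|ps1)(\\\d+)?$'

    # GUIDs registered machine-wide; a per-user copy of one of these shadows it.
    $machineGuids = @{}
    if (Test-Path $machineRoot) {
        Get-ChildItem -LiteralPath $machineRoot -ErrorAction SilentlyContinue |
            ForEach-Object { $machineGuids[$_.PSChildName.ToLowerInvariant()] = $true }
    }

    foreach ($root in @($userRoot, $machineRoot)) {
        if (-not (Test-Path $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -in @('win32', 'win64') } |
            ForEach-Object {
                $key   = $_
                $value = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).'(default)'
                if ([string]::IsNullOrWhiteSpace($value)) { return }

                $expanded = [Environment]::ExpandEnvironmentVariables($value)
                # Type libraries embedded in a DLL are referenced as "<dll path>\<resource id>".
                $filePath = $expanded -replace '\\\d+$', ''

                $reasons = @()
                if ($expanded -match $badPattern) {
                    $reasons += 'value points at a script moniker, URL or script file'
                }
                elseif (-not (Test-Path -LiteralPath $filePath)) {
                    $reasons += 'target file does not exist'
                }

                # Key path looks like ...\TypeLib\{GUID}\1.0\0\win32; pull out the GUID.
                $guid = (($key.PSPath -split '\\TypeLib\\')[1] -split '\\')[0].ToLowerInvariant()
                if ($root -eq $userRoot -and $machineGuids.ContainsKey($guid)) {
                    $reasons += 'per-user entry shadows a machine-wide TypeLib'
                }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Key     = $key.Name
                        Value   = $value
                        Reasons = ($reasons -join '; ')
                    }
                }
            }
    }
}

# Usage: run in an elevated PowerShell session on the host being checked.
Find-SuspiciousTypeLib | Format-Table -AutoSize -Wrap
```

Expect some "target file does not exist" hits on any long-lived workstation, since uninstalled software often leaves stale TypeLib keys behind; the findings worth triaging first are the script-or-URL values and the per-user entries shadowing a machine-wide GUID, because a normal user installation has no reason to re-register a type library that ships with Windows. Pairing this one-off audit with continuous registry telemetry (for example Sysmon Event ID 13 on `*\TypeLib\*\win32` and `win64` value writes) turns the same logic into an alert rather than a periodic check.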

“This campaign underlines the importance of vigilance even in trusted environments like Teams,” ReliaQuest advised.

As threat groups continuously refine their tactics, enterprises must stay one step ahead to protect critical assets from innovative cyber threats hiding in plain sight.


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
