A sophisticated cyberattack campaign has emerged, leveraging Microsoft Teams chats to infiltrate Windows PCs with malware, according to a recent report by cybersecurity firm ReliaQuest.
The attack, which began surfacing in March 2025 and primarily targets the finance and professional services sectors, signals a dramatic evolution in tactics used by threat actors linked to the notorious “Storm-1811” group, known for deploying the Black Basta ransomware.
A New Twist on Familiar Phishing
Attackers initiate the breach by impersonating internal IT support staff via Microsoft Teams, using fraudulent Microsoft 365 accounts such as “Technical Support.”
These chats are precisely timed—often during late afternoons when employees’ vigilance is lower—and are aimed at high-level targets like directors and vice presidents.

Strikingly, the campaign also appears to selectively target employees with female-sounding names, possibly exploiting perceived susceptibility to social engineering tricks.
Victims are coaxed into launching a remote support session using Windows’ built-in Quick Assist tool. Once inside, attackers deploy an advanced persistence mechanism to ensure ongoing access to the compromised system.
Novel TypeLib Hijacking: A First in the Wild
The most alarming aspect of the attack is the use of a previously unseen persistence technique: TypeLib Component Object Model (COM) hijacking.

The attackers modify Windows registry entries tied to Internet Explorer components so that every time a related process runs—such as “Explorer.exe” on system startup—a remote script is executed.
This script, hosted on Google Drive, delivers the final malware payload without arousing antivirus alarms.

“This is the first time we’ve observed TypeLib hijacking exploited at scale in the wild,” noted ReliaQuest researchers. “It’s a stealthy, persistent method that leverages legitimate Windows functionality, making it incredibly hard to detect and remove.”
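The persistence described above lives in TypeLib registrations, so one practical check is to enumerate them and flag any whose win32/win64 value is not a plain local file. The script below is an added defensive example, not code from the ReliaQuest report; the heuristic it applies (URL, "script:" moniker, UNC path, odd extension, or missing file) is an assumption of ours, and findings should be reviewed rather than treated as confirmed compromise.

```powershell
# Added defensive example (not from the ReliaQuest report): scan TypeLib
# registrations for win32/win64 values that do not point at a local file.
# The heuristic below is our assumption, not an indicator list from the report.
function Test-TypeLibPath {
    param([string]$Path)
    # Registrations may carry a "\1"-style resource suffix and quotes; strip them.
    $file = ($Path -replace '\\\d+$', '').Trim('"')
    $file = [Environment]::ExpandEnvironmentVariables($file)
    if ($Path -match '^\s*script:')          { return 'script moniker (remote scriptlet)' }
    if ($Path -match '^\s*(https?|ftp)://')  { return 'URL instead of local file' }
    if ($file -match '^\\\\')                { return 'UNC path' }
    if ($file -notmatch '\.(tlb|olb|dll|ocx|exe)$') { return 'unexpected extension' }
    if (-not (Test-Path -LiteralPath $file)) { return 'referenced file missing' }
    return $null
}

function Get-SuspiciousTypeLibEntries {
    # HKCU\Software\Classes is merged into HKCR and takes precedence over HKLM,
    # so a per-user hijack needs no admin rights; check both hives.
    $roots = 'HKLM:\SOFTWARE\Classes\TypeLib', 'HKCU:\SOFTWARE\Classes\TypeLib'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Layout: TypeLib\{GUID}\<version>\<LCID>\win32|win64, (Default) = path
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
          Where-Object { $_.PSChildName -in @('win32', 'win64') } |
          ForEach-Object {
            $value = $_.GetValue('')   # (Default) value of the key
            if ([string]::IsNullOrWhiteSpace($value)) { return }
            $reason = Test-TypeLibPath -Path $value
            if ($reason) {
                [pscustomobject]@{ Key = $_.Name; Value = $value; Reason = $reason }
            }
          }
    }
}

# Run from an elevated PowerShell so HKLM is read completely.
Get-SuspiciousTypeLibEntries | Format-Table -AutoSize -Wrap
```

Baseline a clean machine first: some legitimate registrations reference files that are absent after an uninstall, so "referenced file missing" alone is noise, while a script moniker or URL in a TypeLib path warrants immediate investigation.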
A Stealthy and Adaptable Backdoor
Once delivered, the malware deploys a heavily obfuscated PowerShell backdoor. Encapsulated within JScript, it writes and executes evasive PowerShell code, bypassing common security controls.

Notably, it sends a unique identifier to the attackers via a Telegram bot, signaling successful infection and opening a persistent channel for command and control.
Researchers traced the malware’s iterations back to January 2025, finding early versions disseminated through malicious Bing advertisements, with development logs and testing traffic routed via Latvia—though evidence suggests the operators are likely based in Russian-speaking countries.
Experts warn organizations to restrict external communication on Microsoft Teams, harden Windows registry controls, and monitor for suspicious registry modifications and PowerShell activity.
“This campaign underlines the importance of vigilance even in trusted environments like Teams,” ReliaQuest advised.
As threat groups continuously refine their tactics, enterprises must stay one step ahead to protect critical assets from innovative cyber threats hiding in plain sight.