Red Hot Cyber


Fake Microsoft Teams installer! One-time certificates and a backdoor in the download

Antonio Piazzolla : 29 September 2025 07:25

In recent days, a malvertising campaign targeting business users trying to download Microsoft Teams has been discovered. At first glance, the attack seems trivial: a sponsored ad leads to a download page, and the user downloads a file called MSTeamsSetup.exe and runs it. But the details make all the difference, and it’s precisely these details that make the operation so insidious.

The file isn’t a regular malicious executable; it’s digitally signed. For many, this signifies trustworthiness. In fact, attackers have found a way to exploit trust in digital signatures to their advantage: they use “disposable” certificates, valid for only a few hours or days, just long enough to distribute the malware and infect systems before the signature is invalidated or flagged as suspicious. This fast, automated approach reduces the chance that reputation-based security controls will have time to react.

The chain of compromise, step by step

The entire attack, as analyzed by Conscia researchers, can be seen as a compromise chain composed of distinct but closely linked phases.

  1. From ad to download
    It all starts with a sponsored ad or a tampered link in search engine results. The user clicks and is taken through a sequence of redirects (e.g., team.frywow[.]com → teams-install[.]icu), until they reach the page offering the fake installer. At this stage, suspicious signs are already present: anomalous URLs, domains with rare TLDs like .icu, multiple redirects.
  2. The illusion of the signed file
    The user downloads MSTeamsSetup.exe to the Downloads folder and runs it. At first glance, the file appears legitimate because it’s digitally signed. But upon closer inspection, the certificate was issued by an unknown entity and has a ridiculously short validity period, often less than 72 hours. This is the first real warning sign.
  3. The loader that leads the way
    Once launched, the installer doesn’t do what it promises. Instead, it runs a loader that downloads and places additional components, often in folders like %APPDATA%\Microsoft\Teams or %TEMP%. To ensure that the malicious code is reactivated even upon reboot, registry keys (HKCU\…\Run) or scheduled tasks with reassuring names like TeamsUpdate are created. These are small details, but when observed in a corporate environment, they can make the difference between a false alarm and a real compromise.
  4. Evasion and communication with C2
    To evade detection, the malware exploits tools already present in Windows: PowerShell with encoded commands, rundll32, and regsvr32. These tools, used in suspicious contexts, allow code to be executed without attracting too much attention. Immediately afterward, the loader attempts to contact the command and control server—for example, nickbush24[.]com—using HTTPS requests that mimic real browser traffic. This traffic to new or obscure domains is another important indicator.

Signs you shouldn’t ignore

Each phase leaves observable traces that can be detected if you know what to look for:

  • A certificate valid for less than 72 hours, issued by an unknown entity.
  • Registry keys or scheduled tasks with names related to “update” or “Teams”.
  • PowerShell commands with -EncodedCommand or misuse of rundll32/regsvr32.
  • Outbound connections to domains with rare or recently registered TLDs.

It’s not a single signal that makes the difference, but the combination: if at least two or three of these elements occur together, it is very likely that you are dealing with this specific malicious chain.
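The correlation rule in the previous paragraph (escalate only when two or more of the four indicators coincide on the same host) can be turned into a small hunting script. The example below is added here and is not code from the article or from Conscia; the telemetry event schema, the rare-TLD list, the known-signer list, the 30-day domain-age threshold and all sample events are constructed assumptions for the demonstration. The second host shows why a single match (a legitimately named Teams updater task) does not trigger an escalation on its own.

```python
# Added example: correlate the four indicators from the article across
# constructed endpoint telemetry. Schema, lists and thresholds are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

RARE_TLDS = {"icu", "xyz", "top", "cfd", "sbs"}        # assumed analyst-maintained list
KNOWN_SIGNERS = {"Microsoft Corporation"}               # assumed allow-list of signers
MAX_CERT_VALIDITY = timedelta(hours=72)                 # threshold stated in the article
MIN_SIGNALS = 2                                         # "at least two or three together"

ENCODED_PS = re.compile(r"(?i)\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand)\b")
LOLBIN_USER_DIR = re.compile(r"(?i)\b(rundll32|regsvr32)(\.exe)?\b.*(%appdata%|%temp%|\\appdata\\|\\temp\\)")
SUSPICIOUS_NAME = re.compile(r"(?i)teams|update")


@dataclass
class Event:
    host: str
    kind: str        # "signature" | "persistence" | "process" | "network"
    data: dict


def short_lived_unknown_cert(ev: Event) -> bool:
    """Binary signed with a certificate valid for < 72h by a signer not on the allow-list."""
    if ev.kind != "signature":
        return False
    validity = ev.data["not_after"] - ev.data["not_before"]
    return validity < MAX_CERT_VALIDITY and ev.data["signer"] not in KNOWN_SIGNERS


def suspicious_persistence(ev: Event) -> bool:
    """Run key or scheduled task whose name references 'update' or 'Teams'.
    Deliberately broad: on its own this also matches real Teams installs,
    which is why the verdict needs a second independent signal."""
    return ev.kind == "persistence" and bool(SUSPICIOUS_NAME.search(ev.data["name"]))


def lolbin_abuse(ev: Event) -> bool:
    """PowerShell with an encoded command, or rundll32/regsvr32 loading from a user-writable dir."""
    if ev.kind != "process":
        return False
    cmd = ev.data["cmdline"]
    return bool(ENCODED_PS.search(cmd) or LOLBIN_USER_DIR.search(cmd))


def rare_or_new_domain(ev: Event, max_age_days: int = 30) -> bool:
    """Outbound connection to a rare TLD or a recently registered domain (defanged input accepted)."""
    if ev.kind != "network":
        return False
    domain = ev.data["domain"].replace("[.]", ".").lower()
    tld = domain.rsplit(".", 1)[-1]
    age = ev.data.get("domain_age_days")
    return tld in RARE_TLDS or (age is not None and age < max_age_days)


INDICATORS = {
    "short_lived_cert": short_lived_unknown_cert,
    "persistence": suspicious_persistence,
    "lolbin": lolbin_abuse,
    "rare_domain": rare_or_new_domain,
}


def signals_per_host(events: list[Event]) -> dict[str, set[str]]:
    """Map each host to the set of distinct indicator names it triggered."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        for name, check in INDICATORS.items():
            if check(ev):
                hits.setdefault(ev.host, set()).add(name)
    return hits


def hosts_to_escalate(events: list[Event], min_signals: int = MIN_SIGNALS) -> dict[str, list[str]]:
    """Hosts where at least `min_signals` independent indicators coincide."""
    return {h: sorted(s) for h, s in signals_per_host(events).items() if len(s) >= min_signals}


# Constructed sample telemetry (not real captures). WS-01 mirrors the chain in the
# article; WS-02 is a genuine Teams install whose updater task matches the name rule.
T0 = datetime(2025, 9, 25, 9, 0)
SAMPLE_EVENTS = [
    Event("WS-01", "signature", {"file": r"C:\Users\a\Downloads\MSTeamsSetup.exe",
                                 "signer": "Example Soft Ltd",              # constructed signer
                                 "not_before": T0, "not_after": T0 + timedelta(hours=48)}),
    Event("WS-01", "persistence", {"name": "TeamsUpdate",
                                   "target": r"%APPDATA%\Microsoft\Teams\update.exe"}),
    Event("WS-01", "process", {"cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QQBBAEEA"}),
    Event("WS-01", "network", {"domain": "nickbush24[.]com", "domain_age_days": 9}),
    Event("WS-02", "signature", {"file": r"C:\Users\b\Downloads\MSTeamsSetup.exe",
                                 "signer": "Microsoft Corporation",
                                 "not_before": T0 - timedelta(days=200),
                                 "not_after": T0 + timedelta(days=165)}),
    Event("WS-02", "persistence", {"name": "TeamsUpdate",
                                   "target": r"%LOCALAPPDATA%\Microsoft\Teams\Update.exe"}),
    Event("WS-02", "network", {"domain": "teams.microsoft.com", "domain_age_days": 9000}),
]

if __name__ == "__main__":
    for host, signals in hosts_to_escalate(SAMPLE_EVENTS).items():
        print(f"ESCALATE {host}: {', '.join(signals)}")
```

Run as-is it escalates only WS-01 with all four indicators; WS-02 triggers just the persistence name rule and stays below the threshold. In a real deployment the event lists would be fed from EDR or Sysmon telemetry and the signer and TLD lists maintained by the SOC.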

How to defend yourself in practice

To reduce risks, it’s essential to act on multiple levels. Some concrete measures:

  • Strengthen ASR rules in Microsoft Defender, especially those that prevent the execution of files downloaded from the web and the launch of suspicious processes from Office applications or browsers.
  • Monitor certificates: automatically flag binaries signed by unrecognized entities or with certificates that are only valid for a few days.
  • Integrate threat intelligence feeds to identify connections to newly registered or low-reputation domains.
  • Educate users: explain that Teams should be downloaded only from the official Microsoft portal and that sponsored ads in search engines should be treated with suspicion.

Finally, having a ready incident response playbook is essential: isolate the endpoint, collect evidence (hashes, registry keys, scheduled tasks), verify network connections, and immediately rotate compromised credentials.

Why this attack is different from the usual

What makes this campaign particularly dangerous isn’t so much its technical complexity, but its speed. Attackers have learned to automate the lifecycle: they create a certificate, register a domain, distribute the file, collect data, and change everything again—often within a few hours.

For defenders, this means they can no longer rely solely on delayed threat feeds. They need real-time telemetry, behavioral rules, and automated response capabilities. It’s a race against time, and the speed of the SOC becomes the deciding factor.

Antonio Piazzolla
IT Infrastructure & Security Manager with more than 20 years of experience in complex business environments. In the Casillo Group, he deals with business continuity, security and innovation. Microsoft, VMware, Cisco and ITIL certified.
