Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks.
The campaign, reported by Palo Alto Networks' Unit 42, combines phishing emails, Microsoft Teams voice calls, legitimate remote management tools, and a Node.js-based malware loader to compromise victims' computers.
According to a report by Unit 42 posted on GitHub, the attack begins with a phishing email containing an "Employee Survey" lure and a malicious PDF attachment.
Shortly after opening the document, the victim receives a Microsoft Teams voice call from an external account impersonating a "System Administrator."
The researchers observed the Teams session displaying the "External unfamiliar" label, indicating the caller belonged to a different Microsoft 365 tenant than the recipient. Audit logs showed the attacker initiated the external chat using the account [email protected][.]com while posing as IT support.
After convincing the victim to grant remote control via Microsoft Teams' built-in screen-sharing feature, the attacker guided them through installing legitimate remote-access tools, including HopToDesk and AnyDesk.
After establishing remote access, they downloaded and executed a malicious MSI installer (v7.msi) from camorreado[.]click. The MSI acts as a malware loader, downloading a legitimate Node.js runtime, decrypting embedded payloads, and ultimately launching EtherRAT.
EtherRAT is a cross-platform remote access trojan written in Node.js that gives attackers full control over compromised systems.
The malware can execute commands, manipulate files, steal data, and maintain persistence, while using Ethereum smart contracts to retrieve its active command-and-control (C2) server, making it harder to disrupt.
EtherRAT was previously used in state-sponsored attacks exploiting the React2Shell vulnerability and has since been adopted by numerous other threat actors.
... continue reading