
Hackers Exploit Fake Microsoft Teams Installer to Spread Oyster Malware



Automated attack shows how cybercriminals are weaponizing trusted software and certificates.

A new cyberattack has shown how quickly hackers can exploit trusted tools to infiltrate corporate systems. Researchers at Conscia uncovered a campaign using a fake Microsoft Teams installer to deliver the Oyster backdoor malware, also known as Broomstick or CleanUpLoader.

The attack began on September 25, 2025, when an employee searched for Microsoft Teams on Bing. Within seconds, the user was redirected through a malicious domain to a spoofed download page, where a file named MSTeamsSetup.exe was quietly downloaded. About an hour later, the file was executed, appearing legitimate but actually containing malware.

The campaign used short-lived, valid code-signing certificates, making the malicious installer appear trustworthy. Certificates issued by entities like “KUTTANADAN CREATIONS INC.” were valid for just two days, helping attackers bypass signature-based security checks.

Fortunately, Microsoft Defender’s Attack Surface Reduction (ASR) rules blocked the malware from connecting to its command-and-control server, preventing potential data theft, ransomware deployment, and network compromise.

“This incident highlights the growing sophistication of cyberattacks. Hackers are leveraging legitimate software and certificate trust, making rapid automated attacks harder to detect,” Conscia researchers noted.

The case underscores the need for advanced, behavior-based security measures. Organizations are urged to rely on more than traditional signature-based defenses, as attackers increasingly weaponize trusted tools and certificates to gain quick, persistent access to systems.
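One way a defender could hunt for the short-lived signing certificates described above is the sketch below. It is an added example, not code from Conscia or Microsoft; it lists signed installers whose signer certificate was issued for only a few days. The function name, the scan path and the seven-day threshold are assumptions chosen for illustration.

```powershell
# Added example (hypothetical helper name): report signed executables whose
# signing certificate has an unusually short validity window.
function Get-ShortLivedSignedFile {
    param(
        [string]$Path = "$env:USERPROFILE\Downloads",  # assumed scan location
        [int]$MaxValidityDays = 7                      # assumed threshold; the campaign used 2-day certificates
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }            # unsigned file: outside the scope of this check

            # Lifetime the certificate was issued for, not the time remaining on it.
            $validity = $cert.NotAfter - $cert.NotBefore
            if ($validity.TotalDays -le $MaxValidityDays) {
                [pscustomobject]@{
                    File         = $_.FullName
                    Status       = $sig.Status         # can still read "Valid" for a timestamped signature
                    Subject      = $cert.Subject
                    Issuer       = $cert.Issuer
                    NotBefore    = $cert.NotBefore
                    NotAfter     = $cert.NotAfter
                    ValidityDays = [math]::Round($validity.TotalDays, 1)
                    Thumbprint   = $cert.Thumbprint
                    SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Example run against the current user's Downloads folder.
Get-ShortLivedSignedFile | Format-List
```

A hit is a lead for triage rather than a verdict: compare the subject and issuer against the publisher the software should come from, and review where the file was downloaded from.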
