EtherRAT Unleashed: How Fake Microsoft Teams IT Calls Are Turning Employees into Their Own Worst Security Threat

Listen to this Post

Featured Image

Introduction

Cybercriminals are constantly refining their attack strategies, and one of the latest campaigns demonstrates just how dangerous human trust can become when combined with legitimate business tools. Instead of relying solely on malicious attachments or exploit kits, attackers are now blending phishing emails with convincing Microsoft Teams conversations to manipulate employees into voluntarily handing over control of their computers.

The latest campaign delivers EtherRAT, an advanced remote access trojan (RAT) that uses blockchain technology to hide its command-and-control infrastructure. By abusing trusted enterprise platforms such as Microsoft Teams, ServiceNow, AnyDesk, HopToDesk, and even Node.js, threat actors are successfully bypassing traditional security defenses while making their activity appear like routine IT support operations. The campaign highlights an alarming shift toward identity-driven attacks where psychology becomes more powerful than software vulnerabilities.

Attack Overview

Researchers have uncovered a sophisticated cyberattack that combines email phishing, Microsoft Teams social engineering, legitimate administrative tools, and blockchain-based malware infrastructure to infect corporate environments with EtherRAT.

Unlike conventional malware campaigns that depend on users downloading suspicious files, this operation focuses on manipulating employees into believing they are communicating with their organization’s IT department. Once trust has been established, victims unknowingly install legitimate remote administration software that gives attackers unrestricted access to corporate devices.

This strategy significantly reduces the likelihood of triggering antivirus alerts because most of the software involved is completely legitimate.

Stage One: The Phishing Email

The attack begins with an email carefully crafted to resemble an internal corporate announcement.

Victims receive an HTML email titled “Employee Survey Results,” containing what appears to be an innocent PDF attachment. The document itself is not the primary threat—it simply prepares the victim psychologically for what comes next.

Instead of immediately deploying malware, attackers use the email to establish credibility and create the expectation that someone from IT may contact them shortly.

This subtle psychological preparation dramatically increases the success rate of the next stage.

Stage Two: Fake Microsoft Teams Support Call

Only a short time after opening the PDF, the employee receives an incoming Microsoft Teams call.

The caller appears to be a company system administrator using the account:

[email protected][.]com

Although Microsoft Teams labels the account as an “External unfamiliar” user, many employees ignore or misunderstand this warning.

The attacker confidently impersonates IT support, claims there is an issue requiring immediate assistance, and convinces the employee to accept remote screen control.

This is where the real compromise begins.

Remote Control Hijacks the Computer

Using Microsoft Teams’ built-in screen sharing and remote control functionality, the attacker requests permission to control the victim’s desktop.

Once approved, forensic investigators later identify the CtrlVirtualCursorWin artifact inside user session logs.

This evidence confirms that the attacker—not the employee—actively controlled the compromised workstation.

Because the victim willingly granted access, many traditional security solutions fail to recognize the activity as malicious.

Installing Legitimate Remote Management Tools

Rather than deploying malware immediately, attackers first establish long-term remote access.

The victim is instructed to download legitimate remote desktop applications including:

HopToDesk

AnyDesk

Both programs are widely used in enterprise environments, making them unlikely to trigger security alerts.

Once installed, attackers possess persistent remote access even if the Microsoft Teams session ends.

This greatly extends their operational capabilities.

Malware Deployment Begins

With complete control of the system, attackers launch Windows Command Prompt.

Using a simple curl command, they retrieve a malicious Windows Installer package named:

v7.msi

The installer originates from a remote server controlled by the attackers.

Although the command appears relatively harmless, it begins an advanced multi-stage infection chain specifically designed to avoid endpoint detection.

Living-Off-the-Land Techniques

Security researchers discovered that the installer functions as a sophisticated JavaScript-based loader.

Rather than including every malicious component inside one executable, it downloads and assembles the malware gradually.

The installer places several files inside the Windows Local Application Data directory, including:

Batch scripts

Obfuscated JavaScript

Encrypted binary payloads

This modular approach makes forensic analysis significantly more difficult.

Node.js Becomes an Unexpected Weapon

One particularly clever aspect of the campaign involves the download of a legitimate Node.js Runtime version 18.20.5.

Instead of executing native malware directly, attackers leverage Node.js to run malicious JavaScript components.

Since Node.js is trusted software used by developers worldwide, its presence rarely raises immediate suspicion inside corporate environments.

This technique enables attackers to blend malicious execution with ordinary developer software.

Advanced Encryption Protects EtherRAT

The JavaScript loader performs a sophisticated decryption routine before revealing the final malware.

Researchers observed a custom 24-byte subtraction cipher that decrypts an encrypted binary blob through multiple stages.

Only after several layers of decryption does the final payload emerge.

That payload is EtherRAT.

This layered architecture complicates reverse engineering while reducing opportunities for security software to inspect the malware.

EtherRAT Uses Blockchain Infrastructure

EtherRAT introduces one of the

Instead of relying entirely on traditional command-and-control servers, the malware retrieves its communication endpoints from an Ethereum smart contract.

This blockchain-anchored architecture makes infrastructure takedowns substantially more difficult because blockchain records cannot simply be deleted by hosting providers.

If blockchain communication fails, EtherRAT automatically switches to a built-in fallback domain to ensure uninterrupted communication with attackers.

This redundancy dramatically improves operational resilience.

Persistence Inside Windows

After installation, EtherRAT quietly modifies the Windows Registry.

It creates persistence using the OneDriveSetup Run key, ensuring that the malware automatically launches every time Windows starts.

Even after a reboot, the attacker retains access to the infected machine.

Such persistence mechanisms are commonly used by advanced persistent threat groups because they allow long-term espionage and credential theft.

ServiceNow Abuse Expands the Attack

One of the most alarming discoveries involves attacker behavior after gaining remote access.

Rather than immediately stealing data, the attackers access the organization’s internal ServiceNow portal.

They create legitimate IT support tickets requesting access to additional enterprise applications.

This tactic allows attackers to blend malicious activity with normal business operations while expanding internal privileges without triggering immediate suspicion.

It demonstrates that modern cybercriminals increasingly exploit business workflows instead of relying exclusively on technical exploits.

Continuous Malware Development

Researchers also uncovered an exposed directory hosting multiple versions of the malware.

Versions one through nine were publicly accessible, revealing an active development cycle that continued through late June 2026.

This suggests the operators are rapidly improving EtherRAT by testing new capabilities and refining evasion techniques.

The malware family remains under active development, indicating that future variants will likely become even more sophisticated.

Deep Analysis

Command: Analyze the Initial Social Engineering Strategy

The campaign proves that social engineering remains more effective than exploiting software vulnerabilities.

Attackers carefully establish trust before requesting remote access, significantly increasing success rates.

Employees naturally trust familiar collaboration platforms such as Microsoft Teams.

This trust becomes the

Traditional phishing awareness alone is no longer sufficient.

Organizations must educate employees about voice-based impersonation attacks.

Cross-platform attacks combining email and video conferencing are becoming increasingly common.

Future awareness programs must include live communication scenarios.

Identity verification should become mandatory for IT support interactions.

Zero Trust principles must extend to human communication.

Command: Examine the Technical Infection Chain

EtherRAT demonstrates a modular architecture that minimizes detection opportunities.

Each stage performs a limited function before passing execution to the next component.

Using legitimate software like Node.js, AnyDesk, and HopToDesk significantly reduces behavioral anomalies.

Living-off-the-land techniques continue replacing traditional malware deployment.

Layered encryption delays reverse engineering efforts.

The blockchain infrastructure further complicates disruption.

Each design decision reflects careful operational planning.

Rather than overwhelming systems with malicious code, attackers hide within trusted applications.

This approach represents the future direction of enterprise malware.

Command: Evaluate Enterprise Security Implications

Organizations relying heavily on Microsoft Teams should reevaluate external communication policies.

External Teams calls require stronger verification procedures.

Remote control permissions should be tightly restricted.

Remote administration software installations should require administrative approval.

Security monitoring should correlate email, Teams activity, registry modifications, and command-line execution simultaneously.

Behavioral analytics will become increasingly important.

Identity validation must become part of every IT support workflow.

Business applications like ServiceNow should also monitor unusual ticket creation patterns.

Cybersecurity must increasingly focus on human behavior rather than malware signatures alone.

What Undercode Say:

The EtherRAT campaign is one of the clearest examples of how modern cybercriminals are evolving beyond traditional malware delivery methods. Instead of attempting to defeat antivirus software directly, attackers are defeating human psychology.

The use of Microsoft Teams is particularly concerning because collaboration platforms have become trusted workplace environments. Employees rarely expect malicious behavior inside applications they use every day.

Another major innovation is the use of blockchain as command-and-control infrastructure. Traditional malware often fails once servers are seized, but blockchain-based communication offers resilience that defenders cannot easily eliminate.

The abuse of legitimate software is equally significant. By installing trusted applications such as Node.js, AnyDesk, and HopToDesk, attackers reduce the number of obvious indicators of compromise.

Perhaps the most dangerous element is the

This level of operational discipline suggests experienced threat actors rather than opportunistic criminals.

Organizations must shift from signature-based defenses toward identity verification, behavioral monitoring, and Zero Trust security models.

Every unexpected Teams call requesting remote access should be treated as suspicious until independently verified.

Security awareness training must evolve beyond email phishing simulations and include live voice, chat, and collaboration-platform impersonation exercises.

Defenders should also monitor legitimate administrative tools, not just malicious executables.

Blockchain-supported malware infrastructure will likely become increasingly common over the next several years.

Security vendors will need new techniques capable of identifying behavioral patterns instead of relying solely on infrastructure takedowns.

The campaign reinforces a fundamental cybersecurity lesson: the weakest security control is often human trust.

Companies that continue treating collaboration platforms as inherently safe may become the next victims.

✅ Fact: Microsoft Teams has previously been abused in real-world social engineering campaigns because trusted collaboration platforms can increase victim confidence.

✅ Fact: Living-off-the-land techniques that leverage legitimate software such as remote administration tools and scripting environments are widely documented and remain difficult to detect.

✅ Fact: Blockchain-based command-and-control mechanisms have been demonstrated in malware research and provide attackers with infrastructure resilience compared to traditional centralized servers.

Prediction

(+1) Organizations will increasingly deploy AI-powered identity verification and stricter approval workflows for remote support sessions, significantly reducing the success of fake IT support attacks.

(-1) Cybercriminal groups are likely to expand this tactic beyond Microsoft Teams, targeting platforms such as Slack, Zoom, Google Meet, and other enterprise collaboration services while further enhancing blockchain-backed malware to resist disruption.

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube