Oyster: What You Need to Know About the Malvertising Targeting Teams

A new malvertising campaign is using fake Microsoft Teams downloads to deliver Oyster malware, putting corporate networks at heightened risk.


Published: September 29, 2025

Kristian McCann

Cybersecurity researchers are raising the alarm over a malvertising campaign that targets users searching for Microsoft Teams downloads.

The campaign leverages the Oyster malware, SEO poisoning, and paid advertisements to intercept users searching for legitimate Teams downloads.

This method of attack represents a concerning evolution in how cybercriminals breach corporate networks, moving beyond traditional email phishing to exploit the software acquisition process itself.

In cybersecurity, an informed and cyber-aware staff is one of the most effective defenses. This article examines what the Oyster malware is, how this campaign operates, and what organizations can do to defend themselves against this emerging threat.

Understanding the Oyster Backdoor

Oyster, also tracked under the aliases Broomstick and CleanUpLoader, first emerged in mid-2023 and has since established itself as a persistent threat in the cybercrime landscape.

As a backdoor malware, Oyster’s primary function is to provide attackers with remote access to compromised Windows devices, effectively creating a foothold within targeted networks that can be exploited for various malicious purposes.

Once installed, the malware grants attackers substantial control over infected systems. This includes the ability to execute arbitrary commands, deploy additional payloads, and facilitate file transfers between the compromised device and attacker-controlled infrastructure.

How the Attack Works

Malvertising is a cyberattack that embeds malware into online ads. When the ad is clicked, the malware can infect a user’s device or redirect them to malicious websites.

Blackpoint SOC found that this particular threat manifests through the promotion of a fake site that appears when visitors search Bing for “Teams download.”

When victims run the fake MSTeamsSetup.exe installer, it deploys a malicious DLL file named CaptureService.dll into the %APPDATA%\Roaming folder, a location commonly used by legitimate applications and less likely to raise suspicion.

The persistence mechanism employed by the malware reflects sophisticated tradecraft. Rather than using obvious registry modifications or startup folder entries, the installer creates a scheduled task named “CaptureService” configured to execute the malicious DLL every eleven minutes. This ensures the backdoor remains operational across system reboots while maintaining a low profile that can evade detection by security tools that do not comprehensively monitor task creation and execution.

By manipulating search engine rankings and purchasing ads, attackers position their malicious infrastructure directly in the path of users with high intent—people actively seeking to download and install software.

This makes users more likely to proceed without thorough verification, particularly in workplace environments where employees feel pressure to resolve technical needs quickly.

The similarity between this campaign and previous fake Google Chrome and Microsoft Teams installer operations suggests these tactics have become standardized within certain threat actor communities.

Defending Against Malvertising-Based Malware

As this form of attack continues to increase, implementing protection against campaigns like this is vital.

Effective defense requires a combination of technical controls, policy enforcement, and most importantly, user education tailored to the specific risks posed by malvertising and SEO poisoning.

For organizations heavily dependent on UC platforms, the stakes are particularly high as these tools often integrate deeply with corporate identity systems and data repositories.

IT administrators should prioritize downloading all software exclusively from verified vendor domains rather than relying on search engine results.

For Microsoft Teams specifically, this means navigating directly to microsoft.com and finding Teams there rather than searching for download links. Organizations should also consider implementing browser bookmarks or internal knowledge base articles with verified download links for commonly used software, reducing the likelihood that employees will turn to search engines.

Additionally, corporate networks can implement DNS filtering and web proxy solutions that whitelist trusted software distribution domains while blocking newly registered or suspicious ones often associated with malware.

Endpoint security solutions capable of behavioral monitoring provide crucial defense-in-depth against threats that bypass initial perimeter protections. Modern endpoint detection and response (EDR) platforms can identify suspicious task creation, unusual DLL loading patterns, and command-and-control communication attempts characteristic of backdoor malware.

For the Oyster campaign in particular, monitoring for DLL execution from user profile directories and unusual network connections from scheduled tasks could provide early warning signs.
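The detection guidance above (task creation, DLL execution from user profile directories, short repetition intervals) can be turned into a concrete check over scheduled task definitions. The following is an added example, not code from the article or from Blackpoint, that parses a Task Scheduler XML definition and flags the two traits described for the Oyster persistence task: an action that loads a DLL from a user profile path, and a repetition interval of a few minutes. The sample task definitions are constructed for illustration; in particular, the use of rundll32.exe as the host binary and the export name "Run" are assumptions, since the article does not say how the DLL is launched.

```python
"""Flag scheduled tasks matching the persistence pattern described in the article:
a DLL executed from a user profile directory on a short repetition interval.
Added example; task definitions below are constructed, not real campaign data."""
import re
import xml.etree.ElementTree as ET

# Real namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths under a user profile from which legitimate software rarely schedules DLL loads.
USER_PROFILE_RE = re.compile(r"(?i)(\\users\\[^\\]+\\appdata\\|%appdata%|%localappdata%)")
DLL_RE = re.compile(r"(?i)\.dll\b")
# Assumption: host binaries commonly used to run a DLL; the article does not name one.
DLL_HOSTS = ("rundll32", "regsvr32")
# Anything repeating this often or faster is worth a look (the article reports eleven minutes).
SHORT_INTERVAL_SECONDS = 15 * 60


def iso8601_duration_seconds(value):
    """Convert a Task Scheduler duration such as PT11M or P1DT2H to seconds (None if malformed)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task(task_xml):
    """Return a list of finding strings for one task definition; an empty list means clean."""
    root = ET.fromstring(task_xml)
    findings = []
    # Trait 1: an Exec action that hands a DLL under a user profile to a DLL host binary.
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        cmdline = f"{command} {args}"
        uses_dll_host = any(h in command.lower() for h in DLL_HOSTS)
        if uses_dll_host and DLL_RE.search(args) and USER_PROFILE_RE.search(cmdline):
            findings.append(f"DLL loaded from user profile path: {cmdline}")
    # Trait 2: a trigger that repeats every few minutes.
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso8601_duration_seconds(interval.text)
        if secs is not None and secs <= SHORT_INTERVAL_SECONDS:
            findings.append(f"short repetition interval: {interval.text} ({secs}s)")
    return findings


# Constructed sample resembling the persistence task described in the article.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT11M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\CaptureService.dll,Run</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a vendor binary under Program Files, run once a day.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-09-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml in (("CaptureService", SUSPICIOUS_TASK), ("ExampleVendorUpdate", BENIGN_TASK)):
        result = assess_task(xml)
        print(name, "->", result if result else "no findings")
```

The task XML can be obtained from `schtasks /query /xml` on a host or from the TaskContent field of Windows Security event 4698 (task creation), so the same function serves both a periodic hunt across endpoints and a real-time detection rule; either trait alone is only a lead, but both together on a task created by an installer are a strong signal.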

Still, the best defense is awareness. Security training must evolve to address the specific tactics used in malvertising campaigns.

Employees need to understand that paid search ads do not inherently indicate legitimacy and that domain names should be carefully verified before downloading executables.

Because IT administrators are frequently targeted due to their elevated privileges, they deserve specialized training on the tactics adversaries use to target their role—including fake software sites for IT tools.

For non-IT employees, organizations could establish policies requiring IT approval before installing remote access or UC software, creating an additional verification layer against social engineering attempts.

Finally, in organizations where restrictions would not hinder productivity, administrators can implement application control technologies that limit which executables can run on corporate systems.

Although this requires careful policy development to avoid business disruption, allowlisting approaches can effectively prevent unauthorized software installation even when users are deceived by sophisticated attacks.
