Cybersecurity researchers have uncovered a new attack campaign in which threat actors are impersonating corporate IT support staff through Microsoft Teams voice calls to trick employees into installing the EtherRAT remote access trojan (RAT), potentially giving attackers complete control over compromised corporate systems.
According to a report by Palo Alto Networks’ Unit 42, the attack begins with a phishing email carrying an “Employee Survey” lure and a malicious PDF attachment. Shortly after the victim opens the document, they receive a Microsoft Teams voice call from an external account posing as a company system administrator or IT support representative.
Researchers observed that the Teams interface displayed the “External unfamiliar” warning, indicating the caller belonged to a different Microsoft 365 tenant. Audit logs showed the attackers initiated contact using an external Microsoft 365 account while falsely claiming to be internal IT personnel.
During the call, the attackers allegedly persuade victims to grant remote control through Microsoft Teams’ built-in screen-sharing and remote-control features. Victims are then instructed to install legitimate remote administration tools such as HopToDesk and AnyDesk, allowing the attackers to establish persistent remote access.
After gaining access, the attackers reportedly download and execute a malicious MSI installer named “v7.msi.” The installer functions as a malware loader by downloading a legitimate Node.js runtime, decrypting embedded malicious components, and ultimately deploying EtherRAT onto the victim’s system.
EtherRAT is a cross-platform remote access trojan developed using Node.js. Once installed, it enables attackers to execute commands, manipulate files, steal sensitive information, maintain long-term persistence, and remotely control infected devices. Researchers noted that the malware retrieves its active command-and-control (C2) server through Ethereum smart contracts, making disruption and takedown efforts more difficult.
Unit 42 researchers also discovered an openly accessible directory on a malware distribution server containing multiple installer versions ranging from v1 to v9, suggesting that the malware campaign is under active development and continuous refinement.
The latest findings follow a series of recent attacks exploiting Microsoft Teams. Earlier campaigns targeted organisations in the financial and healthcare sectors by combining spam email attacks with fake IT support calls that convinced employees to launch remote assistance sessions, ultimately resulting in malware deployment and network compromise.
Microsoft has introduced additional security measures in response to the growing abuse of Teams. These include warnings that clearly identify external callers and chat participants, helping users recognise potential phishing and voice-phishing (vishing) attempts. The company has also introduced new administrator policies that automatically place suspected third-party bots into meeting lobbies until organisers manually approve their entry.
Cybersecurity experts advise organisations to train employees to verify the identity of IT personnel before granting remote access, remain cautious of unsolicited Microsoft Teams calls from external accounts, and avoid installing software or remote administration tools unless instructed through verified internal support channels.
