Fake IT Support Calls on Microsoft Teams Push EtherRAT Malware
What happened
Threat actors are abusing Microsoft Teams voice calls to impersonate corporate IT support staff and trick employees into installing EtherRAT malware. The campaign, reported by Palo Alto Networks’ Unit 42, begins with a phishing email using an “Employee Survey” lure and a malicious PDF attachment. Shortly after the victim opens the document, they receive a Microsoft Teams voice call from an external account posing as a “System Administrator.”
During the Teams session, the attacker convinces the victim to grant remote control through Microsoft Teams’ built-in screen-sharing feature. Researchers observed the call displaying Microsoft’s “External unfamiliar” label, meaning the caller came from a different Microsoft 365 tenant. Audit logs showed the attacker initiated the external chat using an account styled as helpdesk support while pretending to be corporate IT.
After gaining control, the attacker guided the victim into installing legitimate remote-access tools, including HopToDesk and AnyDesk. The attacker then downloaded and executed a malicious MSI installer from an external domain. That installer acted as a malware loader, downloading a legitimate Node.js runtime, decrypting embedded payloads, and launching EtherRAT.
EtherRAT is a cross-platform Node.js remote access trojan that gives attackers control over compromised systems. It can execute commands, manipulate files, steal data, and maintain persistence. It also uses Ethereum smart contracts to retrieve its active command-and-control server, making the infrastructure harder to disrupt. Unit 42 found multiple versions of the malware installer, suggesting the campaign remains under active development.
Who is affected
Organizations using Microsoft Teams are directly affected, especially if they allow external chats, calls, or meetings from unfamiliar tenants.
Employees are at risk if they can receive external Teams calls, grant screen-sharing control, or install remote-access tools without approval. Help desk and IT support impersonation makes the campaign especially dangerous because the attacker’s instructions may appear legitimate during a live call.
Windows environments may face immediate risk from the observed MSI-based infection chain, while the broader EtherRAT threat is relevant across platforms because the malware is written in Node.js.
Why CISOs should care
This campaign shows how attackers are moving beyond email-only phishing into live collaboration abuse. A Teams call from someone posing as IT support can create pressure, urgency, and trust in a way that static phishing emails often cannot.
For CISOs, the remote-control step is critical. Once a victim shares control through Teams, the attacker can walk them through installing legitimate tools such as AnyDesk or HopToDesk, making malicious access look like normal troubleshooting.
The use of legitimate remote management tools also complicates detection. These tools may not be malicious by themselves, but in the wrong context they can give attackers persistent access and a path to deploy malware.
The Ethereum-based command-and-control mechanism adds another layer of resilience. By using smart contracts to retrieve the active C2 server, EtherRAT can make takedown and blocking efforts harder than malware tied to a single static domain.
3 practical actions
Restrict external Teams communication: The campaign relies on external Teams calls from attackers impersonating IT support. CISOs should limit external chats and calls where possible, enforce tenant allowlists, and educate users to treat “External unfamiliar” labels as a warning.
Control remote-access tool installation: Attackers guided victims into installing HopToDesk and AnyDesk. Security teams should allow only approved remote support tools, block unauthorized installers, and alert on new remote-access software appearing on user endpoints.
Hunt for EtherRAT delivery behavior: Defenders should review Teams audit logs, external chat activity, suspicious screen-sharing sessions, MSI downloads, Node.js runtime execution from unusual paths, and unexpected connections tied to Ethereum-based command-and-control lookup behavior.
More cybersecurity news:


