Microsoft Teams impersonation calls used to deliver EtherRAT malware

Security researchers say attackers are abusing Microsoft Teams voice calls to pose as internal IT staff and convince employees to install remote-access software, a tactic that can end with the EtherRA...

Security researchers say attackers are abusing Microsoft Teams voice calls to pose as internal IT staff and convince employees to install remote-access software, a tactic that can end with the EtherRAT malware being deployed on corporate systems.

The campaign, described by Palo Alto Networks Unit 42, combines several familiar tradecraft elements: a phishing email, a fake helpdesk call, legitimate remote-management tools, and a custom malware loader. The initial lure is an email that references an employee survey and includes a malicious PDF. After the document is opened, the target receives a Teams call from an external account claiming to be a system administrator.

Researchers noted that the caller appeared with an external-user warning in Teams, suggesting the account belonged to a different Microsoft 365 tenant. In the activity examined by Unit 42, the attacker used an account named helpdesk@Progressive936.onmicrosoft[.]com while pretending to assist the victim.

How the intrusion unfolds

Once the target is persuaded to share control through Teams screen-sharing, the attacker directs the user to install legitimate remote-access utilities such as HopToDesk and AnyDesk. That step gives the attacker hands-on access to the machine while helping the session look routine.

From there, the adversary downloads a malicious MSI package from an external site. The installer functions as a loader that retrieves a Node.js runtime, decrypts embedded components, and launches EtherRAT. The malware is written in Node.js and is designed to provide broad control over infected systems, including command execution, file manipulation, persistence, and data theft.

Unit 42 also found evidence that the malware infrastructure is being maintained actively, including multiple installer versions stored in an open directory. EtherRAT has previously appeared in state-linked activity tied to exploitation of the React2Shell flaw, and it has since been reused by other threat actors.

The findings follow a broader trend of attackers exploiting collaboration platforms to gain a foothold in organizations. Microsoft has recently introduced additional warnings for external Teams contacts and new controls intended to reduce the risk of impersonation and unauthorized access.

For defenders, the campaign is another reminder that social engineering and legitimate admin tools can be combined to bypass traditional security boundaries. Training users to verify unexpected support requests through separate channels remains an important layer of defense.