Hackers Exploit Weaponized Microsoft Teams Installer to Deploy Oyster Malware

A sophisticated malvertising campaign has been targeting organizations through a weaponized Microsoft Teams installer that delivers the dangerous Oyster malware, according to a recent investigation by cybersecurity experts.

The attack demonstrates an alarming evolution in threat actor tactics, combining SEO poisoning, certificate abuse, and living-off-the-land techniques to evade traditional security measures.

The attack was first addressed on September 25, 2025, when Microsoft Defender’s Attack Surface Reduction (ASR) rules successfully blocked suspicious outbound connections from a newly executed file.

This critical intervention prevented what could have been a devastating breach, highlighting the importance of properly configured endpoint protection policies.

The investigation revealed a remarkably fast attack sequence, with victims being redirected from legitimate Bing searches to malicious infrastructure in just 11 seconds—a timeframe far too rapid for manual user interaction, indicating sophisticated automated redirect mechanisms.

The Attack Chain: From Search to Compromise

The threat actors employed ...