
Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor

The Oyster backdoor (also known as Broomstick) is targeting the financial world, using malicious search ads for PuTTY, Teams, and Google Meet.

HackRead

Cybercriminals are tricking users into downloading malware disguised as popular office tools like Microsoft Teams and Google Meet. This dangerous campaign is mainly targeting those in the financial world and has been active since mid-November 2025, according to a new report from cybersecurity experts at CyberProof.

The danger lies in what experts call SEO poisoning and malvertising. In SEO poisoning, attackers manipulate search results to make fake, dangerous websites appear at the top, whereas malvertising means using online advertisements to spread malware.

**The Bait: Fake Downloads**

CyberProof’s research, shared with Hackread.com, reveals that the attack starts with directing victims to malicious websites. Once a user clicks, they are tricked into downloading the Oyster backdoor (also called Broomstick and CleanUpLoader), first spotted in September 2023 by security experts at IBM.

Further investigation revealed that attackers are constantly changing their methods. For example, in July 2025, CyberProof researchers spotted Oyster being spread through ads that impersonated other popular IT tools, specifically PuTTY and WinSCP. This shows a pattern of targeting tools that users frequently search for.

**Recent Attack Details**

The current wave of attacks involves using fake download pages for online communication tools like Microsoft Teams and Google Meet to fool people into downloading malware, with reports suggesting it started earlier than mid-November.

Fake Google Meet site used in the Oyster backdoor campaign (Image via CyberProof)

As Hackread.com recently reported, research from Blackpoint Cyber detailed a new campaign in which a fake site appeared when visitors searched for “Microsoft Teams download” and delivered the Oyster backdoor.

To make their files look official, some fake installers, like MSTeamsSetup.exe, were code-signed with certificates from various companies, including LES LOGICIELS SYSTAMEX INC., Reach First Inc., and S.N. ADVANCED SEWERAGE SOLUTIONS LTD. Researchers noted that most of these certificates have since been revoked.

**A Lingering Threat**

The Oyster backdoor is a serious issue because it creates a hidden entry point into a computer system. When the fake installer is run, it drops a malicious file called AlphaSecurity.dll into a folder on your computer.

For persistence, the installer creates a scheduled task, also called ‘AlphaSecurity,’ which makes sure the malicious file runs every 18 minutes, keeping the backdoor active even after the computer is restarted.
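
A hunting check for the persistence described above, as an added example (not code from CyberProof or Hackread.com): it parses one scheduled-task definition in Task Scheduler XML form, as exported by `schtasks /query /xml`, and reports which of the three indicators named in the article it matches. The sample tasks, the folder and the loader command are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Indicators reported in the article: task name, DLL name, 18-minute repeat.
TASK_NAME, DLL_NAME, REPEAT_MIN = "alphasecurity", "alphasecurity.dll", 18

def interval_minutes(iso):
    """Convert a repetition interval such as PT18M or PT1H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def match_indicators(task_xml):
    """Return which of the article's indicators one exported task definition matches."""
    root = ET.fromstring(task_xml)
    hits = []
    uri = root.findtext("t:RegistrationInfo/t:URI", "", NS)
    if uri.rsplit("\\", 1)[-1].lower() == TASK_NAME:
        hits.append("task-name")
    intervals = (i.text or "" for i in root.iterfind(".//t:Repetition/t:Interval", NS))
    if any(interval_minutes(i) == REPEAT_MIN for i in intervals):
        hits.append("18-minute-repeat")
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        line = ex.findtext("t:Command", "", NS) + " " + ex.findtext("t:Arguments", "", NS)
        if DLL_NAME in line.lower():
            hits.append("dll-name")
            break
    return hits

def make_task(uri, interval, command, arguments):
    """Build a minimal task definition for the constructed samples below."""
    return (f'<Task xmlns="{NS["t"]}"><RegistrationInfo><URI>{uri}</URI></RegistrationInfo>'
            f"<Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval></Repetition>"
            f"</TimeTrigger></Triggers><Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

# Constructed samples: the folder and loader command are placeholders, not from the article.
SUSPECT = make_task(r"\AlphaSecurity", "PT18M", "rundll32.exe",
                    r"C:\PLACEHOLDER_DIR\AlphaSecurity.dll,PLACEHOLDER_EXPORT")
RENAMED = make_task(r"\UpdaterTask", "PT18M", "rundll32.exe",
                    r"C:\PLACEHOLDER_DIR\AlphaSecurity.dll,PLACEHOLDER_EXPORT")
BENIGN = make_task(r"\Vendor\DailySync", "PT1H", r"C:\Program Files\Vendor\sync.exe", "--quiet")

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("renamed", RENAMED), ("benign", BENIGN)):
        print(name, match_indicators(xml))
```

Matching on the interval and the DLL name as well as the task name means a renamed task still surfaces with two of the three indicators.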

While the current campaign started in November 2025, researchers noted that this wider threat, using a combination of SEO and malvertising, has been active since at least November 2024. They explained that many ransomware groups, like the well-known Rhysida, have reportedly used this same backdoor to attack corporate networks, making this a serious concern.

“Since there have been some ties with human-operated ransomware groups, we strongly believe and predict this threat cluster will continue to be active through 2026,” CyberProof researchers assessed.

To protect yourself, remember to always download software directly from the official developer’s website or a trusted app store and avoid clicking on search results or pop-up ads for downloads, as these are exactly how the Oyster backdoor spreads.
