Your IT guy calls on Teams asking you to install something. Don’t do it. It’s probably a scam.
Palo Alto Networks’ Unit 42 found a campaign where attackers impersonate corporate IT support on Microsoft Teams voice calls. Their goal is to trick employees into installing EtherRAT — a nasty remote access trojan that gives attackers full control over infected machines.
The attack starts simple: a phishing email with an “Employee Survey” PDF attachment. Shortly after you open it, you get a Teams call from an external account labeled “System Administrator.” The caller ID shows “External unfamiliar.” That’s a red flag.
The attacker talks you into sharing your screen via Teams’ built-in feature. Then they guide you through installing legitimate remote tools like HopToDesk or AnyDesk. Once they have remote access, they drop a malicious MSI installer that loads EtherRAT.
EtherRAT is written in Node.js. It can execute commands, steal files, and maintain persistence. The clever part? It uses Ethereum smart contracts to retrieve its C2 server address. That makes takedowns much harder.
Unit 42 found an open directory with multiple versions of the malware installer — v1 through v9. This campaign is actively being developed.
Microsoft has been adding protections. Teams now warns about external callers and chats. A new policy automatically puts suspected third-party bots into the meeting lobby. But the best defense is skeptical employees who don’t install software from unsolicited callers.
