A new cyberattack campaign uses Microsoft Teams chats to deliver malware to Windows PCs. Cybersecurity firm ReliaQuest discovered the attack, which began in March 2025. The Storm-1811 group, linked to the Black Basta ransomware, primarily targets the finance and professional services sectors. The attack relies on impersonating internal IT support staff using fraudulent Microsoft 365 accounts, such as “Technical Support,” to gain trust.
The attackers take advantage of low employee vigilance, especially targeting directors and vice presidents during late afternoons. In one of the more striking tactics, the attackers selectively target employees with female-sounding names, possibly exploiting social engineering vulnerabilities. Victims are lured into launching the Windows Quick Assist tool, allowing the attackers to deploy a persistence mechanism that ensures ongoing access to the system. This technique ensures the attackers can maintain control of compromised systems.
The most alarming part of the attack is the use of TypeLib Component Object Model (COM) hijacking, a technique not previously seen at this scale. By modifying Windows registry entries linked to Internet Explorer components, the attackers ensure that a remote script is executed whenever related processes, like “Explorer.exe,” run.
This remote script delivers the malware payload hosted on Google Drive, bypassing antivirus detection and making the attack harder to spot.
Once the malware is delivered, a highly obfuscated PowerShell backdoor is deployed. The backdoor communicates with attackers via Telegram, opening a persistent command-and-control channel. Research suggests the attackers initially distributed the malware through malicious Bing advertisements, and the campaign’s development and testing appear to be linked to Russia.
Experts recommend organizations restrict external communication on Microsoft Teams, monitor for suspicious activity, and strengthen Windows registry controls to defend against this evolving threat.
