On September 25, 2025, an employee searched Bing for “Microsoft Teams.” Within 11 seconds, the search result redirected the user from bing.com → team.frywow.com → the malicious site teams-install.icu.
Once the user landed on teams-install.icu, they downloaded a file named MSTeamsSetup.exe. Though it appeared legitimate, it was in fact the Oyster backdoor. Approximately an hour later, when the file executed, Defender’s Attack Surface Reduction (ASR) rules intercepted its attempt to reach its command‑and‑control server at nickbush24.com.
Conscia investigators discovered this automated, multi-stage chain. The campaign used short‑lived code‑signing certificates (valid Sept 24–26) to bypass trust controls and obscure attribution.
How every stage was engineered
Poisoned search + malvertising redirect
Threat actors placed poisoned search entries or manipulated search ad rankings to funnel queries for “Teams” into a controlled redirect chain. The chain resolved in just seconds, suggesting automation.
The file MSTeamsSetup.exe masquerades as a legitimate Teams installer but carries the Oyster payload. The domain teams-install.icu was hosted behind Cloudflare to blur origin and evade attribution.
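The redirect chain above is detectable from ordinary web proxy logs: a request that starts at a search engine, hops to domains the software vendor does not own, and ends in an executable download a few seconds later. The script below is an added example written for this write-up, not code from Conscia or from the campaign analysis. It reconstructs per-user referrer chains from a constructed log sample (Alice's lines mirror the chain described in the article; Bob's are a benign vendor download with made-up paths), flags chains that leave the trusted vendor domains and end in an .exe, and cross-references the hops against the article's IoC domains. The search-engine set, the trusted-vendor allow-list and the 60-second window are assumptions a defender would tune.

```python
"""Reconstruct search-engine-to-download redirect chains from a web proxy log
and flag the ones that leave the vendor's own domains and end in an executable."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

SEARCH_ENGINES = {"bing.com", "google.com", "duckduckgo.com"}
# Domains that may legitimately serve the product the user searched for
# (defender-maintained allow-list; hypothetical here).
TRUSTED_VENDORS = {"microsoft.com"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
# Domains taken from the article's IoC table.
IOC_DOMAINS = {"teams-install.icu", "team.frywow.com", "nickbush24.com"}
CHAIN_WINDOW_SECONDS = 60

# Constructed sample log: "timestamp user referrer url status content-type".
# Alice's lines mirror the chain described in the article; Bob's are a benign
# download from the vendor site (paths are made up for the example).
SAMPLE_LOG = """\
2025-09-25T10:02:00Z alice https://www.bing.com/ https://www.bing.com/search?q=microsoft+teams 200 text/html
2025-09-25T10:02:04Z alice https://www.bing.com/search?q=microsoft+teams https://team.frywow.com/go 302 text/html
2025-09-25T10:02:07Z alice https://www.bing.com/search?q=microsoft+teams https://teams-install.icu/download 200 text/html
2025-09-25T10:02:11Z alice https://teams-install.icu/download https://teams-install.icu/MSTeamsSetup.exe 200 application/x-msdownload
2025-09-25T10:05:00Z bob https://www.bing.com/ https://www.bing.com/search?q=microsoft+teams 200 text/html
2025-09-25T10:05:09Z bob https://www.bing.com/search?q=microsoft+teams https://www.microsoft.com/teams/download 200 text/html
2025-09-25T10:05:30Z bob https://www.microsoft.com/teams/download https://www.microsoft.com/teams/MSTeamsSetup.exe 200 application/x-msdownload
"""


def registrable(host):
    """Naive registrable domain (last two labels); fine for the sample, use a
    public-suffix list for real traffic (co.uk and friends)."""
    return ".".join(host.lower().split(".")[-2:])


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, referrer, url, status, ctype = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "referrer": referrer, "url": url,
            "status": int(status), "ctype": ctype,
        })
    return events


def find_suspicious_chains(events):
    """Return one finding per chain that starts at a search engine, hops to a
    non-vendor domain and ends in an executable download within the window."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            if registrable(urlparse(start["url"]).hostname) not in SEARCH_ENGINES:
                continue
            # Follow referrers: each hop must be referred by a URL already in the chain.
            chain, seen = [start], {start["url"]}
            for ev in evs[i + 1:]:
                if (ev["ts"] - start["ts"]).total_seconds() > CHAIN_WINDOW_SECONDS:
                    break
                if ev["referrer"] in seen:
                    chain.append(ev)
                    seen.add(ev["url"])
            hosts = [urlparse(ev["url"]).hostname for ev in chain[1:]]
            off_vendor = [h for h in hosts
                          if registrable(h) not in SEARCH_ENGINES | TRUSTED_VENDORS]
            last = chain[-1]
            is_exe = last["ctype"] in EXECUTABLE_TYPES or last["url"].lower().endswith(".exe")
            if off_vendor and is_exe:
                findings.append({
                    "user": user,
                    "seconds": (last["ts"] - start["ts"]).total_seconds(),
                    "hops": hosts,
                    "download": last["url"],
                    "ioc_hits": sorted({h for h in hosts if h in IOC_DOMAINS}),
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}: search -> {' -> '.join(f['hops'])} in {f['seconds']:.0f}s, "
              f"download {f['download']}, IoC matches {f['ioc_hits']}")
```

The IoC match is a bonus, not the detection: the chain is flagged on behaviour (search engine, off-vendor hop, executable within a minute), so the same logic fires when the attacker rotates to domains no feed has seen yet.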
Code signing certificate abuse
The malicious binary carried a valid digital signature issued to “KUTTANADAN CREATIONS INC.” The certificate was valid only between September 24 and 26, 2025.
This very short lifespan reduces the window for revocation and detection. Attackers can cycle such certs frequently to avoid blacklisting.
The Oyster backdoor: capabilities & risk profile
Also known under aliases like Broomstick or CleanUpLoader, Oyster is a stealthy backdoor that supports:
- Persistent access
- Remote command execution
- Communication with hardcoded C2 addresses
- Data gathering and reconnaissance
Had ASR not blocked the C2 handshake, attackers could have moved laterally, exfiltrated data, or deployed additional payloads (like ransomware).
How it was stopped: defender controls that mattered
Microsoft Defender’s Attack Surface Reduction (ASR) rules identified and blocked the outgoing connection to nickbush24.com
. That prevented the backdoor from fully activating.
Other key defenses that played a role:
- Behavior‑based EDR/endpoint monitoring
- DNS / network filtering to block the domains
- Telemetry alerting on short-lived certificate issuance
- Executable signature checks with anomalous certificate validity
Indicators of Compromise (IoCs)
| Type | Value |
| --- | --- |
| Domains | teams-install.icu, team.frywow.com, nickbush24.com |
| File name | MSTeamsSetup.exe |
| Signer | KUTTANADAN CREATIONS INC. |
| Certificate validity | Sept 24 → Sept 26, 2025 |
| C2 address | nickbush24.com |
| Certificate type | Short‑lived, code signing |
Mitigation & remediation checklist
- Enforce strict ASR rules and behavior-based controls
- Block the listed malicious domains at DNS / firewall
- Hunt for MSTeamsSetup.exe across endpoints; inspect its signature metadata
- Watch for anomalous certificate issuance (esp. short-lived ones)
- Train users to confirm official Microsoft download links only
- Monitor telemetry for unusual network calls from endpoints
- Isolate affected systems and engage forensic analysis
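The certificate-abuse section above and the checklist items "inspect its signature metadata" and "watch for anomalous certificate issuance" both come down to the same control: a valid signature is a data point, not a verdict. The script below is an added example for this write-up, not code from Conscia or Microsoft. It scores signer metadata in the shape a triage tool would collect (the fields mirror what `Get-AuthenticodeSignature` reports on Windows) against two expectations: the publisher that legitimately signs a file with this name, and a minimum certificate lifetime. The signer name and validity dates for the malicious sample come from the article's IoC table; the times of day, file paths, the 30-day threshold and the expected-publisher mapping are constructed assumptions.

```python
"""Conditional trust for signed executables: check the signer and certificate
lifetime, not just whether the Authenticode chain validates."""
from datetime import datetime, timedelta

# Defender-maintained expectations (hypothetical): file-name stem -> publishers
# that legitimately sign it. Anyone else signing a file with this name is a
# masquerade, however cleanly the chain validates.
EXPECTED_PUBLISHERS = {
    "msteamssetup": {"Microsoft Corporation"},
}
# Code-signing certificates normally live for one to three years; a lifetime of
# a few days is the pattern the article describes.
MIN_VALIDITY = timedelta(days=30)

# Constructed signer metadata. Dates and signer name for the malicious sample are
# from the article; times of day and paths are made up for the example.
MALICIOUS_SAMPLE = {
    "path": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",
    "chain_valid": True,
    "signer": "KUTTANADAN CREATIONS INC.",
    "not_before": "2025-09-24T00:00:00Z",
    "not_after": "2025-09-26T23:59:59Z",
}
BENIGN_SAMPLE = {
    "path": r"C:\Users\bob\Downloads\MSTeamsSetup.exe",
    "chain_valid": True,
    "signer": "Microsoft Corporation",
    "not_before": "2024-10-01T00:00:00Z",
    "not_after": "2025-10-01T00:00:00Z",
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def file_stem(path):
    """'C:\\...\\MSTeamsSetup.exe' -> 'msteamssetup' (case-insensitive lookup key)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def assess_signature(meta):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    findings = []  # (severity, reason)

    if not meta["chain_valid"]:
        findings.append(("block", "signature chain does not validate"))

    stem = file_stem(meta["path"])
    expected = EXPECTED_PUBLISHERS.get(stem)
    if expected and meta["signer"] not in expected:
        findings.append(("block", f"signer '{meta['signer']}' is not an expected "
                                  f"publisher for {stem}: {sorted(expected)}"))

    lifetime = _parse(meta["not_after"]) - _parse(meta["not_before"])
    if lifetime < MIN_VALIDITY:
        days = round(lifetime.total_seconds() / 86400)
        findings.append(("review", f"certificate valid for only {days} day(s)"))

    if not findings:
        return "allow", []
    verdict = "block" if any(sev == "block" for sev, _ in findings) else "review"
    return verdict, [reason for _, reason in findings]


if __name__ == "__main__":
    for sample in (MALICIOUS_SAMPLE, BENIGN_SAMPLE):
        verdict, reasons = assess_signature(sample)
        print(f"{sample['path']}: {verdict}")
        for r in reasons:
            print(f"  - {r}")
```

On a Windows endpoint the inputs come from `Get-AuthenticodeSignature <path>`: `.Status` for chain validity and `.SignerCertificate` for the subject, `NotBefore` and `NotAfter`. A short lifetime alone only earns "review", because some legitimate publishers do issue short certificates; a short lifetime combined with a publisher mismatch is what turns a "signed" installer into a block.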
Strategic takeaways for defenders
- Attackers now weaponize certificate trust itself
- Trust in signed binaries must be conditional
- Automated redirect chains reduce dwell time for detection
- Layered defenses (EDR + ASR + DNS filtering) are no longer optional
This campaign demonstrates a rising trend: adversaries blending malvertising, search manipulation, and certificate abuse to deliver malware at scale. Without behavior‑based defenses like ASR, such campaigns could slip past traditional antivirus.
Defenders must treat digitally signed binaries as potential risks, enforce robust endpoint controls, and monitor certificate issuance patterns closely.
FAQs
Q: What is Oyster malware?
A: Oyster (also known as Broomstick or CleanUpLoader) is a stealthy backdoor capable of persistent access, command execution, and C2 communication.
Q: How do poisoned search results lead to malware?
A: Attackers inject or manipulate search listings so that victims click malicious links. These links redirect through controlled domains into fake download sites hosting malware.
Q: How does ASR block malware like Oyster?
A: Attack Surface Reduction rules monitor and block dangerous behavior (e.g. suspicious outbound connections, unusual file execution), preventing the backdoor from fully activating.
Q: What should a user do if they accidentally run a fake Teams installer?
A: Disconnect from the network immediately, run endpoint scans, inspect the file’s signature metadata, check for unusual processes or outbound connections, and report to your security/AP team.