Back to Insights
Threats5 min read6 July 2026

Fake IT Support Calls on Microsoft Teams Are Dropping EtherRAT Malware on Corporate PCs

Palo Alto Networks' Unit 42 has documented an active attack chain where criminals call employees over Teams, impersonate the IT helpdesk, and install a Node.js trojan that hides its command server inside an Ethereum blockchain.

t2s
train2secure NewsdeskSecurity awareness team
A photorealistic editorial scene showing a corporate office worker at a modern desk looking uncertain at a laptop screen

Criminals posing as internal IT staff are cold-calling employees on Microsoft Teams, talking them into handing over remote control of their machines, and silently installing a blockchain-powered trojan called EtherRAT, according to research published by Palo Alto Networks' Unit 42.

How the Attack Unfolds

The sequence is deliberate and two-stage. First, the target receives a phishing email carrying a PDF labelled as an 'Employee Survey'. The document is bait. Its purpose is to prime the victim to expect follow-up contact.

Seconds or minutes later, their Teams client rings. A caller introduces himself as a 'System Administrator' investigating a technical issue linked to the survey. He sounds plausible, he is using the right app, and he appears to know something about the organisation. What the victim does not immediately register is the small 'External unfamiliar' label Teams attaches to the call. Unit 42 traced one attacker account back to helpdesk@Progressive936.onmicrosoft[.]com, a Microsoft 365 tenant the criminals created specifically for this campaign.

The fake technician then asks the employee to share their screen and grant remote control, standard Teams features that legitimate IT staff do use. From that foothold the attacker walks the victim through installing HopToDesk and AnyDesk, both well-known remote-support applications that carry valid code signatures. Most endpoint protection tools do not flag signed software from recognised vendors, so the installation completes without an alert.

The Payload: EtherRAT and the Blockchain Trick

Once remote access is established, the attacker downloads a Windows installer named v7.msi from a site registered at camorreado[.]click. The file bundles a legitimate copy of Node.js, the open-source JavaScript runtime, and uses it to quietly launch EtherRAT.

EtherRAT is a cross-platform remote access trojan written entirely in Node.js. It gives the operator full command execution, file exfiltration, and persistence across reboots. Its most notable design choice is how it locates its command-and-control server. Instead of embedding a hard-coded IP address that defenders can block, EtherRAT queries an Ethereum smart contract on the public blockchain to retrieve the current server address dynamically. The lookup happens on a network the criminals do not own and that no single organisation can take offline. That architecture makes traditional domain-takedown responses largely ineffective.

Unit 42 researchers found an open directory on the distribution server containing installer packages labelled v1 through v9, a progression that strongly suggests the campaign is still under active development. Earlier variants of EtherRAT appeared in state-sponsored intrusions tied to the React2Shell vulnerability before spreading to criminal groups outside that context.

Why Microsoft Teams Is the Ideal Cover

Email has trained many workers to be suspicious of unexpected attachments. Teams carries no such cultural baggage. Inside most organisations it is the trusted channel for IT support, HR updates, and leadership announcements. An unsolicited call arriving there triggers far less scepticism than the same call arriving by phone or email.

This campaign is not isolated. A separate March 2025 campaign targeting financial institutions and hospitals used the same basic playbook, substituting Quick Assist for HopToDesk and delivering a backdoor called A0Backdoor. In April 2025, Microsoft itself issued guidance noting that external Teams accounts were actively being weaponised to impersonate support personnel and pivot into corporate networks. Microsoft has since introduced an admin policy that holds suspected third-party bots in a meeting lobby pending organiser approval, and external callers now receive more prominent warning labels. Those are useful guardrails. They are not enough on their own.

Which Controls Failed, and What Defenders Should Learn

This attack did not exploit a software vulnerability in the traditional sense. There is no CVE to patch. Every tool in the chain, Teams calling, AnyDesk, HopToDesk, Node.js, was used as designed. The failure was human and procedural.

The first broken control was identity verification. The employee had no reliable way to confirm that the caller was a real member of the internal IT team. Most organisations publish a helpdesk number or ticketing portal, but very few train staff on what an external Teams call looks like in practice or what the 'External unfamiliar' badge actually means. If workers cannot read the warning, the warning does not protect them. Security-awareness training that specifically simulates vishing, voice-based phishing, directly addresses this gap; programmes that drill employees on recognising social engineering cues over voice and video channels are measurably more effective than those that focus on email alone, as the 2024 Verizon Data Breach Investigations Report confirms that the human element remains a factor in over 68 percent of breaches.

The second failed control was process, not technology. Legitimate IT departments operate on ticketed workflows. A real technician does not cold-call an employee after a survey PDF, ask for screen share, and then install remote-access software in real time without a ticket number, a manager approval, or an identity confirmation step. Organisations that have never codified and communicated that procedure leave employees with no baseline to compare an attacker's behaviour against. Training staff to understand that process is as important as any technical control.

The third failure was endpoint policy. Blocking the installation of unsigned or unapproved remote-access applications by default would have broken the attack chain before EtherRAT ever ran. Application allowlisting, combined with a policy requiring IT to pre-authorise any remote-support session through an internal channel, would have stopped v7.msi from executing entirely.

What Your Team Should Do Now

The practical takeaways are concrete. First, configure your Microsoft 365 tenant to restrict which external domains can initiate Teams calls or chats with your employees. Second, publish an explicit policy: the helpdesk will never cold-call staff, request screen share, or install software without a traceable ticket. Third, test that policy with simulated vishing exercises so staff recognise the pattern before a real attacker tries it. A free trial of Train2Secure's awareness platform lets security teams run those simulations without an upfront commitment.

Finally, audit which remote-access tools are permitted to run in your environment. HopToDesk and AnyDesk are legitimate products with legitimate uses. If your IT department does not use them, they should not be installable by a standard user account, full stop.

The v9 installer sitting on that open directory is a reminder: this campaign is being refined. The attackers are iterating faster than most organisations are reviewing their awareness programmes.

How a clear verification process could have stopped this attack

  • Run simulated vishing exercises so employees recognise unsolicited IT support calls before a real attacker makes them.
  • Establish and publish a written policy stating that internal IT will never cold-call staff to install remote-access software without a verifiable ticket number.
  • Configure Microsoft 365 to restrict external Teams calling to approved domains only, and audit which remote-access tools standard users can install.

Train2Secure's awareness platform includes social-engineering simulations covering phone and video-based vishing, the exact attack vector used in this campaign.

Start free, no card required

Frequently asked questions

How can employees tell a fake IT helpdesk call on Teams from a real one?

Microsoft Teams displays an 'External unfamiliar' label on calls originating outside your organisation's own tenant. Any caller from an @*.onmicrosoft.com domain that does not match your company's domain should be treated with immediate suspicion. Your real IT team will always be reachable via an internal ticket number or a known internal extension, and they will not cold-call you to install software.

Why is EtherRAT harder to take down than conventional malware?

EtherRAT stores its command-and-control server address inside an Ethereum smart contract on the public blockchain. Defenders cannot simply seize or sinkhole a domain to cut off the attacker, because the lookup record lives on a decentralised network no single party controls. The attacker can update the address in the smart contract at any time.

Are HopToDesk and AnyDesk themselves malicious tools?

No. Both are legitimate, commercially available remote-support applications. In this campaign attackers exploit the fact that security tools typically trust signed software from recognised vendors. The malicious act is persuading an employee to install them without authorisation and then using them to deliver the EtherRAT payload.

What Microsoft Teams admin settings can reduce this risk?

Administrators can restrict external access so only approved federated domains can initiate calls or chats with internal users. Microsoft has also introduced a policy that holds suspected third-party bots in a meeting lobby until an organiser admits them. Disabling external access entirely in environments where it is not operationally needed is the most effective single control.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress