ReliaQuest uncovered a sophisticated malware campaign that begins with Microsoft Teams phishing and escalates into a rare persistence technique involving Type Library (TypeLib) hijacking — a method never previously seen in the wild.
The campaign also delivered a newly discovered PowerShell backdoor, targeting finance and professional services sectors with high precision.
The investigation was initiated during a response to multiple customer incidents in March 2025. Analysts identified initial access tactics consistent with the “Storm-1811” threat group, known for delivering Black Basta ransomware. However, the use of a novel persistence method and malware diverged sharply from past campaigns, suggesting possible group fragmentation or imitation by another actor.
Using Microsoft Teams as launchpad for attacks
ReliaQuest's analysis revealed that the attack started with phishing messages sent via Microsoft Teams using a fraudulent Microsoft 365 tenant impersonating IT support. The messages were strategically timed to align with employees' afternoon hours and targeted executive-level staff with female-sounding names — tactics designed to exploit timing, authority bias, and possible social engineering research into phishing susceptibility.
Once the attacker gained access, they used Windows' Quick Assist tool for remote control. From there, they executed a registry command to hijack a COM Type Library by modifying the CLSID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}. This key is associated with Internet Explorer components, meaning even common system operations like launching Explorer.exe could trigger the attacker's payload. The registry entry directed Windows to fetch and execute a script from a malicious Google Drive link using the script protocol handler.
This led to the execution of a PowerShell backdoor cleverly wrapped in JScript and hidden inside a text file (“5.txt”) containing obfuscating “junk code” with space-themed keywords. The JScript first wrote the embedded PowerShell to disk and then executed it silently. The malware established contact with a Telegram bot to confirm successful deployment, then began beaconing to a command-and-control server dynamically generated from the victim's hard drive serial number.
The PowerShell component created a unique Mutex to prevent multiple executions and initiated an infinite loop to fetch and execute commands from the C2 server (181.174.164[.]180). This stealthy communication method allowed the attacker to maintain undetected access for extended periods. Notably, early variants of the malware were found on VirusTotal dating back to January 2025, suggesting active development and testing since early in the year. Some of these versions were associated with malicious Bing ads campaigns distributing fake Microsoft Teams installers.
ReliaQuest
The malware closely resembles a strain dubbed “Boxter” that was previously used in Bing ad attacks. Code overlaps and infrastructure ties suggest the same threat actor has evolved Boxter into this new variant, though it remains unclear whether Black Basta actors are behind the campaign or if another group has adopted their techniques. ReliaQuest noted the malware developer likely operates in a Russian-speaking country, based on Telegram bot logs containing Cyrillic syntax.
To defend against these attacks, it is recommended to restrict Microsoft Teams external communications, allowing only approved domains. Also, disable or restrict JavaScript execution via Group Policy or AppLocker, enforce PowerShell Constrained Language Mode using Windows Defender Application Control, and disable Windows Script Host through Group Policy.
Leave a Reply