Beware — the endless video calls clogging up your diary before you wind down for the holidays could be more dangerous than tedious. There are now fake installs and updates doing the rounds, and they’re poisoning SEO search results. That means you won’t know you’re running a dangerous app until it’s too late.
A new CyberProof report warns the Oyster backdoor is back. Starting mid-November, attackers started “delivering the Oyster backdoor by tricking users into downloading malicious office meeting software files like Microsoft Teams and Google Meet.”
Oyster was doing the rounds in the summer, “spreading through malvertising campaigns that impersonate popular IT tools, such as Putty and WinSCP.” But this mimicking of office tools will catch out employees looking to update their software.
“These lures effectively reached enterprise users who rely on search engines to locate software updates,” Cyber Press warns. The (now revoked) certificates give “a false sense of legitimacy, making the malicious installers appear safe to download and execute.”
CyberProof says “since there has been some ties with human operated ransomware groups, we strongly believe and predict this threat cluster will continue to be active through 2026.” This is just the latest alert that should convince users to avoid installs and updates from anywhere other than official app stores or in-app update links.
There was a similar Oyster warning in September, with Blackpoint’s SOC “tracking a new campaign where threat actors are abusing SEO poisoning and malvertising to lure users into downloading a fake Microsoft Teams installer. Victims searching for Teams online are redirected to rogue ads and fraudulent download pages.”
As Blackpoint explains, Oyster, aka Broomstick, “is a modular, multistage backdoor that provides persistent remote access, establishes Command and Control comms, collects host information, and enables the delivery of follow-on payloads.”
Hiding as work-based productivity apps and tricking employees into updates and installs, often urgently as a meeting is scheduled to begin, provides a dangerous entry point into both the individual’s PC and also the corporate network.
While this may seem an unlikely mistake to make, if your company uses Teams and you find yourself joining a Google Meet call, or vice versa, then it’s no surprise you might install software quickly to facilitate a call. And a search engine is where you naturally go.











