Fake IT Helpdesk Calls on Microsoft Teams Are Planting EtherRAT on Company PCs

Attackers pose as internal support staff over Teams voice calls, then walk employees through installing remote-access tools that drop a Node.js trojan.

ThreatVectr Newsdesk· 4 min read
A photoreal editorial scene of a modern open-plan office desk at dusk, a laptop showing a generic video-call interface with a blurred external caller notificati
Share

Key points

  • Palo Alto Networks' Unit 42 has documented an active campaign that uses phishing emails followed by Microsoft Teams voice calls from a fake 'System Administrator' to install EtherRAT malware.
  • The attacker calls from an external Microsoft 365 tenant, helpdesk@Progressive936.onmicrosoft[.]com, and Teams labels the session 'External unfamiliar'.
  • Victims are talked into installing HopToDesk and AnyDesk, after which a malicious MSI installer (v7.msi) is fetched from camorreado[.]click.
  • EtherRAT is a cross-platform remote access trojan written in Node.js that hides its command server address inside Ethereum smart contracts.
  • Unit 42 found an open directory holding installer versions v1 through v9, suggesting the campaign is still being built out.

A new attack chain reported by BleepingComputer, and detailed by Palo Alto Networks' Unit 42, shows criminals working the phones as well as the inbox. They call employees on Microsoft Teams, the workplace chat and calling app most large companies use, and pretend to be the IT helpdesk.

The goal is simple. Get the employee to hand over remote control of their computer. Then install malware.

How does the scam actually unfold?

It starts with a phishing email, meaning a fake message designed to trick the reader. The lure is an 'Employee Survey' with a PDF attached.

Shortly after the victim opens the document, their Teams rings. The caller says they are a 'System Administrator' looking into a problem.

Unit 42 says the call comes from outside the company's own Microsoft 365 account, and Teams flags this with an 'External unfamiliar' label. Audit logs traced one attacker account back to helpdesk@Progressive936.onmicrosoft[.]com.

The fake technician then asks the employee to share their screen and grant remote control, both of which are normal features built into Teams. From there, the attacker walks the victim through installing HopToDesk and AnyDesk, two legitimate remote-support tools that IT departments use every day. Because the software is real and signed, most antivirus products let it through.

With remote access secured, the attacker downloads and runs a Windows installer file called v7.msi from a site named camorreado[.]click. That installer is the trap. It quietly pulls down a legitimate copy of Node.js, a programming environment, and uses it to launch the real payload: EtherRAT.

What can EtherRAT do once it is inside?

EtherRAT is a remote access trojan, meaning malware that hands the attacker full control of the machine. It can run commands, move and steal files, and keep itself running after reboots.

It has one unusual trick. Instead of hard-coding the address of its command server, which defenders can then block, EtherRAT looks up that address inside an Ethereum smart contract on the blockchain. Taking down the server becomes much harder because the lookup lives on a public network the attackers do not need to own.

Unit 42 says the malware was previously seen in state-sponsored attacks exploiting the React2Shell flaw, and has since spread to other criminal groups. Researchers found installer versions v1 through v9 sitting in an open folder on the distribution server, which means the campaign is still being actively developed.

Why does this keep working on Teams?

Because Teams is trusted inside the office in a way email no longer is. If your 'helpdesk' calls you on the same app your real helpdesk uses, most people pick up.

A March campaign against banks and hospitals used the same playbook with Quick Assist and dropped a backdoor called A0Backdoor. In April, Microsoft itself warned that external Teams accounts were being used to impersonate support staff and pivot across corporate networks.

Microsoft has added guardrails in response. External callers and chats now carry visible warnings. Last week the company also introduced a Teams admin policy that automatically parks suspected third-party bots in the meeting lobby until an organiser lets them in.

For staff, the practical rule is short. Your real IT team will not cold-call you from an outside account and ask to take over your screen. If in doubt, hang up and ring the helpdesk on a number you already know.

© 2026 Threat Vectr