// 4 CVE · 1 EXPLOIT · 1 ADVISORY IN THE LAST 24H
Palo Alto Networks Unit 42 uncovered a campaign that abuses Microsoft Teams voice calls to impersonate corporate IT support and trick employees into installing EtherRAT, a remote access trojan that uses Ethereum smart contracts for command-and-control resilience.

Threat actors are abusing Microsoft Teams voice calls, impersonating corporate IT support to lure employees into installing EtherRAT, a remote access trojan that leverages Ethereum smart contracts for command and control. The campaign, documented by Palo Alto Networks Unit 42 in a July 6, 2026 report, demonstrates how enterprise communication platforms have become the new hunting ground for advanced social engineering: no more suspicious emails, but seemingly legitimate voice interactions that exploit users' familiarity with everyday tools.

Key Takeaways
  • The campaign begins with a phishing email containing an "Employee Survey" PDF, followed by a Teams voice call from an external account labeled "External unfamiliar"
  • The identified attacker account is helpdesk@Progressive936.onmicrosoft[.]com, which guides the victim to install legitimate remote access tools
  • The malicious MSI (v7.msi) from camorreado[.]click acts as a Node.js loader that downloads a legitimate runtime, decrypts the payload, and executes EtherRAT
  • EtherRAT retrieves the active C2 server via an Ethereum smart contract, making the command infrastructure more resilient to conventional takedowns
  • Nine installer versions (v1-v9) found on a distribution server indicate active toolkit development

The Attack Chain: From PDF to Remote Control via Blockchain

The attack unfolds in a multi-stage sequence designed to overcome natural wariness toward traditional emails. The initial phase uses a phishing message with a PDF attachment titled "Employee Survey," a theme that plays on the user's sense of internal participation. The document is not the final payload but a trigger to establish credibility.

In the next phase, the victim receives a voice call on Microsoft Teams. The caller's account appears as external — with the "External unfamiliar" label visible during the session — yet the address helpdesk@Progressive936.onmicrosoft[.]com suggests a plausible cover. Audit logs, according to Unit 42, confirm the attacker initiated the external chat using this account.

During the call, the impersonated operator guides the user to install legitimate remote access tools: HopToDesk and AnyDesk. This choice is strategic: using recognized software reduces the risk of detection by endpoint security solutions, which often whitelist legitimate remote desktop applications, and lowers the victim's psychological defenses, as they see known software being installed.

The critical step comes with the download and execution of an MSI installer, identified as v7.msi, hosted on the domain camorreado[.]click. The MSI does not contain the final malware directly but serves as a Node.js loader: it downloads a legitimate Node.js runtime, decrypts an embedded payload, and launches EtherRAT. This multi-layered architecture complicates forensic analysis and delays detection.

EtherRAT: The RAT That Talks to the Blockchain

EtherRAT is a cross-platform remote access trojan written in Node.js, a choice that ensures portability across operating systems without recompilation. Documented capabilities include remote control of the compromised system, arbitrary command execution, data theft, and persistence mechanisms.

The most technically significant feature is the command-and-control channel. EtherRAT does not rely on traditional servers with static IP addresses or easily seized domain names. Instead, it retrieves the active C2 server by querying a smart contract on the Ethereum blockchain.

This architectural choice has concrete operational consequences: the smart contract remains active as long as someone pays gas to keep it on the network, and its content is replicated across thousands of nodes. Operators can update the C2 server reference by interacting with the contract, without redistributing the malware.

On a distribution server discovered during the investigation, Unit 42 found an open directory containing malware installers in nine successive versions, from v1 to v9. This evidence indicates active, iterative development of the toolkit, with likely bug fixes, detection evasions, and installer optimizations over time.

Why the Teams Vector Changes the Game

Abuse of Microsoft Teams represents a qualitative evolution over traditional phishing. Enterprise communication platforms enjoy an implicit level of trust that external emails have not possessed for years: the average user associates Teams with internal conversations, document collaboration, and interactions with colleagues. The presence of an account that appears to belong to the organization — even if marked as external — exploits this cognitive asymmetry.

The use of voice calls adds another layer of psychological pressure. The synchronicity of a real-time conversation reduces time for verification, while the attacker's step-by-step guidance creates an authority dynamic that discourages opposition. Screen sharing, often requested during these sessions, directly exposes the victim's interface to the operator's visual control.

Microsoft introduced external caller alerts and restrictive policies for third-party bots in 2026, acknowledging the growth of this vector. The EtherRAT campaign demonstrates, however, that these measures do not neutralize the threat when the attack plays on social engineering rather than technical vulnerabilities in the platform.

What to Do Now

Organizations using Microsoft Teams can adopt specific measures against this campaign. Verify that accounts labeled "External unfamiliar" cannot initiate voice calls to users without prior authorization. Block the domain camorreado[.]click and the account helpdesk@Progressive936.onmicrosoft[.]com at the firewall and proxy level, as flagged as IoCs by Unit 42 research.

Configure endpoint policies to require administrative approval for installation of remote access software such as HopToDesk and AnyDesk, even when the applications are digitally signed. Implement network controls that detect downloads of Node.js runtimes in contexts not expected by corporate policies, given that EtherRAT's MSI loader uses this technique.

Train staff to recognize that Teams calls from external accounts, even with suggestive IT support naming, require independent verification through a known channel — internal phone or ticket system — before executing instructions. Update threat intelligence models to track suspicious Ethereum smart contracts used as C2 resilience mechanisms, integrating this capability into blockchain analysis platforms.

"Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks." — Palo Alto Networks Unit 42, via BleepingComputer

Limitations and Context

The dossier does not specify the exact number of organizations or victims compromised, nor the preferred industry sector or geography of the campaigns. No attribution to a specific threat actor group emerges: the dossier does not document infrastructure overlaps, language indicators, or behavioral patterns linking EtherRAT to publicly attributed campaigns.

The exact payload decryption mechanism in the MSI loader is not detailed, making it impossible to assess cryptographic robustness. EtherRAT's full capabilities beyond remote control, command execution, and data theft are not exhaustively documented.

FAQ

What is the Ethereum smart contract used by EtherRAT and why does it complicate defense?

A smart contract is an immutable program on the Ethereum blockchain that automatically executes instructions when it receives transactions. EtherRAT queries it to obtain the active C2 server address. Because the contract is distributed on a decentralized network, there is no single entity to contact to disable it and no physical server to seize.

Why does the attacker use legitimate tools like AnyDesk and HopToDesk?

The dossier documents that the attacker guides the victim to install these tools as an intermediate step. Using recognized applications reduces the likelihood of blocking by security solutions and exploits the user's familiarity with legitimate remote support tools, lowering perceptual defenses.

Is Microsoft Teams vulnerable to this technique?

No. The article reports that the abuse is based on social engineering, not technical vulnerabilities in the platform. The attacker account is external and marked as such; the attack exploits users' tendency to trust interactions on enterprise platforms, not a flaw in Teams software.

The EtherRAT campaign marks a point of no return for enterprise social engineering: technical defenses remain necessary, but the decisive perimeter has shifted to users' ability to verify the identity of those contacting them through channels they instinctively perceive as safe. Blockchain-based C2 adds a complexity that organizations will need to integrate into threat intelligence models, getting used to tracking threats that leave no footprints on traditional servers.

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. bleepingcomputer.com
  2. thehackernews.com
  3. securelist.com
  4. deals.bleepingcomputer.com