Cato CTRL™ Threat Research: Vishing and Microsoft Teams Used to Deliver PhantomBackdoor

Khushal

Apr 4, 2024
This is a credible example of how social engineering is being combined with legitimate business tools to bypass user suspicion.

What stands out

  • The initial access method was not an exploit but vishing through Microsoft Teams, which fits a broader trend of attackers abusing trusted communication platforms.
  • The reported use of PowerShell in multiple stages is also common because it is built into Windows and can blend in with normal admin activity.
  • A WebSocket-based C2 channel can make traffic look less unusual than older, noisier command-and-control methods.

Why this matters

Many organizations focus heavily on email phishing, but Teams, Slack, Zoom, and remote support workflows can be just as important from a defense standpoint.

If the report is accurate, the key lesson is that the attacker likely relied more on trust manipulation than on technical sophistication alone.

Practical defensive takeaways

  • Require strict identity verification for helpdesk or IT support interactions, especially when password resets, MFA changes, or remote access are involved.
  • Restrict who can contact staff through Teams, particularly external tenants if the business does not need broad federation.
  • Review PowerShell usage and enable stronger logging where feasible, including Script Block Logging and transcription in managed environments.
  • Use application control or attack surface reduction rules if the environment supports them.
  • Train users that a message or call appearing in a trusted platform does not automatically make it legitimate.

One caution

I cannot independently verify every technical detail in the vendor report from the quoted excerpt alone, so I would treat it as a useful incident write-up rather than final proof of a wider campaign by itself.

Bottom line

The bigger takeaway is not just “Teams is risky,” but that attackers increasingly abuse whatever platform employees already trust. Controls around identity verification, remote support, and script execution are likely more valuable than focusing on one app alone.

Sources
 
Executive Summary

Confirmed Facts

A threat actor utilized vishing and Microsoft Teams screen-sharing to trick users at an Italy-based company into executing a malicious PowerShell script, which retrieved a WebSocket-based backdoor known as PhantomBackdoor.

Assessment
This attack bypasses traditional perimeter defenses by leveraging human trust and social engineering for initial access, utilizing native OS tools to evade file-based detection mechanisms.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1566.004 (Phishing: Voice)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1071.001 (Web Protocols)
T1082 (System Information Discovery)

CVE Profile
N/A [No active CVE utilized; relies on Social Engineering].

Telemetry

Domains

maxsolutions243[.]com
halungroup[.]com

IPs
104[.]238[.]133[.]25
162[.]252[.]172[.]74

SHA256 Hashes
1497ad4cd9b3f009904896464b090ad2ff4c932f2bb57752bb19b53b2ec65ea0
b0c07b265c9d9046038ffa48d5b8e17b8ba0791503beba85196cdbe0ac2fcb27

Execution Behavior
De-obfuscated PowerShell collects the Computer name, Domain information, Username, Process identification (PID), and System universally unique identifier (UUID).

C2 Communication
System data is XOR-encrypted using the hardcoded key YUkdzDWUQuuwkbhzJGE0hwHxiha9VCnC, Base64-encoded, and sent to the C2.

The final stage establishes a WebSocket session to ws://maxsolutions243[.]com:80.

Constraint
The structure suggests a multi-stage fileless execution chain relying heavily on user interaction to initiate the first stage, reducing on-disk artifacts.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Mandate strict identity verification procedures for all IT helpdesk interactions, specifically those involving password resets or remote support.

DETECT (DE) – Monitoring & Analysis

Command
Enable and monitor PowerShell Script Block Logging and transcription to identify obfuscated commands.

Command
Alert on the high-risk behavioral sequence of a Microsoft Teams session immediately followed by anomalous PowerShell execution and outbound downloads.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints exhibiting outbound WebSocket communications to the known malicious domain maxsolutions243[.]com.

RECOVER (RC) – Restoration & Trust

Command
Validate the eradication of in-memory payloads via memory forensics before returning isolated endpoints to production.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Restrict external Microsoft Teams access strictly to approved tenants to minimize exposure to unverified external actors.

Command
Limit screen sharing and remote control capabilities for external participants in communication platforms.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
If you were guided by an unverified support caller to run commands via screen share, disconnect your device from the internet immediately to sever the WebSocket connection.

Priority 2: Identity

Command
Do not log into banking/email or other sensitive accounts until the device is verified clean.

Command
Reset critical passwords using a known clean device.

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions for unknown entries, though be aware that this specific threat operates heavily in-memory.

Hardening & References

Baseline

CIS Benchmarks for Microsoft Windows (PowerShell Hardening).

Framework
NIST CSF 2.0 (PR.AT-1: Identity and Access Management; PR.AT-2: Awareness and Training).

Source

Cato Networks
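As an added example (not code from this post or from Cato's report), here is a small Python analyst helper for the beacon encoding the summary describes: system data XOR-encrypted with the reported hardcoded key, then Base64-encoded. It assumes repeating-key XOR cycled byte by byte over UTF-8 text, which the excerpt does not spell out; the system-data sample and the `looks_like_phantom_beacon` triage heuristic are my own constructions.

```python
import base64
from itertools import cycle

# Hardcoded XOR key reported for PhantomBackdoor (taken from the write-up above).
PHANTOM_XOR_KEY = b"YUkdzDWUQuuwkbhzJGE0hwHxiha9VCnC"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so one function both encodes and decodes.
    Assumption: the key is cycled over the data one byte at a time."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_beacon(b64_payload: str, key: bytes = PHANTOM_XOR_KEY) -> str:
    """Reverse the reported pipeline (XOR -> Base64) on a captured beacon body."""
    raw = base64.b64decode(b64_payload, validate=True)  # raises on malformed Base64
    return xor_bytes(raw, key).decode("utf-8")


def looks_like_phantom_beacon(b64_payload: str, key: bytes = PHANTOM_XOR_KEY) -> bool:
    """Triage heuristic (constructed): a blob that decodes under the known key to
    printable text deserves a closer look; unrelated data rarely will."""
    try:
        text = decode_beacon(b64_payload, key)
    except (ValueError, UnicodeDecodeError):
        return False
    return bool(text) and all(c.isprintable() or c in "\r\n\t" for c in text)


# Constructed sample of the fields the summary says are collected
# (computer name, domain, user, PID, UUID); the values are placeholders.
SAMPLE_SYSINFO = (
    "COMPUTERNAME=WS-FIN-07|DOMAIN=example.local|USER=jdoe|PID=4812|UUID=<placeholder-uuid>"
)


def build_sample_beacon(sysinfo: str = SAMPLE_SYSINFO) -> str:
    """Apply XOR then Base64 to constructed data, only to produce test input
    for the decoder; it mirrors the described pipeline, not the real script."""
    return base64.b64encode(xor_bytes(sysinfo.encode("utf-8"), PHANTOM_XOR_KEY)).decode("ascii")


if __name__ == "__main__":
    blob = build_sample_beacon()
    print("encoded:", blob)
    print("decoded:", decode_beacon(blob))
```

Point a captured Base64 body from a proxy or packet capture at `decode_beacon` to confirm what host data a beacon carried, and use `looks_like_phantom_beacon` to sift many blobs quickly.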