Signed malware posing as Teams and Zoom apps drops RMM backdoors

[harlan4096]

A wave of phishing campaigns that used signed malware posing as popular workplace apps like Microsoft Teams, Zoom, and Adobe Reader to deploy remote monitoring and management (RMM) backdoors.

The activity, attributed to an as-yet unidentified threat actor, highlights how trusted branding and valid-looking digital signatures can be abused to gain stealthy, long-term access in enterprise networks.

According to Microsoft, the campaigns relied on convincing phishing emails that spoofed common workplace themes such as meeting invitations, invoices, project bids, and internal notifications.

In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor.

Messages either attached counterfeit PDFs or embedded links that redirected users to attacker-controlled download pages closely mimicking legitimate Adobe, Teams, or Zoom portals.

Victims were encouraged to “update” or “open” documents via prominent buttons and prompts, which instead delivered Windows executables masquerading as trusted apps, including msteams.exe, trustconnectagent.exe, adobereader.exe, zoomworkspace.clientsetup.exe, and invite.exe.

Continue Reading...