NEWS: It's not Microsoft Teams... A simple mistake when choosing a link can deprive an entire security department of sleep

pinkman
Behind a familiar download button lies a chain designed to exploit inattention and haste.

Fake Microsoft Teams installers have once again become convenient bait for cybercriminals. The attack scenario is as follows: the user looks for a work program, opens a site from the top of the search results and receives a file that looks convincing both to Windows and to security solutions, but launches a multi-step infection.

BlueVoyant has described the Lorem Ipsum campaign, in which attackers promote fake Microsoft Teams download pages through SEO poisoning in Bing and Google. Such sites consist mostly of a prominent download button leading to a malicious MSI file. According to the company, the campaign affected at least six countries in North America, Europe and Asia from March to the end of April 2026. One of the cases involved a healthcare organization in the United States.

The malicious installers are signed with valid Microsoft Data Verified digital certificates that had been registered for a maximum of three days. This approach helps the files look legitimate and at the same time shortens the window in which the certificate can be revoked. The domains for the campaign were registered through NameCheap with WHOIS privacy protection (Help-for-Privacy) and were put to use hours or days after creation.

BlueVoyant links the group's development to an early sample found in February 2026. At that time the malicious file was disguised as the EP Detective utility and was poorly protected. The operators then quickly made their tooling more sophisticated: they added decryption via a substitution cipher, XOR-encrypted code fragments, DLL sideloading and a new scheme for exchanging data with command-and-control servers.

The Lorem Ipsum backdoor collects information about the infected computer, Base64-encodes part of the data, encrypts the information with a random key and sends it to a hard-coded C2 server. The response arrives as a file resembling a JFIF image. This cycle continues for as long as the server remains available. No additional payloads were observed during the analysis, but the code allows new components to be executed if the operator considers the victim valuable.

For covert coordination, the group used profiles on letsdiskuss.com, including joeblack1673, stevenblake8483, dhuahsd12d2752 and stevensegal4596. According to BlueVoyant, different profiles may have separated campaign waves or groups of victims, and each profile pointed to its own set of C2 domains. In March the operators still used plainaw.com to deliver compressed PowerShell commands, but in mid-April they moved to individual C2 domains with paths of the form /api/init/{UUID}, which improved their tracking of infected systems.

The company regards the group as neither ordinary mass-malware operators nor an APT-level actor. The development speed, the spending on domains, certificates and hosting, and the competition with legitimate search results point to a well-funded criminal team. BlueVoyant allows that the operators may be working as initial access brokers, although their ultimate goals have not yet been confirmed.
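The beaconing pattern described above (a per-victim /api/init/{UUID} path answered with something that looks like a JFIF image) lends itself to a simple proxy-log check. The following Python is an added example, not part of the article or of BlueVoyant's tooling; the log format, host names, source addresses and UUID are constructed, and none of the campaign's real C2 domains appear.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not from the report):
# "<timestamp> <src_ip> <method> <url> <status> <response-content-type>"
SAMPLE_LOGS = [
    "2026-04-15T10:01:02Z 10.0.0.5 POST https://c2-placeholder.example/api/init/3f2a1b4c-9d8e-4f70-a1b2-c3d4e5f60718 200 image/jpeg",
    "2026-04-15T10:01:05Z 10.0.0.7 GET https://intranet.example/api/init/not-a-uuid 200 text/html",
    "2026-04-15T10:02:10Z 10.0.0.5 POST https://c2-placeholder.example/api/init/3f2a1b4c-9d8e-4f70-a1b2-c3d4e5f60718 200 image/jpeg",
    "2026-04-15T10:03:00Z 10.0.0.9 GET https://cdn.example/images/logo.jpg 200 image/jpeg",
]

# Strict RFC 4122 textual UUID; "not-a-uuid" style paths must not match.
UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
C2_PATH = re.compile(r"^https?://([^/]+)/api/init/(" + UUID_RE + r")$", re.IGNORECASE)


def find_beacons(lines):
    """Return one dict per request whose URL matches the /api/init/{UUID} shape.

    image_response is True when the server answered with an image content type,
    which is the second characteristic of the exchange described in the article.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed or unexpected log format; skip rather than crash
        ts, src, _method, url, _status, ctype = parts
        m = C2_PATH.match(url)
        if not m:
            continue
        hits.append({
            "ts": ts, "src": src, "host": m.group(1).lower(),
            "uuid": m.group(2).lower(),
            "image_response": ctype.lower().startswith("image/"),
        })
    return hits


def beacon_counts(hits):
    """Count repeated check-ins per (source, C2 host, UUID) to surface polling behaviour."""
    return Counter((h["src"], h["host"], h["uuid"]) for h in hits)
```

Repeated hits for the same (source, host, UUID) tuple with image responses are the pattern worth escalating; a single match on an internal host is more likely a false positive.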