A new cyberattack method is making waves, showing how hackers use simple tricks to break into computer systems. The attacker initiated the attack with a fake Microsoft Teams message and a phone call, then installed malware on the victim’s system. The attackers misused a trusted remote access tool, TeamViewer, to stay hidden and maintain control over the infected system.
A Simple Call That Opened the Door to a Cyberattack
A security team recently investigated an incident where an attacker sent a fake message on Microsoft Teams, followed by a phone call. The caller convinced the victim to run a PowerShell command—a small piece of code that helps control a computer. This was the first step in the attack.
After the command was executed, a hidden payload was downloaded. This allowed the attackers to take over the victim’s computer. To maintain access, they used Quick Assist, a built-in Windows tool for remote support. Since Quick Assist is a trusted program, the attack did not raise any alarms at first.
Using Trusted Tools to Stay Undetected
Once inside the system, the attacker placed a signed version of TeamViewer.exe in a hidden folder. TeamViewer is a widely used remote desktop tool that allows people to access computers from different locations. However, the attacker used a sneaky trick known as DLL sideloading.
DLL sideloading happens when a legitimate program is forced to load a malicious file instead of its usual safe files. In this case, the attackers placed a harmful DLL file (TV.dll) alongside TeamViewer.exe. This made the malware blend in with normal activities, making it much harder to detect.
The attacker didn’t stop there. To make sure the malware remained active, they created a shortcut file in the system’s startup folder. This meant that even if the computer was restarted, the malware would run automatically.
To move files quietly and keep access, they used a Windows feature called Background Intelligent Transfer Service (BITS). This tool normally downloads updates and syncs files. But attackers can use it as a weapon. With this method, they controlled the infected system for up to 90 days without drawing attention.
In the second stage of the attack, the hacker used a JavaScript backdoor called “index.js.” They ran it with Node.js, a tool that lets JavaScript work outside a web browser. Once active, the backdoor created a hidden connection. This gave the attacker full control over the system.
Security experts say this attack looks like those from the hacker group Storm-1811. The attackers used Quick Assist for remote access. They also used DLL sideloading and Microsoft Teams to break in. Cybersecurity firms like Microsoft and Sophos have seen similar attacks before.
How Cyber Attacks on Industrial Control Systems Can Endanger Lives ?
Social Engineering: The Real Threat
The core of this attack was social engineering, which means tricking people into taking actions that compromise their security. The hackers relied on human trust rather than complex coding tricks.
The initial vishing call (voice phishing) played a crucial role. The attacker pretended to be from a trusted source and convinced the victim to run a command that led to full system compromise.
Cybersecurity experts have observed a massive 1633% increase in vishing attacks in early 2025. This attack confirms that such threats are not just numbers but real dangers affecting individuals and organizations alike.
One security professional explained that the attacker’s strategy was effective because it used a signed and trusted application to slip past defenses. By sideloading a malicious DLL into a normal-looking process, they were able to turn a standard remote support tool into an undetectable backdoor.
This attack is a clear example of how hackers don’t always need complex viruses or software vulnerabilities to break into systems. When people trust unfamiliar messages and calls, attackers can use everyday tools to launch devastating cyberattacks.
Cyberattack Catastrophe: How Hackers Can Endanger Human Lives ?