A new vishing (voice phishing) campaign combines social engineering with legitimate Microsoft tools to run commands and deploy multi-stage .NET malware.
Researchers found that the attack starts when threat actors impersonate IT staff on Microsoft Teams. Victims receive calls that appear to come from genuine internal IT support.
The attacker then convinces the victim to open Windows Quick Assist, the remote support tool built into Windows. Once the victim accepts the session and grants control, the attacker can operate the machine while pretending to help.
Within about 10 minutes, the victim's browser is directed to a malicious site at ciscocyber[.]com/verify.php. This is the point where the attack shifts from social engineering to technical exploitation.
Malware Deployment and Execution
After the redirect, a file named “updater.exe” is delivered. It poses as a normal Windows update tool but is malicious. The program is built on .NET Core 8.0 and contains an embedded loader that runs directly in memory: updater.exe itself is written to disk, but every later stage stays in memory, which leaves file-based defenses little to inspect.

The loader (loader.dll) handles the rest of the attack. It contacts its control server at jysync[.]info to fetch the keys needed to unlock the next stage. Keeping the keys off the host means a captured sample cannot be decrypted on its own, which complicates investigation.

It then downloads an encrypted payload, decrypts it with AES-CBC plus an additional XOR layer, and prepares it for execution. The layered encryption exists to slow down analysis.

In the final step, the loader uses .NET reflection to load the decoded assembly straight from memory. Nothing further is written to disk, which makes this stage “fileless” and lets it slip past defenses that only scan files. The payload runs with the rights of the user who accepted the Quick Assist session; it gains no extra privilege on its own.
Why This Attack is Dangerous
This campaign combines impersonation, abuse of trusted Windows tools, and sophisticated in-memory execution. By using familiar apps like Microsoft Teams and Quick Assist, attackers make their actions seem legitimate, reducing suspicion.
The .NET wrapper, with its runtime key retrieval and reflective loading, shows that the attackers are comfortable with modern software delivery and know which telemetry file-centric defenses rely on.
How Organizations Can Protect Themselves
- Monitor communication channels, including Teams calls and chats from external or unfamiliar accounts, to detect fake IT messages or calls.
- Enforce strict policies for remote assistance and access: restrict or remove Quick Assist where it is not needed, and log when it starts and who initiated the session.
- Educate employees to verify the identity of anyone requesting system access through a known internal channel before accepting a remote session.
- Deploy security tools capable of tracking unusual .NET behavior and memory-based code execution, and correlate new executables launched shortly after a remote-support session with outbound connections to unknown domains, so that fileless stages are caught by behavior rather than by file scanning.
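The chain described under “Malware Deployment and Execution” and the last recommendation above reduce to the same detection problem: no single event in this attack is damning, but a remote-support tool starting, a new binary running from a user-writable path a few minutes later, that binary loading a .NET runtime module, and DNS lookups for the listed domains together are. The following is an added example, not code from the article or from any vendor product. It correlates constructed Sysmon-style events (Event ID 1 process creation, 3 network connection, 7 image load, 22 DNS query) per user and per process. Field names follow Sysmon; the sample lines, user names, file paths, timestamps, the 30-minute session window and the assumption that updater.exe lands in a user-writable folder are all constructed for the demonstration.

```python
"""Correlating the Teams / Quick Assist / updater.exe chain in endpoint telemetry.

Added example, not code from the original article and not a vendor rule.
It runs three checks over constructed Sysmon-style events and joins them
per user and per process. Field names follow Sysmon; the sample lines,
paths, user names and timestamps are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted in the article, with the defanging brackets removed.
IOC_DOMAINS = {"ciscocyber.com", "jysync.info"}

# Remote-support tools: a new binary appearing shortly after one of these
# starts is the pattern the article describes.
REMOTE_TOOLS = {"quickassist.exe"}

# Managed-runtime modules. A binary in a user-writable path that loads one of
# these is hosting .NET code. Caveat: a self-contained single-file .NET build
# can link the runtime into the host executable, so this signal may not fire;
# treat it as supplementary, not primary.
DOTNET_RUNTIME_DLLS = {"coreclr.dll", "clr.dll", "clrjit.dll"}

# Location fragments treated as user-writable (assumption: the article does
# not say where updater.exe is written on the victim machine).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")

# How long after a remote-support tool starts the session counts as active
# (assumption; the article reports the redirect at roughly 10 minutes).
SESSION_WINDOW = timedelta(minutes=30)

# key=value pairs; values may contain spaces, so a value runs until the next
# " Key=" token or the end of the line.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed telemetry for the demonstration (one event per line).
SAMPLE_EVENTS = r"""
UtcTime=2024-05-01T08:55:00 EventID=1 User=CORP\jdoe Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE ParentImage=C:\Windows\explorer.exe
UtcTime=2024-05-01T09:00:00 EventID=1 User=CORP\jdoe Image=C:\Windows\System32\quickassist.exe ParentImage=C:\Windows\explorer.exe
UtcTime=2024-05-01T09:08:00 EventID=22 User=CORP\jdoe Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe QueryName=ciscocyber.com
UtcTime=2024-05-01T09:10:00 EventID=1 User=CORP\jdoe Image=C:\Users\jdoe\Downloads\updater.exe ParentImage=C:\Windows\explorer.exe
UtcTime=2024-05-01T09:10:02 EventID=7 User=CORP\jdoe Image=C:\Users\jdoe\Downloads\updater.exe ImageLoaded=C:\Users\jdoe\Downloads\coreclr.dll
UtcTime=2024-05-01T09:10:05 EventID=22 User=CORP\jdoe Image=C:\Users\jdoe\Downloads\updater.exe QueryName=jysync.info
UtcTime=2024-05-01T09:30:00 EventID=1 User=CORP\asmith Image=C:\Users\asmith\Downloads\setup.exe ParentImage=C:\Windows\explorer.exe
"""


def parse_event(line):
    """Turn one key=value line into a dict; an empty line yields {}."""
    return dict(KV_RE.findall(line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_path(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def detect(lines):
    """Return findings as (rule, user, image, detail) tuples, in event order."""
    session_start = {}  # user -> time a remote-support tool last started
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        user, image, eid = ev.get("User", ""), ev.get("Image", ""), ev.get("EventID")
        if eid == "1":
            if basename(image) in REMOTE_TOOLS:
                session_start[user] = ts  # remember when the remote session began
                continue
            started = session_start.get(user)
            if started is not None and ts - started <= SESSION_WINDOW and in_user_writable_path(image):
                minutes = int((ts - started).total_seconds() // 60)
                findings.append(("new_binary_during_remote_session", user, image,
                                 f"{minutes} min after remote tool start"))
        elif eid in ("3", "22"):
            host = (ev.get("QueryName") or ev.get("DestinationHostname") or "").lower()
            if host in IOC_DOMAINS:
                findings.append(("ioc_domain", user, image, host))
        elif eid == "7":
            loaded = basename(ev.get("ImageLoaded", ""))
            if loaded in DOTNET_RUNTIME_DLLS and in_user_writable_path(image):
                findings.append(("dotnet_runtime_in_user_path", user, image, loaded))
    return findings


def alerts(findings, min_rules=2):
    """Group findings per (user, image). A process that trips several
    independent rules is worth an analyst's time; a single hit may be noise."""
    rules = defaultdict(set)
    for rule, user, image, _ in findings:
        rules[(user, image)].add(rule)
    return {proc: sorted(r) for proc, r in rules.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS.strip().splitlines())
    for f in found:
        print(f)
    for (user, image), rule_names in alerts(found).items():
        print(f"ALERT {user} {image}: {', '.join(rule_names)}")
```

On the sample data the browser's lookup of ciscocyber.com produces one finding but no alert on its own, while updater.exe trips all three rules and is surfaced; the unrelated user who runs an installer from Downloads with no remote session active produces nothing. The window and path list are the knobs to tune against your own baseline before relying on this in production.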