New Vishing Attack Leverages Microsoft Teams Call and QuickAssist to Deploy .NET Malware

Originally published on cybersecuritynews.com (Cyber Security News) by Blog Writer

A sophisticated new vishing campaign has emerged, blending traditional voice phishing with modern collaboration tools to deploy stealthy malware.

Attackers are using Microsoft Teams calls to reach the victim and the built-in Windows remote support tool Quick Assist to take control of the endpoint, sidestepping controls that are tuned to third-party remote access software.

By impersonating senior IT staff, they create a sense of urgency that disarms victims, leading to a multi-stage infection process designed to evade standard detection mechanisms.

The attack begins with a Teams call from an external account using a spoofed display name to appear as a legitimate internal administrator.

The threat actor persuades the target to launch Microsoft Quick Assist. Because Quick Assist is a Microsoft-signed tool that ships with Windows, it is rarely blocked or flagged by controls that look for third-party remote access software, so the attacker obtains an interactive session without tripping the usual alerts. Once access is established, the attacker pivots to deploying a malicious payload.

SpiderLabs security analysts identified this campaign, noting the distinct shift towards using trusted, built-in system utilities to facilitate compromise.

Following the initial access, the victim is redirected to a malicious domain, ciscocyber[.]com, after approximately ten minutes.

This delay is likely a tactic to reduce suspicion before the final stage of the attack is initiated, where a file disguised as a legitimate updater is introduced to the system.

Initial attack vector (Source: X)

The impact of this campaign is significant because it relies on social engineering rather than software vulnerabilities: there is nothing to patch, and a fully updated endpoint is still compromised once the victim hands over a Quick Assist session.

The .NET wrapper decrypts and runs the final-stage assembly directly in memory, so the most incriminating code never touches the disk and the forensic footprint on the endpoint is reduced.

This complicates traditional incident response, but the chain is not entirely fileless: the wrapper executable and its embedded loader library do land on disk and can be recovered, whereas the decrypted payload can only be obtained from a memory capture, from CLR assembly-load telemetry, or by replaying the decryption with keys recovered from the command-and-control traffic.

Technical Analysis of the Infection Mechanism

The core of this attack is a multi-stage infection chain built around a .NET 8.0 executable. The malicious file, named updater.exe, serves as a wrapper for an embedded library, loader.dll.

Upon execution, this loader initiates a connection to a command-and-control server at jysync[.]info to retrieve specific encryption keys.

These keys are essential for the subsequent stage, where the malware downloads an encrypted payload.

The decryption process utilizes a combination of AES-CBC and XOR operations to unlock the malicious assembly.

Crucially, the decrypted code is never written to disk; instead, it is loaded directly into memory via .NET reflection, which keeps the final stage out of reach of file-based scanning. Note that an in-memory load by itself is not persistent; it survives only as long as the hosting process, and the write-up does not describe a separate persistence mechanism.
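The chain described above (Quick Assist launched by the victim, a visit to ciscocyber[.]com roughly ten minutes later, then updater.exe calling out to jysync[.]info for keys) lends itself to a simple endpoint correlation rule. The following is an added example, not code from the article or from SpiderLabs: it runs over constructed, Sysmon-like JSON telemetry and flags both the known domains and a Quick Assist launch followed within a window by execution of the dropper. The field names, file paths, hostnames, timestamps and the 60-minute window are assumptions made for the sample.

```python
"""Added example: correlate constructed endpoint telemetry for the Teams/Quick Assist
vishing chain. Not from the original article. Field names, paths, hostnames and
timestamps are assumptions; the domains and image names come from the write-up."""
import json
from datetime import datetime, timedelta

# Domains the article associates with the chain (defanging brackets removed for matching).
IOC_DOMAINS = {"ciscocyber.com", "jysync.info"}
# The built-in Microsoft tool the caller asks the victim to launch.
REMOTE_ASSIST_IMAGES = {"quickassist.exe"}
# Name of the .NET wrapper the article describes.
DROPPED_IMAGES = {"updater.exe"}
# The article reports roughly ten minutes between the session and the malicious domain;
# a wider window (assumption) avoids tuning the rule to a single observed delay.
WINDOW = timedelta(minutes=60)

# Constructed sample events as newline-delimited JSON (not real logs).
# Raw string so the JSON keeps its doubled backslashes.
SAMPLE_EVENTS = r"""
{"ts": "2024-06-03T09:00:00Z", "host": "WS-17", "type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "explorer.exe", "user": "acme\\jdoe"}
{"ts": "2024-06-03T09:02:10Z", "host": "WS-17", "type": "process_create", "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe", "parent": "explorer.exe", "user": "acme\\jdoe"}
{"ts": "2024-06-03T09:03:00Z", "host": "WS-17", "type": "dns_query", "image": "C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe", "query": "teams.microsoft.com"}
{"ts": "2024-06-03T09:12:30Z", "host": "WS-17", "type": "dns_query", "image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "query": "ciscocyber.com"}
{"ts": "2024-06-03T09:14:05Z", "host": "WS-17", "type": "process_create", "image": "C:\\Users\\jdoe\\Downloads\\updater.exe", "parent": "explorer.exe", "user": "acme\\jdoe"}
{"ts": "2024-06-03T09:14:20Z", "host": "WS-17", "type": "dns_query", "image": "C:\\Users\\jdoe\\Downloads\\updater.exe", "query": "jysync.info"}
{"ts": "2024-06-03T09:30:00Z", "host": "WS-22", "type": "process_create", "image": "C:\\Program Files\\Vendor\\updater.exe", "parent": "services.exe", "user": "NT AUTHORITY\\SYSTEM"}
"""


def parse_events(text):
    """Parse NDJSON telemetry into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def domain_matches(name):
    """True if the queried name is an IOC domain or one of its subdomains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def detect(events):
    """Return alerts: direct IOC domain lookups, plus dropper execution that follows a
    Quick Assist launch on the same host within WINDOW."""
    alerts = []
    assist_starts = {}  # host -> list of Quick Assist launch times seen so far
    for ev in events:
        if ev["type"] == "dns_query":
            if domain_matches(ev["query"]):
                alerts.append({"rule": "ioc_domain", "host": ev["host"],
                               "image": basename(ev["image"]),
                               "domain": ev["query"].lower()})
        elif ev["type"] == "process_create":
            img = basename(ev["image"])
            if img in REMOTE_ASSIST_IMAGES:
                assist_starts.setdefault(ev["host"], []).append(ev["ts"])
            elif img in DROPPED_IMAGES:
                # Correlate with the most recent Quick Assist launch on this host.
                for t0 in reversed(assist_starts.get(ev["host"], [])):
                    delta = ev["ts"] - t0
                    if timedelta(0) <= delta <= WINDOW:
                        alerts.append({"rule": "remote_assist_then_dropper",
                                       "host": ev["host"], "image": img,
                                       "minutes_after_assist": round(delta.total_seconds() / 60, 1)})
                        break
    return alerts


def run_sample():
    """Run the rule over the constructed sample telemetry."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Two points the sample is built to make: the updater.exe on WS-22 produces no correlation alert because no Quick Assist session preceded it, so the rule keys on the sequence rather than on the file name alone; and nothing in this telemetry sees the reflectively loaded final stage, since an assembly loaded from a byte array never generates an on-disk image-load event, which is why the on-disk wrapper, the DNS lookups and the Quick Assist launch are the artifacts worth alerting on.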
