New Backdoor Attack Exploits Microsoft Teams

Cybersecurity firm ReliaQuest has uncovered a sophisticated attack campaign that uses Microsoft Teams to deploy a previously unknown backdoor malware. The attacks, which began in March 2025, specifically target female executives in the finance and professional services sectors.

The attack chain begins with carefully timed phishing messages sent through Microsoft Teams from accounts posing as technical support staff. Once victims are convinced to launch Windows' built-in "Quick Assist" tool, attackers gain access to their systems and implement a novel persistence technique called TypeLib hijacking.

"This is the first time we've seen TypeLib hijacking used in the wild," said Hayden Evans, the primary author of the ReliaQuest report. "Attackers are modifying Windows Registry entries to redirect legitimate COM objects to malicious scripts hosted on Google Drive."

The technique ensures that the malware, a sophisticated PowerShell backdoor, is automatically downloaded and executed whenever the system restarts. According to ReliaQuest, the backdoor contains extensive "junk code" designed to evade detection, with several space-themed keywords like "Galaxy," "Cosmos," and "Orion."
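A defender-side check for the registry change described above, added here as an example rather than taken from the ReliaQuest report: it walks the per-user and machine TypeLib registrations and flags win32/win64 values that point somewhere other than a local .tlb/.dll. The script assumes that a hijacked entry uses a remote URL or "script:" moniker as its target, and that a per-user (HKCU) registration shadowing a machine (HKLM) one deserves review, since HKCU\Software\Classes is consulted first.

```powershell
# Added example (not from the ReliaQuest report). Assumptions:
#  - a hijacked TypeLib entry points win32/win64 at something that is not a
#    local .tlb/.dll (for example a URL or a "script:" moniker), and
#  - a per-user (HKCU) registration that shadows a machine (HKLM) one is
#    itself worth review, because HKCU\Software\Classes is consulted first.
$userRoot    = 'HKCU:\Software\Classes\TypeLib'
$machineRoot = 'HKLM:\Software\Classes\TypeLib'

function Test-LocalTypeLibTarget {
    param([string]$Target)
    # Registrations may carry a trailing resource index, e.g. "C:\x\foo.dll\1".
    $path = [Environment]::ExpandEnvironmentVariables(($Target -replace '\\\d+$', ''))
    if ([string]::IsNullOrWhiteSpace($path)) { return $false }
    return (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue)
}

$findings = foreach ($root in @($userRoot, $machineRoot)) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -in @('win32', 'win64') } |
        ForEach-Object {
            # The (default) value of win32/win64 is the path COM will load.
            $target = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($target)) { return }
            $reasons = @()
            if ($target -match '^(script|https?):|https?://') { $reasons += 'remote or script target' }
            elseif (-not (Test-LocalTypeLibTarget $target))   { $reasons += 'target not on disk' }
            if ($root -eq $userRoot) {
                # Same GUID\version\lcid\win32 key registered for the machine too?
                $relative = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\TypeLib', ''
                if (Test-Path -LiteralPath ($machineRoot + $relative)) { $reasons += 'shadows HKLM registration' }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $_.Name; Target = $target; Reason = ($reasons -join '; ') }
            }
        }
}
$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session so the HKLM branch is readable; an empty table means no entry matched the assumptions above, not that the host is clean.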

Analysis of the attack infrastructure suggests the malware has been in development since January 2025, with early versions deployed through malicious Bing advertisements. The report notes that Telegram bot logs associated with the malware contained Russian text, indicating the developer is likely from a Russian-speaking country.

ReliaQuest believes the attackers may be connected to Storm-1811, a threat group known for deploying Black Basta ransomware. However, the report suggests several possibilities: either Black Basta has adopted new techniques, the group has splintered, or an entirely different group has begun using similar initial access tactics.

To protect against these attacks, ReliaQuest recommends disabling external communication in Microsoft Teams, blocking specific domains at the network edge, disabling JScript via Group Policy, and implementing Windows Defender Application Control to restrict PowerShell functionality.

The report highlights a concerning trend in cybersecurity: increasingly targeted attacks that exploit legitimate collaboration tools to bypass traditional security measures. With Microsoft Teams now a standard communication platform in many organizations, security experts warn that similar tactics will likely become more common.