{"id":24442,"date":"2026-05-19T11:34:09","date_gmt":"2026-05-19T04:34:09","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=24442"},"modified":"2026-06-23T14:14:28","modified_gmt":"2026-06-23T07:14:28","slug":"when-microsoft-teams-is-no-longer-teams-the-truth-behind-the-trojanized-rustdesk-version","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/when-microsoft-teams-is-no-longer-teams-the-truth-behind-the-trojanized-rustdesk-version\/","title":{"rendered":"When Microsoft Teams is no longer Teams: The truth behind the trojanized RustDesk version"},"content":{"rendered":"<h2 id=\"overview\"><span style=\"font-family: arial, helvetica, sans-serif\">Overview<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">A sophisticated attack campaign was recently discovered, where the attacker distributes a fake Microsoft Teams installer (MSTeamsSetup.exe) to secretly introduce a trojanized version of RustDesk into the system.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">What makes this campaign particularly dangerous is that the malicious file is signed with a valid digital signature under the name &#8220;Zlatin Stamatov.&#8221; This &#8220;disguise&#8221; allows the malware to easily bypass common defense mechanisms like AV or EDR, which typically trust digitally signed software.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/malware-1778646047.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-36183\" src=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/malware-1778646047.png\" alt=\"Malware 1778646047\" width=\"1235\" height=\"867\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Hidden behind the scenes is a command and control (C2) infrastructure with many signs matching previous activities of the &#8220;calipology&#8221; group, known for the Striker C2 framework. Instead of developing malware from scratch, the attacker chooses a &#8220;smarter&#8221; path: exploiting a legitimate tool like RustDesk, but silently reconfiguring it to automatically connect to their server as soon as it&#8217;s installed.<\/span><\/p>\n<h2 id=\"event-timeline\"><span style=\"font-family: arial, helvetica, sans-serif\">Event timeline<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The campaign demonstrates long-term infrastructure preparation before actual deployment:<\/span><\/p>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Event timeline<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Event<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Details<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>07\/05\/2025<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Domain Registration<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">systemautoupdater[.]com was registered through GoDaddy.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>01\/06\/2025<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">DNS configuration<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Update the DNS records, setting up the infrastructure to remain hidden for nearly a year.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>14\/03\/2026<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Certificate Issuance<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Digital signature issued to &#8220;Zlatin Stamatov&#8221; (Certum Code Signing).<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><strong>09\/04\/2026<\/strong><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Detection<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">The first malware samples appeared on MalwareBazaar and CAPE Sandbox.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"main-impact\"><span style=\"font-family: arial, helvetica, sans-serif\">Main impact<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The danger level of this attack chain doesn&#8217;t lie in using overly complex techniques, but in its ability to &#8220;bypass&#8221; the current defense systems of businesses.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Bypassing EDR due to being &#8220;pre-approved&#8221; (whitelisted): The attacker exploits remote desktop software like RustDesk, AnyDesk, or TeamViewer. These are legitimate tools often pre-approved by companies. Therefore, when malware is hidden within these programs, security systems (EDR, Antivirus) overlook them, failing to conduct thorough checks, leaving the SOC team almost blind to any anomalies.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Staying hidden on the victim&#8217;s machine for a long time: Unlike typical viruses that easily cause errors or slow down the computer, the modified version of RustDesk continues to function normally. Users might even believe they installed it at the IT department&#8217;s request. This allows the attacker to remain undetected in the system for weeks or months without raising suspicion.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Opening the way for data theft and ransomware: Once they control the machine, hackers can:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">View the screen, copy clipboard data<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Retrieve passwords from the password manager<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Use tools like Rclone to transfer data externally.<\/span><\/li>\n<\/ul>\n<h2 id=\"details-of-the-infection-process\"><span style=\"font-family: arial, helvetica, sans-serif\">Details of the infection process<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Chi-tiet-quy-trinh-lay-nhiem-1778646067.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-36184\" src=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Chi-tiet-quy-trinh-lay-nhiem-1778646067.png\" alt=\"Chi Tie\u0302\u0301t Quy Tri\u0300nh La\u0302y Nhie\u0302\u0303m 1778646067\" width=\"1536\" height=\"1024\" \/><\/a><\/span><\/p>\n<h3 id=\"step-1-lure-seo-poisoning-malvertising\"><span style=\"font-family: arial, helvetica, sans-serif\">Step 1: Lure (SEO Poisoning \/ Malvertising)<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In this campaign, the attacker uses SEO poisoning techniques or fake advertising (malvertising) on search engines. When users search for keywords like &#8220;Download Microsoft Teams&#8221; or &#8220;MS Teams setup,&#8221; they are directed to a fake website that resembles Microsoft&#8217;s homepage but is actually hosted on the attacker&#8217;s infrastructure (e.g., subdomains of systemautoupdater[.]com).<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Buoc-1-Dan-du-SEO-Poisoning-Malvertising-1778646079.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-36185\" src=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Buoc-1-Dan-du-SEO-Poisoning-Malvertising-1778646079.png\" alt=\"Bu\u031bo\u031b\u0301c 1 Da\u0302\u0303n Du\u0323 (seo Poisoning : Malvertising) 1778646079\" width=\"1699\" height=\"650\" \/><\/a><\/span><\/p>\n<h3 id=\"step-2-download-and-bypass-security-signed-payload\"><span style=\"font-family: arial, helvetica, sans-serif\">Step 2: Download and Bypass Security (Signed Payload)<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">After reaching the attacker&#8217;s website, users download the file MSTeamsSetup.exe (approximately 14.3 MB) \u2014 this file is, of course, embedded with malicious code.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Tai-xuong-va-Vuot-rao-bao-mat-Signed-Payload-1778646088.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-36186\" src=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Tai-xuong-va-Vuot-rao-bao-mat-Signed-Payload-1778646088.png\" alt=\"Ta\u0309i Xuo\u0302\u0301ng Va\u0300 Vu\u031bo\u031b\u0323t Ra\u0300o Ba\u0309o Ma\u0323\u0302t (signed Payload) 1778646088\" width=\"1812\" height=\"955\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The first line of defense is Windows SmartScreen, which typically alerts if a file lacks a digital signature. However, the attacker embedded a valid digital signature:<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Signer:<\/strong>\u00a0Zlatin Stamatov<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Issuer:<\/strong>\u00a0Certum Code Signing 2021 CA<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Thumbprint:<\/strong>\u00a0<code>0c8bb17a1c27a39817f4e1bd74b6c616fba3faef909f94772e685e64fe34cef3<\/code><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/thumbprint-1778646098.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-36187\" src=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/thumbprint-1778646098.png\" alt=\"Thumbprint 1778646098\" width=\"1158\" height=\"501\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Having a digital signature allows this file to bypass many basic antivirus solutions and creates a false sense of security for users when checking the file properties (Properties -&gt; Digital Signatures).<\/span><\/p>\n<h3 id=\"step-3-execute-and-compromise-trojanized-rustdesk\"><span style=\"font-family: arial, helvetica, sans-serif\">Step 3: Execute and Compromise (Trojanized RustDesk)<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">When users run the installer file: Silent Execution: Instead of installing Teams, this file is actually a wrapper around the RustDesk client. It automatically extracts and executes RustDesk components in the temporary directory (%TEMP% or %APPDATA%).<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Hardcoded Configuration: This version of RustDesk has been modified (weaponized) to bypass the usual connection verification steps. Parameters like Server ID, Relay Server, and Key are pre-set to point to the attacker&#8217;s infrastructure.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Establishment: An encrypted connection is established to mon.systemautoupdater[.]com. The attacker can now see the victim&#8217;s machine appear in their control list.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Establishment-1778646119.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-36189\" src=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Establishment-1778646119.png\" alt=\"Establishment 1778646119\" width=\"1176\" height=\"555\" \/><\/a><\/span><\/p>\n<h2 id=\"analysis-of-infrastructure-and-opsec-failures\"><span style=\"font-family: arial, helvetica, sans-serif\">Analysis of Infrastructure and OPSEC Failures<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The infrastructure of this campaign reveals a contradiction between thorough preparation and mistakes in OPSEC (Operational Security).<\/span><\/p>\n<h3 id=\"infrastructure-overlap\"><span style=\"font-family: arial, helvetica, sans-serif\">Infrastructure Overlap<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The C2 server at IP 23.27.141[.]44 (EvoXT, New York) is hosting extremely suspicious services:<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Port 443 (HTTPS): Uses a TLS certificate issued for calipology[.]com. This is the key linking this campaign to the &#8220;calipology&#8221; entity on Telegram, which has been tracked in previous Striker C2 campaigns.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Port 3004 (Trading Bots): A cryptocurrency trading bot management dashboard (written in Svelte\/Vue) is publicly exposed. This suggests the attacker&#8217;s ultimate financial goal may be to gain wallet access or execute unauthorized transactions on the victim&#8217;s machine.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Port 21 (FTP): vFTPd 3.0.5 is open with a configuration requiring login, commonly used to exfiltrate data from the victim&#8217;s machine to the central server.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Typical vulnerabilities<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Reuse of TLS Property: Keeping the certificate for calipology[.]com on the same server as the malware is a major mistake, allowing researchers to link identities.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Redirection: Direct access to port 443 of the C2 IP is redirected to\u00a0<a href=\"https:\/\/calipology%5C[.%5C]co%5C[.%5C]uk\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/calipologycouk<\/a>\u00a0&#8211; the website of a legitimate business in the UK (brake pad restoration). This might be an attempt to create a &#8220;legitimate business&#8221; cover for the activities.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Redirection-1778646162.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-36190\" src=\"https:\/\/cdn.fpt-is.com\/vi\/2026\/05\/Redirection-1778646162.png\" alt=\"Redirection 1778646162\" width=\"1749\" height=\"597\" \/><\/a><\/span><\/p>\n<h2 id=\"expert-opinion\"><span style=\"font-family: arial, helvetica, sans-serif\">Expert opinion<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The &#8220;Calvary&#8221; campaign exemplifies the trend of &#8220;Living-off-the-Land Tools&#8221; (LotLT). Instead of expending resources to develop sophisticated RAT malware, the attacker simply customizes legitimate Remote Desktop software.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In Vietnam, the risk from software installation packages from &#8220;external sources&#8221; (Google search links instead of official websites) remains high due to the habits of small and medium-sized business users. The presence of malware with valid digital signatures further increases the risk of bypassing IT teams&#8217; controls, which often prioritize whitelisting digitally signed applications. Additionally, the discovery of the &#8220;Trading Bot&#8221; dashboard indicates that individual users involved in cryptocurrency trading are a primary target for this group.<\/span><\/p>\n<h2 id=\"mitre-attampck-mapping\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>MITRE ATT&amp;CK Mapping<\/strong><\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Tactic<\/strong><\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Technique<\/strong><\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\"><strong>ID<\/strong><\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Resource Development<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Acquire Infrastructure: VPS<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1583.003<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Resource Development<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Obtain Capabilities: Code Signing Certificates<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1588.003<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Initial Access<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Drive-by Compromise<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1189<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Execution<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">User Execution: Malicious File<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1204.002<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Defense Evasion<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Subvert Trust Controls: Code Signing<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1553.002<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Defense Evasion<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Masquerading: Match Legitimate Name<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1036.005<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Command and Control<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Application Layer Protocol: Web<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1071.001<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Command and Control<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Remote Access Software<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1219<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"ioc-amp-artifacts\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>IOC &amp; Artifacts<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Network Indicators<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>C2 Domain:<\/strong>\u00a0<code>mon.systemautoupdater[.]com<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>C2 IP:<\/strong>\u00a0<code>23.27.141[.]44<\/code>\u00a0(EvoXT)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Infrastructure Domains:<\/strong>\u00a0<code>systemautoupdater[.]com<\/code>,\u00a0<code>calipology[.]com<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Redirect Target:<\/strong>\u00a0<code>calipology[.]co[.]uk<\/code><\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>File Indicators<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Filename:<\/strong>\u00a0<code>MSTeamsSetup.exe<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>SHA256:<\/strong>\u00a0<code>d01148808fbeefa22cd4541cdaaee8bc1f74e3045302115dc5b08b99ff93dc9c<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Cert Serial:<\/strong>\u00a0<code>57193231454133499427671191024346513426<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Cert Thumbprint:<\/strong>\u00a0<code>0C8BB17A1C27A39817F4E1BD74B6C616FBA3FAEF909F94772E685E64FE34CEF3<\/code><\/span><\/li>\n<\/ul>\n<h2 id=\"recommendation-mitigation\"><span style=\"font-family: arial, helvetica, sans-serif\">Recommendation (Mitigation)<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Immediate (0-24h)<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Block all IPs and domains in the IOC list at the firewall\/proxy layer.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Review DNS logs or proxy logs to search for connections to subdomains of systemautoupdater[.]com.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Conduct threat hunting on EDR to find RustDesk processes executing from uncommon paths or with suspicious outbound connection parameters.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Short-term (1-7 days)<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Implement a policy to block the execution of applications not approved by IT (Application Whitelisting\/AppLocker).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Alert users to prioritize using the Microsoft Store or the official microsoft.com site to download MS Teams.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Long-term<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Establish a process for regularly checking unusual digital certificates (Code Signing) appearing in the system.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Transition to a Zero Trust model, strictly controlling remote management connections (RMM), even those from &#8220;legitimate&#8221; tools.<\/span><\/li>\n<\/ul>\n<h2 id=\"refer\"><span style=\"font-family: arial, helvetica, sans-serif\">References<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/intel.breakglass.tech\/post\/systemautoupdater-23-27-141-44\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/intel.breakglass.tech\/post\/systemautoupdater-23-27-141-44<\/a>\u00a0<a href=\"https:\/\/bazaar.abuse.ch\/sample\/d01148808fbeefa22cd4541cdaaee8bc1f74e3045302115dc5b08b99ff93dc9c\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/bazaar.abuse.ch\/sample\/d01148808fbeefa22cd4541cdaaee8bc1f74e3045302115dc5b08b99ff93dc9c\/<\/a>\u00a0<a href=\"https:\/\/www.capesandbox.com\/analysis\/60828\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/www.capesandbox.com\/analysis\/60828\/<\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/app.any.run\/tasks\/f0af47b4-369c-45b8-b782-c31f97730a56\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">Analysis MSTeamsSetup.exe (MD5: FF8505309831284BFF66A1CFD5049DAC) Malicious activity &#8211; Interactive analysis<\/a>\u00a0<a href=\"http:\/\/any.run\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">ANY.RUN<\/a><\/span><\/p>\n<p>&nbsp;<\/p>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\">\n<p data-start=\"0\" data-end=\"44\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exclusive article by an expert from FPT\u00a0<\/strong><\/span><\/p>\n<p data-start=\"46\" data-end=\"92\" data-is-last-node=\"\" data-is-only-node=\"\"><span style=\"font-family: arial, helvetica, sans-serif\"><em>Luu Tuan Anh \u2013 FPT Information Security Center<\/em><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":24443,"parent":0,"template":"","nang_luc":[821],"danh_muc_goc_nhin_so":[],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-24442","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/24442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/24443"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=24442"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=24442"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=24442"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=24442"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=24442"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=24442"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=24442"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=24442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}