North Korean Hackers Weaponize Fake Microsoft Teams Domain: How UNC1069 Delivers Malware via Counterfeit Meeting Invites + Video

By /

Listen to this Post

Featured Image

Introduction:

Cybercriminals are no longer just spoofing brands—they are spoofing entire workflows. In the latest escalation, North Korea-linked threat actor UNC1069 registered the counterfeit Microsoft Teams domain `onlivemeet[.]com` to lure developers and cryptocurrency professionals into executing malware disguised as a meeting platform fix. Detected on April 6, 2026, this attack leverages social engineering via Slack and Telegram, where a seemingly legitimate `teams.microsoft.com` link redirects victims to the malicious domain, tricking them into downloading a fake “meeting fix” that deploys backdoors and credential stealers.

Learning Objectives:

  • Identify and analyze counterfeit domain techniques (typosquatting, homoglyphs, subdomain spoofing) used in active social engineering campaigns.
  • Implement network-level and endpoint-level mitigations to block malicious domains and detect payload execution.
  • Perform static and dynamic analysis of suspicious meeting-invite attachments using Linux/Windows commands and open-source tools.

You Should Know:

1. Domain Forensics: Investigating Counterfeit Microsoft Teams Domains

Attackers register lookalike domains to bypass URL filters. In this case, `onlivemeet[.]com` mimics legitimate Teams meeting URLs. To investigate such domains, use the following commands and steps.

Step‑by‑step guide to analyze a suspicious domain:

  1. WHOIS Lookup – Identify registration date, registrar, and name server.

– Linux: `whois onlivemeet.com` (replace with actual domain; note the defanged `[.]` should be converted to `.` for real analysis)
– Windows: `nslookup -type=NS onlivemeet.com` then use `whois` via Sysinternals `whois.exe` or online.
2. DNS Enumeration – Find A, MX, TXT records.
– `dig onlivemeet.com ANY` (Linux) or `Resolve-DnsName -Type ANY onlivemeet.com` (PowerShell)
3. SSL Certificate Analysis – Check for cert issuance to fraudulent domains.
– `openssl s_client -connect onlivemeet.com:443 -servername onlivemeet.com | openssl x509 -text`
4. VirusTotal Lookup – Submit domain hash for reputation.
– Use `curl -s “https://www.virustotal.com/api/v3/domains/onlivemeet.com” -H “x-apikey: YOUR_API_KEY”` (requires free API key)

What to look for: Recently registered (less than 30 days), free TLS certs (Let’s Encrypt), and mismatched MX records. UNC1069 domains often use name servers associated with bulletproof hosting.

2. Social Engineering Artifact Extraction from Slack/Telegram

The attack begins with a crafted meeting invitation over Slack or Telegram. The displayed URL appears as `teams.microsoft.com/meeting/join?token=…` but the underlying hyperlink points to onlivemeet[.]com/fix/setup.exe.

Step‑by‑step guide to extract and analyze hidden URLs:

1. On Slack/Telegram Desktop:

  • Hover over the link without clicking—status bar reveals true destination.
  • Right-click > “Copy link address” and paste into a sandboxed text file.
  1. Command-line extraction from chat logs (if you have access):

– Slack export JSON: `jq ‘.[] | .text’ slack_export.json | grep -Eo ‘https?://[^ ]+’` (Linux)
– Windows PowerShell: `Select-String -Path .\chat_log.txt -Pattern ‘http

?://' | ForEach-Object { $_.Matches.Value }`


<h2 style="color: yellow;">3. Sandboxed analysis:</h2>

<ul>
<li>Use `curl -I -L --max-redirs 0 "https://teams.microsoft.com/..."` to see HTTP redirect chain.</li>
<li>Example output: `HTTP/1.1 302 Found Location: http://onlivemeet.com/fix`
<h2 style="color: yellow;">4. Decode obfuscated parameters:</h2>
- Attackers may URL-encode or base64-encode redirect paths.
- Decode with: `echo "JTJGZml4JTJGc2V0dXAuZXhl" | base64 -d` (Linux) or `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` (PowerShell)</li>
</ul>

Pro tip: Always analyze in a VM or sandbox (Cuckoo, CAPE) to avoid accidental execution. The malware payload is often a signed executable with delayed execution to evade sandboxes.

<h2 style="color: yellow;">3. Malware Payload Analysis: Static & Dynamic Basics</h2>

The fake “meeting fix” (e.g., <code>Teams_Update_Setup.exe</code>) is a downloader that fetches additional stages from C2 servers. Use these commands to triage suspicious files.

<h2 style="color: yellow;">Step‑by‑step static analysis (Linux):</h2>

<h2 style="color: yellow;">1. File type identification: `file Teams_Update_Setup.exe`</h2>

<ol>
<li>Extract strings: `strings -n 8 Teams_Update_Setup.exe | grep -iE 'http|dll|powershell|cmd|reg'`
3. Check PE headers: `exiftool Teams_Update_Setup.exe` or `pescan` (install via <code>apt install pescan</code>)</li>
<li>Calculate hash: `sha256sum Teams_Update_Setup.exe` – then query VirusTotal via API or web.</li>
<li>Extract indicators (Linux): `strings Teams_Update_Setup.exe | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u` for IP addresses.</li>
</ol>

<h2 style="color: yellow;">Dynamic analysis (Windows sandbox with Wireshark + Procmon):</h2>

<ul>
<li>Run the executable in a Windows 10/11 sandbox (Hyper-V isolated).</li>
<li>Monitor network connections: `netstat -anob` or use <code>TCPView</code>.</li>
<li>Capture DNS queries: `nslookup` or use `Wireshark` filter <code>dns.qry.name contains "onlivemeet"</code>.</li>
<li>Observe process creation: `wmic process get name,parentprocessid,processid` or use `Process Monitor` filter <code>Process Name is Teams_Update_Setup.exe</code>.</li>
</ul>

Typical UNC1069 behavior: The payload drops a VBScript in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` for persistence, then injects into `explorer.exe` to beacon to C2 on port 443 (HTTPS).

<ol>
<li>Mitigation: Blocking Malicious Domains at Network & Endpoint Level</li>
</ol>

Prevent initial access by blocking `onlivemeet[.]com` and similar patterns. Apply these configurations immediately.

<h2 style="color: yellow;">Step‑by‑step blocking strategies:</h2>

<ul>
<li>Windows Hosts File (Emergency block):</li>
<li>Edit `C:\Windows\System32\drivers\etc\hosts` as administrator.</li>
<li>Add: `0.0.0.0 onlivemeet.com` and <code>127.0.0.1 onlivemeet.com</code>.</li>
<li>Flush DNS: `ipconfig /flushdns`
</li>
<li>Linux iptables (outbound drop):
[bash]
sudo iptables -A OUTPUT -d onlivemeet.com -j DROP
sudo iptables -A OUTPUT -d 192.0.2.0/24 -j DROP  Replace with actual malicious IPs
sudo iptables-save > /etc/iptables/rules.v4

  • DNS Filtering (Pi-hole, OpenDNS, Cloudflare Gateway):

  • Add regex block: `(onlivemeet|teams-?update|microsoft-?meeting)\.com`
    – For Microsoft Defender for Endpoint: Create custom indicator with `onlivemeet.com` as URL, action “Block”.

  • Firewall rule (pfSense/OPNsense):

  • Create an alias “MaliciousTeamsDomains” with `onlivemeet.com` and any newly discovered domains.

  • Add rule: Block traffic from LAN to alias on ports 80,443, with logging enabled.

  • EDR policy (CrowdStrike, SentinelOne):

  • Deploy a hunting query: `ProcessCmdline = “onlivemeet” OR DomainName = “onlivemeet.com”` – set to kill process and quarantine.
    1. Cloud Hardening for Microsoft Teams & Office 365

    Prevent fake domain attacks by hardening your Microsoft 365 tenant. These steps reduce the risk of users being tricked.

    Step‑by‑step configuration (requires Global Admin role):

    1. Enable Safe Links in Defender for Office 365:

    – Go to Security Admin Center > Policies & rules > Threat policies > Safe Links.
    – Create policy for all users, set “On” for Teams, enable “Do not rewrite URLs” but turn ON “Scan URLs in Microsoft Teams”.
    – Action: Block messages with malicious links.

    2. Conditional Access to restrict Teams access:

    • Azure AD > Conditional Access > New policy.
    • Assign all users, cloud apps = Microsoft Teams.
    • Grant “Require compliant device” or “Require hybrid joined device”.
    • Session control: Use “Application enforced restrictions” to block unmanaged device access.

    3. Anti-phishing policy:

    • In Defender for Office 365, edit the default anti-phishing policy.
    • Add impersonation protection for domains: microsoft.com, teams.microsoft.com.
    • Add users to protect: CEO, IT Admin, Finance.

    4. Audit and alerting:

    • Run `Search-UnifiedAuditLog -Operations “UrlClick” -StartDate (Get-Date).AddDays(-7)` (Exchange Online PowerShell).
    • Create alert in Microsoft 365 Defender: Alert when any user clicks a URL containing “onlivemeet” or “teams-”.
    1. Incident Response: What to Do After a User Executes the Payload

    If a developer or crypto professional has already run the fake meeting fix, follow this IR checklist.

    Immediate steps (Windows environment):

    1. Isolate the host: Disable network adapter or pull Ethernet cable.

    2. Terminate malicious processes:

    taskkill /IM Teams_Update_Setup.exe /F
taskkill /IM powershell.exe /F  if spawned by malware

    3. Remove persistence:

    • Check startup folders: `shell:startup` and shell:common startup.
    • Delete any .vbs, .ps1, or `.lnk` files modified in last hour:
      `powershell “Get-ChildItem -Path $env:APPDATA -Recurse | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-1)}”`

    4. Collect forensic artifacts:

    • Recent files: `Get-ChildItem -Path C:\Users\ -Recurse -Include .exe,.dll -ErrorAction SilentlyContinue | Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-1)}`
      – Network connections log: `netstat -anob > netlog.txt`
      – Event logs: `wevtutil epl Security security.evtx`
    1. Reset credentials: Force password reset for the affected user and any service accounts used. Revoke all session tokens in Azure AD.

    2. Check for lateral movement: Use `Get-WinEvent -FilterHashtable @{LogName=’Security’;ID=4624} | Where-Object {$_.Message -match “Network”} | Select-Object TimeCreated, @{n=’User’;e={$_.Properties[bash].Value}}`

    Linux variant (if payload is ELF or Wine-executable):

    • Kill process: `pkill -f onlivemeet`
      – Check crontab: `crontab -l` and `sudo crontab -l`
      – Remove malicious files: `find /home -name “teams” -type f -mmin -60 -delete`

    7. Training and Simulated Phishing Exercises

    Build a security-aware culture to recognize fake meeting invitations. Use open-source tools to simulate similar attacks.

    Step‑by‑step to create a safe simulation:

    1. Set up Gophish (open-source phishing framework):

    • Install: `wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip`
    • Unzip and run: `./gophish`
      – Access admin console at `https://localhost:3333` (default creds: admin/gophish)

    2. Create a fake Teams meeting template:

    1. Configure sending profile: Use an internal SMTP relay or a test email server (like MailHog) to avoid real spam.

    2. Launch campaign to 10-20 users weekly. Track who clicks and provide immediate micro-training.

    3. Measure success: Aim for click rate below 5%. If above, deploy additional controls like browser extension that warns on lookalike domains (e.g., “Punycode Alert” for Chrome).

    What Undercode Say:

    • Key Takeaway 1: Domain typosquatting combined with legitimate collaboration platforms (Slack/Telegram) bypasses traditional email filters. Organizations must implement URL rewriting and sandboxed link analysis for all third-party chat apps.
    • Key Takeaway 2: Static defense is insufficient; incident response must include rapid IOC sharing. The `onlivemeet[.]com` domain was live for only 48 hours before takedown, but the payload’s C2 infrastructure remained active via fast-flux DNS.

    Attackers are weaponizing trust in digital collaboration tools. The UNC1069 campaign demonstrates that social engineering now targets moments – a meeting glitch, a delayed start, a “perfect fix” – rather than just brands. Defenders need to shift from perimeter blocking to behavioral detection: monitor for processes with “Teams” in name that spawn child processes (PowerShell, cmd, wscript), and enforce application allowlisting for developer workstations. Additionally, crypto professionals should run all meeting software in disposable virtual machines. The future will see AI-generated fake meeting domains with valid SSL certs and deepfake audio confirmations. Proactive threat hunting using domain generation algorithm (DGA) prediction and homoglyph detection is no longer optional.

    Prediction:

    The next evolution of this technique will involve real-time domain generation using large language models to create thousands of unique, believable Teams lookalike domains (e.g., teams-meet-{random}.com) that are registered via domain fronting and rotated every hour. Combined with deepfake audio over VoIP during fake “pre-meeting checks,” attackers will bypass even multi-factor authentication by tricking users into approving MFA push notifications under the guise of “meeting authentication.” Expect to see this tactic adopted by ransomware gangs targeting IT help desks, with fake Teams support calls delivering remote access tools. Organizations should prepare by implementing conditional access policies that block any Teams sign-in from non-corporate domains and require FIDO2 hardware tokens for all remote access.

    ▶️ Related Video (76% Match):

    🎯Let’s Practice For Free:

    IT/Security Reporter URL:

    Reported By: Cybersecuritynews Microsoft – Hackers Feeds
    Extra Hub: Undercode MoN
    Basic Verification: Pass ✅

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

    Related Posts: