Quick, You Need Assistance!

Feb. 2, 2026, 11:06 a.m.

Description

A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script that downloads a command and control payload. The attack employs an AMSI bypass, encrypted communications, and a web-socket remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.

Date

  • Created: Feb. 2, 2026, 10:52 a.m.
  • Published: Feb. 2, 2026, 10:52 a.m.
  • Modified: Feb. 2, 2026, 11:06 a.m.

Indicators


Attack Patterns

  • NetSupport Manager
  • PowerShell web-socket remote access trojan

Additional Information
