MEOWBACKCONN intrusion chain uses Microsoft Teams MSI and encrypted PowerShell backdoor

April 3, 2026 | The DFIR Report

The DFIR Report describes MEOWBACKCONN initial access via a malicious Microsoft Teams MSI installer, followed by encrypted PowerShell backdoor activity and credential access via SAM registry dumping.

The DFIR Report recently observed MEOWBACKCONN again in the wild:
➡️ Initial Access: Malicious Microsoft Teams MSI Installer
➡️ Execution: Encrypted PowerShell backdoor
➡️ Credential Access: SAM Registry Dump
The DFIR Report
