Fake Microsoft Teams Site
A new and operationally disciplined threat actor has emerged, demonstrating just how quickly a “mid-tier” criminal group can evolve into a formidable adversary. Security researchers from the BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) have been tracking a global SEO-poisoning campaign that weaponizes one of the most trusted tools in the modern enterprise: Microsoft Teams.
The campaign, which distributes a sophisticated multi-stage shellcode loader and backdoor designated as “Lorem Ipsum,” has been active since at least February 2026. In a mere ten weeks, the group transformed from a minimally obfuscated test build into a “meaningfully funded” threat with a high development velocity.
The operators invest heavily in SEO-poisoning campaigns designed to outrank legitimate Microsoft download results. By opportunistically targeting users searching for Microsoft Teams across at least six countries—including a confirmed successful interdiction of a U.S.-based healthcare-sector client—the group ensures a steady stream of high-value victims.
As the researchers noted in their assessment, “The combination of validly signed installers, multi-stage in-memory loader chains, JFIF-disguised C2 traffic, per-victim UUID tracking, and creative dead-drop abuse of a legitimate regional platform produces a meaningfully harder-to-detect delivery and command profile than typical commodity operations”.
The “Lorem Ipsum” loader chain is a masterclass in modern evasion. To bypass standard security perimeters, the group utilizes:
- They systematically procure Microsoft ID-verified code-signing certificates with short, three-day “burn cycles” to stay ahead of certificate revocation lists.
- The loader features substitution cipher decoding, XOR-encrypted shellcode stubs, and DLL sideloading to keep the primary payload from touching the disk.
- Command-and-Control (C2) traffic is cleverly disguised as JFIF image files, a tactic designed to blend in with legitimate web traffic.
- Most distinctively, the loader abuses letsdiskuss[.]com, a legitimate India-based blogging and Q&A platform, as a dead-drop resolver for its C2 infrastructure across multiple attacker-controlled profiles.
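One structural check a defender can run on response bodies served as image/jpeg, added here as an example and not BlueVoyant's tooling: walk the JPEG marker segments and flag a body that carries a JFIF header but is not a well-formed JPEG, or that has bytes after the end-of-image marker. The sample bodies are constructed; the report does not say whether Lorem Ipsum's JFIF-disguised traffic fails this particular check, so using it as a triage signal is an assumption.

```python
import struct
SOI, EOI, SOS, APP0 = 0xD8, 0xD9, 0xDA, 0xE0
RST = set(range(0xD0, 0xD8))
STANDALONE = {0x01, SOI, EOI} | RST  # markers that carry no length field


def inspect_jfif(body: bytes) -> dict:
    """Walk the JPEG marker segments of `body` and report structural findings."""
    r = {"jfif_header": False, "well_formed": False, "trailing_bytes": 0, "reason": ""}
    if body[:2] != b"\xff\xd8":
        return {**r, "reason": "no SOI marker"}
    pos = 2
    while pos < len(body):
        if body[pos] != 0xFF:
            return {**r, "reason": f"expected a marker at offset {pos}"}
        pos = len(body) - len(body[pos:].lstrip(b"\xff"))  # skip 0xFF fill bytes
        if pos == len(body):
            break
        marker, pos = body[pos], pos + 1
        if marker == EOI:  # anything after end-of-image is not image data
            r.update(well_formed=True, trailing_bytes=len(body) - pos)
            return {**r, "reason": "data after EOI" if r["trailing_bytes"] else "ok"}
        if marker in STANDALONE:
            continue
        length = struct.unpack(">H", body[pos:pos + 2])[0] if pos + 2 <= len(body) else 0
        if length < 2 or pos + length > len(body):
            return {**r, "reason": f"bad length for marker 0x{marker:02X}"}
        if marker == APP0 and body[pos + 2:pos + 7] == b"JFIF\x00":
            r["jfif_header"] = True
        pos += length
        if marker == SOS:  # entropy-coded data runs until the next unstuffed, non-RST marker
            while pos + 1 < len(body) and not (body[pos] == 0xFF and body[pos + 1] not in RST | {0}):
                pos += 1
            pos = pos if pos + 1 < len(body) else len(body)
    return {**r, "reason": "no EOI marker"}


def suspicious_jfif(body: bytes) -> bool:
    """True when a body that presents a JFIF header fails the structural walk."""
    r = inspect_jfif(body)
    return r["jfif_header"] and (not r["well_formed"] or r["trailing_bytes"] > 0)


# Constructed samples (not captured traffic): a minimal valid JFIF, the same header
# followed by a non-JPEG blob, and a valid JFIF with bytes appended after EOI.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x48\x00\x48\x00\x00"
_SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
BENIGN = b"\xff\xd8" + _APP0 + _SOS + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
HEADER_ONLY = b"\xff\xd8" + _APP0 + b"\x01\x02\x03\x04\x05\x06"
TRAILING = BENIGN + b"\x00" * 16
```

A body that fails the walk is only a candidate for inspection, since truncated downloads and non-standard encoders also produce malformed JPEGs.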
While the group relies on SEO poisoning and hardcoded API strings—suggesting they may not yet have reached the tier of an advanced persistent threat (APT)—their trajectory is “clearly upward”. BlueVoyant assesses with moderate confidence that this group may be operating as an initial access broker, establishing persistent footholds in sensitive networks to sell to downstream actors.
The researchers emphasize that this is a “well-resourced and rapidly maturing” threat. Their ability to sustain meaningful operational expenditure on disposable domains, dedicated hosting, and short-lived certificates distinguishes them from low-budget commodity operators.
The Lorem Ipsum campaign is a potent reminder that trust in legitimate platforms like Microsoft Teams can be effectively weaponized.
“The combination of systematically procured Microsoft ID verified code-signing certificates with three-day burn cycles, continuously registered NameCheap infrastructure weaponized within hours, and sustained SEO-poisoning operations suggests a meaningfully funded mid-tier criminal actor whose development velocity warrants proactive defender attention,” the report warns.