Madmxshell deployed via trojanized installer for GlobalProtect

Intel Name: Madmxshell deployed via trojanized installer for GlobalProtect

Date of Scan: May 8, 2025

Impact: High

Summary:
We have analyzed multiple recent incidents where threat actors exploited Microsoft Teams to target victims. Posing as the organization’s Help Desk, the attackers initiate contact via Teams messages. They then attempt to persuade users to execute a Trojanized version of the GlobalProtect installer. GlobalProtect is a VPN and remote access tool used by Palo Alto Networks customers.
