Attackers Abuse Microsoft Teams and Quick Assist to Drop Stealthy A0Backdoor

Cybersecurity News (original source: cybersecuritynews.com), by Blog Writer

A newly identified backdoor called A0Backdoor has emerged as part of a calculated social-engineering campaign that abuses Microsoft Teams and the Windows remote assistance tool Quick Assist.

The threat group is tracked under aliases including Blitz Brigantine, Storm-1811, and STAC5777, and holds ties to the Black Basta ransomware network.

Active since at least August 2025 and continuing through late February 2026, this campaign has targeted professionals in the finance and healthcare sectors with an increasingly refined attack chain.

The attack begins by flooding the target’s inbox with thousands of spam emails, creating confusion and urgency.

The threat group then contacts the victim through Microsoft Teams, posing as IT support staff and offering to help resolve the email issue.

The victim, believing they are talking to company support, grants remote access through Quick Assist, a built-in Windows tool that lets one computer be controlled by another.

With that access secured, the attackers quickly plant their own tools and establish a lasting foothold on the compromised machine.

BlueVoyant analysts identified two separate incidents tied to this campaign and found the software delivered to victims was disguised as legitimate Microsoft applications, including Microsoft Teams and a utility called CrossDeviceService.

The packages arrived as digitally signed MSI installer files, lending them the look of authentic software updates.

Researchers also noted that at least three code-signing certificates were used, the earliest dating back to July 2025, suggesting the group had been building its custom toolset quietly for months.

The consequences of this attack extend well beyond the initial remote session. The A0Backdoor collects system details like the username and computer name to fingerprint the infected host before reaching out to its operators.

That communication travels through DNS tunneling over public resolvers like 1.1.1.1, so the infected machine avoids any direct connection to attacker-controlled servers, making the traffic far harder to flag.

Victims identified in the investigation included professionals at a Canada-based financial institution and a global health organization.

How the Infection Takes Hold: DLL Sideloading and the A0Backdoor

The infection mechanism behind A0Backdoor shows how far this group has refined its technical approach.

When the attacker drops the malicious MSI package onto the victim’s machine, it installs a legitimate-looking Microsoft application alongside a tampered file called hostfxr.dll.

[Figure: Contents of Update.msi file (Source – BlueVoyant)]

Normally a trusted .NET hosting component signed by Microsoft, this file was swapped with a malicious copy signed under the certificate name MULTIMEDIOS CORDILLERANOS SRL.

When the legitimate executable runs, it loads this fake DLL — a method known as DLL sideloading — letting the malware run silently under the cover of a trusted process.
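A defender-side way to hunt for the two on-disk artefacts the article describes (a hostfxr.dll sitting outside the normal .NET host location, and MSI packages staged under a user's AppData, which the recommendations below also call out) is a small file-system sweep. The script below is an added example, not BlueVoyant's tooling or anything from the article; the trusted .NET path fragments, the allowlist placeholder and the demo directory tree are all constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder allowlist: fill with SHA-256 digests of known-good hostfxr.dll builds
# taken from a clean .NET install (constructed placeholder, not a real hash).
KNOWN_GOOD_HOSTFXR = {"<sha256-of-known-good-hostfxr.dll>"}

# Path fragments under which the genuine .NET host is expected to live
# (assumption; extend for self-contained apps your organisation deploys).
TRUSTED_HOST_FRAGMENTS = ("program files\\dotnet\\", "program files (x86)\\dotnet\\")


def normalise(path: Path) -> str:
    """Lower-case, backslash-only form so fragment matching works on any OS."""
    return str(path).replace("/", "\\").lower()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def in_trusted_host_location(path: Path) -> bool:
    return any(frag in normalise(path) for frag in TRUSTED_HOST_FRAGMENTS)


def hunt(root: Path) -> list:
    """Walk `root` and report hostfxr.dll copies outside the trusted host location
    whose hash is not allowlisted, plus any .msi file under an AppData directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            low = name.lower()
            if low == "hostfxr.dll" and not in_trusted_host_location(p):
                digest = sha256_of(p)
                if digest not in KNOWN_GOOD_HOSTFXR:
                    findings.append({"type": "hostfxr_sideload_candidate",
                                     "path": str(p), "sha256": digest})
            elif low.endswith(".msi") and "\\appdata\\" in normalise(p):
                findings.append({"type": "msi_in_appdata",
                                 "path": str(p), "size": p.stat().st_size})
    return sorted(findings, key=lambda f: (f["type"], f["path"]))


def build_demo_tree() -> Path:
    """Constructed directory layout standing in for a user profile and a clean .NET install."""
    base = Path(tempfile.mkdtemp(prefix="a0hunt_"))
    files = {
        # benign: the real host lives under Program Files\dotnet
        "Program Files/dotnet/host/fxr/8.0.0/hostfxr.dll": b"MZ-placeholder-genuine",
        # suspicious: a host DLL dropped next to a lookalike app in the user profile
        "Users/alice/AppData/Local/CrossDeviceService/hostfxr.dll": b"MZ-placeholder-dropped",
        # suspicious: an installer staged under AppData
        "Users/alice/AppData/Local/Temp/Update.msi": b"MSI-placeholder",
        # benign: unrelated file
        "Users/alice/Documents/notes.txt": b"hello",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def demo() -> list:
    """Run the hunt over the constructed tree; returns the findings list."""
    return hunt(build_demo_tree())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Hits from a sweep like this are leads, not verdicts: self-contained .NET applications legitimately ship their own hostfxr.dll, so the allowlist should be populated from a known-clean baseline and each candidate checked against its Authenticode signer (the article notes the malicious copy was signed by MULTIMEDIOS CORDILLERANOS SRL rather than Microsoft).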

Once loaded, the malicious hostfxr.dll decrypts data hidden in its own code and transfers execution to a shellcode payload.

[Figure: DIE identifying compressed or packed data within hostfxr.dll (Source – BlueVoyant)]

To complicate analysis, the loader issues an excessive number of CreateThread calls, which can crash debuggers attached at runtime.

The shellcode checks if it is running in a virtual environment by querying firmware tables for sandbox indicators like the string “QEMU,” and uses a time-based key system where the decryption key shifts roughly every 55 hours.

[Figure: Decryption routine contained within hostfxr.dll (Source – BlueVoyant)]

Executing the malware outside that window produces the wrong key, leaving the payload permanently locked.

The final A0Backdoor payload connects to its operators through DNS MX record queries using high-entropy subdomains that blend into ordinary network traffic.

[Figure: Captured DNS traffic from C2 (Source – BlueVoyant)]

Instead of registering fresh domains that might raise flags, the operators re-registered older, lapsed domain names, slipping past detection tools tuned to spot newly registered or algorithmically generated domains.

Organizations should restrict Quick Assist usage across enterprise environments and implement policies that block unsolicited remote access sessions.

Employees should be trained to always verify any IT support contact made through Microsoft Teams before granting access or sharing credentials.

Security teams should watch for MSI packages appearing in user AppData directories, flag outbound DNS MX queries directed at public resolvers, and monitor for DNS tunneling activity within the network.
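The DNS-side recommendations above (MX queries sent to public resolvers, high-entropy subdomains, repeated tunnelling to one registered domain, as described in the C2 paragraphs earlier) can be turned into a first-pass detector over DNS logs. This is an added example written for this page, not BlueVoyant's detection logic; the log layout, the resolver list, the thresholds and the sample lines are all constructed, and the domain in the sample is fictional.

```python
import math
from collections import Counter
from typing import Optional

# Resolvers an internal host should not be talking to directly
# (assumed list; the article specifically names 1.1.1.1).
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
ENTROPY_THRESHOLD = 3.5   # bits per character; chosen by hand for this sample
MIN_LABEL_LEN = 16        # short labels give noisy entropy estimates

# Constructed log lines in a generic "timestamp src dst qtype qname" layout.
SAMPLE_LOG = """\
2026-02-20T09:14:02Z 10.0.5.23 10.0.0.53 A www.microsoft.com
2026-02-20T09:14:05Z 10.0.2.10 10.0.0.53 MX example.org
2026-02-20T09:14:06Z 10.0.5.23 10.0.0.53 TXT _dmarc.example.com
2026-02-20T09:14:07Z 10.0.5.23 1.1.1.1 MX k3q9v7z2m8x4p1r6t0bn.lapsed-example.net
this line is malformed
2026-02-20T09:14:09Z 10.0.5.23 1.1.1.1 MX a8d2f6h0j4l9n3q7s1u5.lapsed-example.net
2026-02-20T09:14:11Z 10.0.7.4 8.8.8.8 A cdn.contoso.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0.0 for a repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> Optional[dict]:
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed or unexpected layout: skip rather than crash
    ts, src, dst, qtype, qname = parts
    return {"ts": ts, "src": src, "dst": dst,
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}


def reasons_for(q: dict) -> list:
    reasons = []
    if q["dst"] in PUBLIC_RESOLVERS:
        reasons.append("bypasses_internal_resolver")
        if q["qtype"] == "MX":
            reasons.append("mx_to_public_resolver")
    labels = q["qname"].split(".")
    if len(labels) >= 3:  # only score a real subdomain label, not the registered domain
        sub = labels[0]
        if len(sub) >= MIN_LABEL_LEN and shannon_entropy(sub) >= ENTROPY_THRESHOLD:
            reasons.append("high_entropy_subdomain")
    return reasons


def severity(reasons: list) -> Optional[str]:
    strong = {"mx_to_public_resolver", "high_entropy_subdomain"} & set(reasons)
    if len(strong) == 2:
        return "high"
    if strong:
        return "medium"
    return "low" if reasons else None


def detect(lines) -> list:
    """Return every query that earned at least one reason, with a severity attached."""
    findings = []
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        reasons = reasons_for(q)
        sev = severity(reasons)
        if sev:
            findings.append({**q, "reasons": reasons, "severity": sev})
    return findings


def tunnel_suspects(findings: list, min_hits: int = 2) -> dict:
    """Sources with repeated high-severity queries against one registered domain:
    the pattern a DNS tunnel leaves, as opposed to a single odd lookup."""
    counts = Counter((f["src"], ".".join(f["qname"].split(".")[-2:]))
                     for f in findings if f["severity"] == "high")
    return {key: n for key, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["severity"], f["src"], f["qtype"], f["qname"], f["reasons"])
    print(tunnel_suspects(found))
```

On the sample, the two MX lookups from 10.0.5.23 to 1.1.1.1 score "high" and the source is reported as a tunnel suspect for lapsed-example.net, while the workstation querying 8.8.8.8 for an ordinary A record is only a "low" notice. Because the campaign reuses lapsed rather than freshly registered domains, domain-age enrichment alone would miss it; entropy and the MX-to-public-resolver combination are the signals that still fire.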

Restricting Microsoft Teams external access from unrecognized tenants removes one of the primary channels this threat group relies on for initial contact.
