A0Backdoor, a sophisticated new malware, is being deployed through a targeted social-engineering campaign that leverages Microsoft Teams and the Windows Quick Assist tool. Researchers have identified this backdoor as the work of threat actors linked to the Black Basta ransomware network, also known by aliases such as Blitz Brigantine, Storm-1811, and STAC5777. The campaign, active from at least August 2025 through late February 2026, has focused on financial and healthcare professionals, employing an increasingly refined attack methodology.
The initial phase of the attack involves overwhelming targets with thousands of spam emails, creating a sense of chaos and urgency. Subsequently, the threat actors contact the victim via Microsoft Teams, impersonating IT support personnel and offering assistance with the email issue. Believing they are communicating with legitimate IT staff, victims are persuaded to grant remote access through Quick Assist, a Windows utility designed for remote assistance. Once this access is secured, attackers swiftly install their tools, establishing a persistent presence on the compromised system.
BlueVoyant analysts detailed two distinct incidents linked to this campaign, noting that the malicious software was disguised as legitimate Microsoft applications, including Microsoft Teams and a utility named CrossDeviceService. These packages were delivered as digitally signed MSI installer files, enhancing their credibility as authentic software updates. Researchers also observed the use of at least three code-signing certificates dating back to July 2025, suggesting the group had been developing its custom toolset discreetly for several months.
The repercussions of this attack extend beyond the initial remote access session. The A0Backdoor gathers system information, such as usernames and computer names, to identify infected hosts before communicating with its operators. This communication is routed through DNS tunneling over public resolvers like 1.1.1.1, enabling the infected machine to avoid direct connections to attacker-controlled servers, thereby making the traffic significantly harder to detect.
The investigation identified victims including professionals at a financial institution based in Canada and a global health organization, highlighting the breadth of the campaign. The successful deployment of A0Backdoor underscores the evolving tactics of cybercriminal groups seeking to exploit legitimate software and services for malicious purposes.
How the Infection Takes Hold: DLL Sideloading and the A0Backdoor
The infection mechanism employed by the A0Backdoor showcases the refined technical sophistication of the threat group. When attackers deploy the malicious MSI package onto a victim’s machine, it installs a seemingly legitimate Microsoft application alongside a maliciously altered file named hostfxr.dll. This technique, known as DLL sideloading, allows malware to execute under the guise of a trusted process, evading detection.
Normally a trusted .NET hosting component digitally signed by Microsoft, this file was replaced with a malicious version signed under the certificate name MULTIMEDIOS CORDILLERANOS SRL. When the legitimate executable starts, it attempts to load its dependent libraries, including hostfxr.dll, from its own directory. In this scenario, it loads the fraudulent DLL instead, enabling the malware to run under the identity of a signed, trusted process.
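A defender's hunt for the sideloading pattern described above, as an added example that is not code from the article or from BlueVoyant: it walks a directory tree, reports every hostfxr.dll that sits outside the expected .NET host locations, and records whether a PE executable lives next to it (the launcher/DLL pairing the sideload relies on). The expected-location list, the sample tree and the placeholder file contents are constructed assumptions for this example; Authenticode signer verification is left to OS tooling (for instance Get-AuthenticodeSignature or sigcheck) and is not performed here.

```python
"""Hunt for hostfxr.dll copies planted for DLL sideloading (added example).

Not code from the article or BlueVoyant. Reports hostfxr.dll files that lie
outside the legitimate .NET host roots and notes any .exe beside them, which is
the pairing a sideload needs. Signer checks are delegated to OS tooling.
"""
import hashlib
import os
import tempfile
from pathlib import Path

TARGET_NAME = "hostfxr.dll"


def is_expected_location(path: Path, expected_roots) -> bool:
    """True when path lies under one of the legitimate .NET install roots."""
    p = path.resolve()
    for root in expected_roots:
        try:
            p.relative_to(Path(root).resolve())
            return True
        except ValueError:
            continue
    return False


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large DLLs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_hostfxr(scan_root, expected_roots):
    """Return one finding per hostfxr.dll found outside expected_roots."""
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            dll = Path(dirpath) / name
            if is_expected_location(dll, expected_roots):
                continue
            # An executable in the same directory is the likely sideload host.
            siblings = [f for f in files if f.lower().endswith(".exe")]
            findings.append({
                "path": str(dll),
                "sha256": sha256_of(dll),
                "sideload_candidates": sorted(siblings),
                # The article notes the MSI payloads landing in user AppData.
                "in_appdata": "appdata" in str(dll).lower(),
            })
    return findings


def build_demo_tree(base: Path):
    """Constructed sample tree: one legitimate copy, one planted copy.

    Returns the list of roots that count as expected locations.
    """
    legit = base / "dotnet" / "host" / "fxr" / "8.0.0"
    planted = base / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Teams"
    legit.mkdir(parents=True)
    planted.mkdir(parents=True)
    # File contents are placeholders, not real binaries (constructed data).
    (legit / "hostfxr.dll").write_bytes(b"placeholder: legitimate hostfxr")
    (planted / "hostfxr.dll").write_bytes(b"placeholder: planted hostfxr")
    (planted / "Teams.exe").write_bytes(b"placeholder: signed launcher")
    return [str(base / "dotnet")]


def demo():
    """Build the sample tree in a temp dir and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        expected = build_demo_tree(base)
        return hunt_hostfxr(base, expected)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, point hunt_hostfxr at a user profile root and pass the actual dotnet install directories as expected_roots; every finding is then a candidate for a signer check with the OS tooling named above.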
Upon execution, the compromised hostfxr.dll decrypts concealed data within its own code and transfers control to a shellcode payload. To further complicate analysis, the loader initiates an excessive number of CreateThread calls, which can disrupt debuggers during runtime. The shellcode includes checks to determine if it is operating within a virtualized environment by querying firmware tables for sandbox indicators, such as the string “QEMU.” The malware also utilizes a time-based key system, where the decryption key changes approximately every 55 hours.
Executing the malware outside of this specific time window results in an incorrect decryption key, permanently rendering the payload inoperable. The final A0Backdoor payload establishes communication with its operators through DNS MX record queries. This is achieved by using high-entropy subdomains that blend seamlessly with ordinary network traffic. Instead of registering new domains, which could trigger alerts, the operators are re-registering older, expired domain names. This strategy allows them to bypass detection tools specifically designed to identify newly registered or algorithmically generated domains.
Organizations are advised to restrict the use of Quick Assist within enterprise environments and implement policies that block unsolicited remote access sessions. Employees should be thoroughly trained to verify any IT support contact initiated through Microsoft Teams before granting access or sharing credentials. Security teams should monitor for MSI packages appearing in user AppData directories, flag outbound DNS MX queries directed at public resolvers, and look for signs of DNS tunneling activity within the network. An additional protective measure involves restricting external access to Microsoft Teams from unrecognized tenants, thereby eliminating one of the primary communication channels utilized by this threat group.
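The DNS signals the article describes (MX record queries, public resolvers such as 1.1.1.1, high-entropy subdomains) and the monitoring advice above, combined into one detection sketch as an added example that is not code from the article or from BlueVoyant. The log format, the sample lines, the resolver list and the entropy and length thresholds are constructed assumptions for this example and should be tuned to the environment.

```python
"""Flag DNS queries that match the tunnelling pattern described above (added example).

Not code from the article or BlueVoyant. Each query is scored on three signals:
MX record type, destination is a public resolver, and a long subdomain label
with high Shannon entropy. An alert needs all three, which keeps ordinary MX
lookups by mail servers and ordinary public-resolver use out of the results.
"""
import math
import re
from collections import Counter

# Public resolvers to watch; 1.1.1.1 is the one named in the write-up,
# the rest are well-known resolvers added here as an assumption.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Thresholds are assumptions chosen for illustration, not values from the article.
ENTROPY_THRESHOLD = 3.5   # bits per character
MIN_LABEL_LEN = 16        # short labels give unreliable entropy estimates

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, qtype, qname = m.groups()
    return {"ts": ts, "src": src, "dst": dst,
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}


def suspicious_labels(qname: str):
    """Subdomain labels that look encoded.

    The registrable domain is approximated as the last two labels; a public
    suffix list would be more accurate in production.
    """
    labels = qname.split(".")
    sub = labels[:-2]
    return [l for l in sub
            if len(l) >= MIN_LABEL_LEN and shannon_entropy(l) >= ENTROPY_THRESHOLD]


def score_query(rec) -> list:
    """Return the list of signals a parsed query triggers."""
    reasons = []
    if rec["qtype"] == "MX":
        reasons.append("mx-query")
    if rec["dst"] in PUBLIC_RESOLVERS:
        reasons.append("public-resolver")
    if suspicious_labels(rec["qname"]):
        reasons.append("high-entropy-label")
    return reasons


def analyze(lines):
    """Return (src, qname, reasons) for every query that trips all three signals."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_query(rec)
        if len(reasons) == 3:
            alerts.append((rec["src"], rec["qname"], reasons))
    return alerts


# Constructed sample log: two benign lookups, two tunnelled queries, one
# ordinary public-resolver query. Hostnames are invented.
SAMPLE_LOG = [
    "2026-02-10T09:14:02Z 10.0.5.21 -> 10.0.0.53 A mail.example-corp.test",
    "2026-02-10T09:14:03Z 10.0.5.21 -> 10.0.0.53 MX example-corp.test",
    "2026-02-10T09:14:05Z 10.0.5.21 -> 1.1.1.1 MX k3v9x2qz7mw4hb8tn1lp6yd0.expired-holding.test",
    "2026-02-10T09:14:06Z 10.0.5.21 -> 1.1.1.1 MX q8w2e5r9t1y4u7i0o3p6a2s5.expired-holding.test",
    "2026-02-10T09:14:08Z 10.0.5.40 -> 1.1.1.1 A www.example.test",
]


if __name__ == "__main__":
    for src, qname, reasons in analyze(SAMPLE_LOG):
        print(f"ALERT {src} {qname} {','.join(reasons)}")
```

Because the operators reuse expired domains rather than new ones, a domain-age feed adds little here; the per-label entropy and the MX-to-public-resolver combination are what single these queries out, and counting alerts per source host over a window turns the per-query hits into a beaconing indicator.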