Cybersecurity researchers have identified a new wave of social-engineering attacks where hackers are tricking employees into granting remote access to their systems through Microsoft Teams. The campaign ultimately installs a newly identified malware known as A0Backdoor.
According to a cybersecurity firm, the attackers are using tactics linked to Blitz Brigantine, also tracked as Storm-1811. This financially motivated threat cluster has previously been associated with Black Basta ransomware operations.
The attack typically begins with email bombing, where a victim’s inbox is flooded with junk messages. Shortly after, the target receives a message on Microsoft Teams from someone pretending to be internal IT support.
The attacker claims to help resolve the email issue and convinces the employee to open Quick Assist, a legitimate Microsoft remote-support tool that allows screen sharing and device control.
Earlier warnings from Microsoft had already highlighted similar tactics used by Storm-1811. In those cases, attackers sent Teams messages or voice calls from fake help desk accounts before requesting Quick Assist access.
Signed installers used to hide malware
Once the victim approves remote access, attackers quickly deploy digitally signed MSI installers disguised as Microsoft Teams components and CrossDeviceService packages.
Investigators found that some of these MSI files were hosted on Microsoft’s personal cloud storage through tokenized links. This method makes downloads appear more trustworthy and can complicate forensic investigations later.
The installers then place files in user AppData directories designed to resemble legitimate Microsoft software locations. Attackers use DLL sideloading to execute malicious code.
One example identified in the investigation was a file named Update.msi, which contained a fake hostfxr.dll instead of the legitimate Microsoft-signed .NET component. This allowed attackers to run their malicious loader while appearing to behave like normal Windows software.
Malware designed to evade detection
The loader includes several features aimed at avoiding security detection. Researchers observed runtime decryption, heavy thread creation, and anti-analysis checks that look for sandbox environments such as QEMU.
If the system appears suspicious, the malware changes its decryption logic and fails to unlock properly, making it harder for analysts to study the sample.
The final payload, called A0Backdoor, operates as a memory-resident backdoor. It first fingerprints the infected system and then communicates through covert DNS tunneling.
Instead of connecting directly to attacker servers, the malware sends MX record lookups to public DNS resolvers such as 1.1.1.1. Encoded data is hidden inside DNS labels and responses.
Researchers say this design allows the traffic to blend with normal network activity and may bypass detection systems that focus on TXT-based DNS tunneling or direct command-and-control traffic.
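As an added detection example (not code from the article or the researchers), the following Python sweeps DNS query logs for workstation MX lookups with the traits described above: sent straight to a public resolver such as 1.1.1.1, and carrying long or high-entropy subdomain labels. The log format, field order, thresholds and sample lines are assumptions constructed for the example.

```python
import math
import re

# Constructed sample log, not from the article. Assumed format:
# "<timestamp> <client_ip> <resolver_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 10.0.0.2 A teams.microsoft.com
2024-06-01T10:00:02Z 10.0.0.5 10.0.0.2 MX example.com
2024-06-01T10:00:03Z 10.0.0.7 1.1.1.1 MX 7a9f3c1e0b4d2f8a6c5e1d3b9f0a7c2e.4d6e8a1c3f5b7d9e.a0-updates.example
2024-06-01T10:00:04Z 10.0.0.7 1.1.1.1 MX 9c1b5e7d3a2f4c6e8b0d1f3a5c7e9b2d.2f4a6c8e0b1d3f5a.a0-updates.example
2024-06-01T10:00:05Z 10.0.0.9 8.8.8.8 A www.example.org
"""

# Well-known public resolvers; endpoints behind a corporate resolver should not query them directly.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(text):
    """Bits per character; hex/base32-encoded payload labels score well above real hostnames."""
    n = len(text)
    return -sum((text.count(ch) / n) * math.log2(text.count(ch) / n) for ch in set(text))

def mx_tunnel_reasons(resolver, qtype, qname, max_label=24, min_entropy=3.5):
    """Return the tunneling indicators present in one MX query (empty list if none)."""
    if qtype.upper() != "MX":
        return []
    labels = qname.rstrip(".").lower().split(".")
    data_labels = labels[:-2]  # labels left of the zone apex (assumes a two-label registrable domain)
    reasons = []
    if resolver in PUBLIC_RESOLVERS:
        reasons.append("MX query sent directly to public resolver " + resolver)
    if any(len(label) >= max_label for label in data_labels):
        reasons.append("subdomain label of %d+ characters" % max_label)
    if data_labels and shannon_entropy("".join(data_labels)) >= min_entropy:
        reasons.append("high-entropy subdomain labels")
    return reasons

def find_suspicious_mx(log_text, min_reasons=2):
    """Parse log lines; return (client_ip, qname, reasons) for queries with enough indicators."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, resolver, qtype, qname = match.groups()
        reasons = mx_tunnel_reasons(resolver, qtype, qname)
        if len(reasons) >= min_reasons:  # require corroborating signals to limit noise
            findings.append((client, qname, reasons))
    return findings
```

A single MX lookup from a workstation to a public resolver is only one indicator, so the sweep reports a query once two of the three signals coincide; tune the thresholds against your own resolver telemetry.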
Investigations dating back to 2024 have documented similar attack chains involving Teams impersonation, Quick Assist misuse, and deployment of tools such as QakBot, Cobalt Strike and SystemBC, ending in Black Basta ransomware.
Researchers advise organisations to treat Microsoft Teams as a potential initial-access channel. They recommend restricting Quick Assist where it is not necessary, monitoring unexpected external Teams messages, and investigating signed MSI installers appearing in unusual user-writable directories.