Cybercriminals Exploit Microsoft Teams and Quick Assist to Deploy Stealthy A0Backdoor
A sophisticated cyberattack campaign has emerged, leveraging Microsoft Teams and the Windows Quick Assist tool to infiltrate corporate networks. This operation introduces a new malware strain, A0Backdoor, and is attributed to a threat group known as Blitz Brigantine, also identified as Storm-1811 and STAC5777, with connections to the Black Basta ransomware syndicate.
Attack Overview
Since August 2025, this campaign has primarily targeted professionals in the finance and healthcare sectors. The attackers initiate their scheme by overwhelming the victim’s email inbox with a deluge of spam messages, creating confusion and urgency. Subsequently, they contact the victim via Microsoft Teams, masquerading as IT support personnel offering assistance to resolve the email issue. Trusting the apparent legitimacy of the communication, the victim grants remote access through Quick Assist, a native Windows tool designed for remote support. This access allows the attackers to deploy their malicious payloads and establish a persistent presence on the compromised system.
Deployment of A0Backdoor
Upon securing remote access, the attackers deliver software disguised as legitimate Microsoft applications, including Microsoft Teams and a utility named CrossDeviceService. These are presented as digitally signed MSI installer files, enhancing their credibility. Analysis reveals that at least three code-signing certificates, dating back to July 2025, were utilized, indicating a prolonged and deliberate development phase.
The A0Backdoor malware collects system information such as the username and computer name to fingerprint the infected host. It communicates with its operators through DNS tunneling over public resolvers like 1.1.1.1, effectively masking the traffic and making detection more challenging. Identified victims include professionals at a Canadian financial institution and a global health organization.
Infection Mechanism: DLL Sideloading
The infection process employs DLL sideloading, a technique where a legitimate application loads a malicious DLL file placed in the same directory. In this case, the attackers replace the legitimate hostfxr.dll, a .NET hosting component signed by Microsoft, with a malicious version signed under the certificate name MULTIMEDIOS CORDILLERANOS SRL. When the legitimate executable runs, it loads the malicious DLL, allowing the malware to execute under the guise of a trusted process.
The malicious hostfxr.dll decrypts embedded data and transfers execution to a shellcode payload. To evade analysis, the loader issues excessive CreateThread calls, potentially crashing debuggers during runtime. The shellcode checks for virtual environments by querying firmware tables for indicators like the string QEMU and uses a time-based key system where the decryption key changes approximately every 55 hours. Executing the malware outside this window results in an incorrect key, rendering the payload inaccessible.
Command and Control Communication
The A0Backdoor establishes communication with its operators through DNS MX record queries using high-entropy subdomains, blending into normal network traffic. Instead of registering new domains that might raise suspicion, the attackers re-register older, lapsed domain names, evading detection tools designed to flag newly registered or algorithmically generated domains.
Mitigation Strategies
Organizations are advised to implement the following measures to mitigate such attacks:
– Restrict Quick Assist Usage: Disable or limit the use of Quick Assist across enterprise environments and enforce policies that block unsolicited remote access sessions.
– Employee Training: Educate employees to verify any IT support contact made through Microsoft Teams before granting access or sharing credentials.
– Monitor for Suspicious Activity: Security teams should monitor for MSI packages appearing in user AppData directories, flag outbound DNS MX queries directed at public resolvers, and watch for DNS tunneling activity within the network.
– Restrict External Access: Limit Microsoft Teams external access from unrecognized tenants to remove one of the primary channels this threat group relies on for initial contact.
By implementing these strategies, organizations can enhance their defenses against sophisticated social engineering attacks that exploit trusted communication platforms and remote support tools.
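The DNS monitoring advice above can be turned into a simple detection: flag MX queries sent straight to a public resolver whose leftmost label is long and high-entropy, the pattern the article describes for A0Backdoor's C2. This is an added example written for this page, not code from the article or any vendor; the resolver list beyond 1.1.1.1, the log format and the entropy threshold are assumptions.

```python
import math
from collections import Counter, namedtuple

# 1.1.1.1 is named in the article; the other resolvers are assumed additions.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed tuning value
MIN_LABEL_LEN = 12        # short labels like "mail" are never flagged

DnsQuery = namedtuple("DnsQuery", "src resolver qtype qname")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> DnsQuery:
    """Parse one constructed log line of the form 'src resolver qtype qname'."""
    src, resolver, qtype, qname = line.split()
    return DnsQuery(src, resolver, qtype.upper(), qname.rstrip(".").lower())


def is_suspicious(q: DnsQuery) -> bool:
    """True for an MX query to a public resolver with a high-entropy subdomain label."""
    if q.qtype != "MX" or q.resolver not in PUBLIC_RESOLVERS:
        return False
    labels = q.qname.split(".")
    if len(labels) < 3:   # need a subdomain below the registrable domain
        return False
    label = labels[0]
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def scan(lines):
    """Return the queries from an iterable of log lines that match the detection."""
    return [q for q in (parse_line(l) for l in lines if l.strip()) if is_suspicious(q)]


# Constructed sample log: two tunnelling-style MX lookups among ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.2 A www.example.com
10.0.0.5 1.1.1.1 MX mail.example.com
10.0.0.7 1.1.1.1 MX k7q2z9x4m1w8v3b6n0p5.example.net
10.0.0.7 1.1.1.1 MX a3f9c1e7b2d8f4a6c0e5.example.net
10.0.0.9 8.8.8.8 A cdn.example.org
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"suspicious MX query from {hit.src} via {hit.resolver}: {hit.qname}")
```

In a real deployment the resolver set should be replaced by "anything other than the organisation's own resolvers", since ordinary endpoints have no business sending MX lookups to 1.1.1.1 directly.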