Attackers Abuse Microsoft Teams and Quick Assist to Deploy Stealthy A0Backdoor
A sophisticated social‑engineering campaign is exploiting Microsoft Teams and Quick Assist, the built‑in remote assistance tool in Windows, to deliver a newly identified malware strain known as A0Backdoor. The operation is attributed to a threat group tracked as Blitz Brigantine, Storm‑1811, and STAC5777, with established ties to the Black Basta ransomware ecosystem.
Active since August 2025 and continuing through February 2026, the campaign has primarily targeted financial and healthcare professionals, leveraging trust in enterprise collaboration and remote‑support tools to compromise victims.
🚨 Social Engineering: The Initial Attack Chain
The intrusion begins with a high‑volume email flooding attack, where the threat actor sends thousands of spam messages to the victim’s inbox. The resulting confusion and urgency set the stage for the next step: fake support outreach.
The attackers then contact the victim through Microsoft Teams, impersonating internal IT support and offering help to fix the email issue. Believing the communication to be legitimate, the victim grants remote access via Quick Assist, allowing the adversary to control the system directly.
Once Quick Assist access is established, the threat actor quickly deploys tools, implants malware, and prepares the system for long‑term persistence.
🛠️ Malware Delivery: Digitally Signed Payloads Masquerading as Microsoft Tools
Investigators identified two incidents in which A0Backdoor was distributed through MSI packages disguised as:
- Microsoft Teams installers
- A utility named CrossDeviceService
These MSI files were digitally signed, giving them the appearance of authentic, trusted software. Researchers found at least three separate code‑signing certificates used as far back as July 2025, indicating long‑term preparation and toolset development.
Once executed, these installers deployed files intended to mimic legitimate Microsoft components.
🧬 How A0Backdoor Establishes Persistence: DLL Sideloading
A0Backdoor’s sophistication is best demonstrated in its DLL sideloading technique.
1. Malicious hostfxr.dll
The MSI file installs what appears to be a normal Microsoft application, but swaps the legitimate hostfxr.dll — a real .NET runtime file — with a malicious version signed under the name “MULTIMEDIOS CORDILLERANOS SRL.”
2. Execution Under a Trusted Process
When the real executable runs, it loads the fake DLL, which allows the malware to execute silently, disguised as a trustworthy Microsoft component.
3. Encrypted Payload & Evasion Techniques
Inside the malicious DLL:
- The malware decrypts embedded payload data and transfers execution to the hidden shellcode.
- It spawns excessive CreateThread calls to crash debuggers and frustrate analysis.
- The malware checks for virtualization by scanning firmware tables for keywords like QEMU.
- A time‑based decryption key, rotating roughly every 55 hours, prevents execution outside the intended window, keeping analysis difficult.
🌐 Stealthy Command‑and‑Control Through DNS Tunneling
Once operational, A0Backdoor fingerprints the infected device by collecting:
- Username
- Computer name
- System metadata
Instead of connecting to attacker infrastructure directly, the malware uses DNS MX record queries to send data through public DNS resolvers (e.g., 1.1.1.1)—a stealth technique that blends malicious traffic into normal enterprise DNS patterns.
To avoid triggering security tools that flag newly registered domains, the attackers re‑registered expired domain names to use as covert C2 destinations.
Victims confirmed in the campaign include:
- A Canadian financial services professional
- A global healthcare organization staffer
💥 Deep Dive: The Loader and Payload Architecture
DLL Sideloading Loader
- Loads as part of a trusted Microsoft process
- Unpacks encrypted shellcode from its own resources
- Uses anti‑VM and anti‑debugging logic
- Initiates DNS‑based communication
A0Backdoor Payload
- Operates fully over DNS tunneling
- Uses high‑entropy subdomains for stealth
- Relies on MX queries for command/responses
- Avoids direct IP contact with malicious hosts
- Passes through standard enterprise DNS traffic undetected
🛡 Recommended Mitigations for Organizations
Because the attack leverages legitimate enterprise tools (Teams and Quick Assist), organizations must strengthen user awareness and enforce strict access policies:
1. Restrict or Disable Quick Assist
Block Quick Assist unless explicitly needed in managed helpdesk environments.
2. Validate All IT Support Communications
Train employees to:
- Verify support personnel through official channels
- Never approve unsolicited remote‑access requests
- Treat unexpected Teams messages with suspicion
3. Harden External Access Controls
- Limit or disable Microsoft Teams external access
- Block unknown or untrusted tenants from initiating chats
4. Monitor for Suspicious MSI Installers
Flag MSI packages appearing in:
- %AppData%
- %LocalAppData%
Especially those signed by unknown certificate authorities.
5. Detect DNS‑Based C2 Patterns
Implement alerting for:
- High‑entropy DNS subdomains
- Suspicious MX record lookups
- Repeated DNS queries to public resolvers with abnormal patterns
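The three alerting conditions above can be expressed as a small detection pass over resolver logs. The following Python script is an added example, not code from the article or from the researchers who analysed A0Backdoor: it scores the leftmost label of each queried name with Shannon entropy, flags MX lookups sent to public resolvers, and counts MX bursts per source host. The log format, the sample lines, the resolver list and all thresholds are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample resolver log (not real traffic): one query per line,
# fields are "timestamp src_ip resolver_ip qtype qname".
SAMPLE_DNS_LOG = """\
2026-02-03T10:00:01Z 10.0.5.21 10.0.0.53 A mail.example-corp.local
2026-02-03T10:00:02Z 10.0.5.21 1.1.1.1 MX k7x2q9vz4p1wm3n8rj.svc-update-reg.example
2026-02-03T10:00:04Z 10.0.5.21 1.1.1.1 MX b3n9zq1x8v2kw7pm4t.svc-update-reg.example
2026-02-03T10:00:06Z 10.0.5.21 1.1.1.1 MX d0r5yt6u3h8jkq2nlm.svc-update-reg.example
2026-02-03T10:00:07Z 10.0.5.22 10.0.0.53 MX example-corp.local
2026-02-03T10:00:09Z 10.0.5.23 10.0.0.53 A www.example-corp.com
"""

# Assumed tuning values; baseline them against your own traffic.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
ENTROPY_THRESHOLD = 3.5   # bits per character; 18 distinct chars score ~4.17
MIN_LABEL_LEN = 8         # a label shorter than this cannot reach the threshold
MX_BURST_THRESHOLD = 3    # MX queries from one host to one public resolver


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Split one log line into a record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, resolver, qtype, qname = parts
    return {"ts": ts, "src": src, "resolver": resolver,
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}


def data_label(qname):
    """Leftmost label when the name has a subdomain below the registrable domain."""
    labels = qname.split(".")
    return labels[0] if len(labels) >= 3 else ""


def analyze(log_text):
    """Return a list of findings (dicts) for the three alerting conditions."""
    findings = []
    mx_to_public = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        label = data_label(rec["qname"])
        ent = shannon_entropy(label)
        # Condition 1: high-entropy subdomain label (data carried in the name)
        if len(label) >= MIN_LABEL_LEN and ent >= ENTROPY_THRESHOLD:
            findings.append({"rule": "high_entropy_label", "src": rec["src"],
                             "qtype": rec["qtype"], "qname": rec["qname"],
                             "entropy": round(ent, 2)})
        # Condition 2/3: MX lookups to a public resolver, counted per source
        if rec["qtype"] == "MX" and rec["resolver"] in PUBLIC_RESOLVERS:
            mx_to_public[(rec["src"], rec["resolver"])] += 1
    for (src, resolver), count in mx_to_public.items():
        if count >= MX_BURST_THRESHOLD:
            findings.append({"rule": "mx_burst_to_public_resolver", "src": src,
                             "resolver": resolver, "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DNS_LOG):
        print(finding)
```

Endpoints that legitimately query MX records are usually mail servers, so a short allowlist of those hosts plus an entropy baseline per registrable domain keeps the noise down; an MX query whose leftmost label is both long and high-entropy, from a workstation, to a resolver outside the corporate forwarder, is the combination worth paging on.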
6. Strengthen Endpoint Monitoring
Ensure EDR coverage of:
- Loading of hostfxr.dll from outside Windows directories
- Excessive thread creation patterns
- Processes calling DNS APIs with irregular parameters
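Mitigations 4 and 6 both come down to rules over endpoint telemetry. The Python below is an added example, not code from the article or from any EDR vendor: it evaluates constructed image-load and file-create records for (a) hostfxr.dll loaded from somewhere other than the Windows directory or the .NET host install folder, or carrying a non-Microsoft signer, and (b) MSI files written under a user's AppData tree, with severity raised when the signer is not on the trusted list. The event schema, sample records, signer allowlist and allowed-root list are assumptions; the .NET host folder under Program Files is included because that is where the legitimate hostfxr.dll ships.

```python
import ntpath
import re

# Constructed sample EDR-style telemetry (no real host or incident data).
SAMPLE_EVENTS = [
    {"type": "image_load",
     "process": r"C:\Program Files\dotnet\dotnet.exe",
     "module": r"C:\Program Files\dotnet\host\fxr\8.0.4\hostfxr.dll",
     "signer": "Microsoft Corporation"},
    {"type": "image_load",
     "process": r"C:\Users\alice\AppData\Local\CrossDeviceService\CrossDeviceService.exe",
     "module": r"C:\Users\alice\AppData\Local\CrossDeviceService\hostfxr.dll",
     "signer": "MULTIMEDIOS CORDILLERANOS SRL"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Teams_windows_x64.msi",
     "signer": "MULTIMEDIOS CORDILLERANOS SRL"},
    {"type": "file_create",
     "path": r"C:\Users\alice\Downloads\quarterly-report.pdf",
     "signer": None},
    {"type": "file_create",
     "path": r"C:\Windows\Installer\1a2b3c.msi",
     "signer": "Microsoft Corporation"},
]

# Assumed allowlists; extend to match your estate.
TRUSTED_SIGNERS = {"microsoft corporation", "microsoft windows"}
HOSTFXR_ALLOWED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\dotnet\\",
    "c:\\program files (x86)\\dotnet\\",
)
# Matches %AppData% (Roaming) and %LocalAppData% (Local) for any user profile.
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\")


def norm(path):
    """Normalise a Windows path for comparison (case-folded, backslashes)."""
    return ntpath.normcase(ntpath.normpath(path))


def hostfxr_finding(ev):
    """Flag hostfxr.dll loaded from an unexpected location or with an untrusted signer."""
    module = norm(ev["module"])
    if ntpath.basename(module) != "hostfxr.dll":
        return None
    reasons = []
    if not module.startswith(HOSTFXR_ALLOWED_ROOTS):
        reasons.append("module_outside_allowed_roots")
    if (ev.get("signer") or "").lower() not in TRUSTED_SIGNERS:
        reasons.append("untrusted_signer")
    if not reasons:
        return None
    return {"rule": "hostfxr_untrusted", "process": ev["process"],
            "module": ev["module"], "signer": ev.get("signer"), "reasons": reasons}


def msi_finding(ev):
    """Flag MSI packages dropped under AppData; untrusted signer raises severity."""
    path = norm(ev["path"])
    if not path.endswith(".msi") or not APPDATA_RE.match(path):
        return None
    signer = (ev.get("signer") or "").lower()
    severity = "high" if signer not in TRUSTED_SIGNERS else "medium"
    return {"rule": "msi_in_appdata", "path": ev["path"],
            "signer": ev.get("signer"), "severity": severity}


def evaluate(events):
    """Run both rules over a stream of telemetry records and collect findings."""
    findings = []
    for ev in events:
        if ev["type"] == "image_load":
            f = hostfxr_finding(ev)
        elif ev["type"] == "file_create":
            f = msi_finding(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Self-contained .NET applications ship their own copy of hostfxr.dll next to the executable, so the location rule alone will fire on legitimate software; the signer check is what separates a vendor's bundled runtime from a sideloaded replacement, which is why the two conditions are reported together rather than as a single boolean.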
Conclusion
The A0Backdoor campaign demonstrates a dangerous evolution in social engineering and stealth persistence. By abusing Microsoft Teams trust relationships, Quick Assist’s remote‑access capabilities, and MSI installers signed with stolen certificates, attackers create a convincing and highly evasive attack chain. Combined with DNS‑based command‑and‑control and advanced anti‑analysis features, A0Backdoor represents a significant threat to enterprise environments—especially in finance and healthcare.
Organizations must respond with a blend of user training, tool restrictions, network monitoring, and endpoint defenses to prevent future compromises.