Threat Intel - Attackers Exploit Teams and Quick Assist
Basically, attackers are tricking people into giving them access to their computers using Microsoft tools.
A new backdoor, A0Backdoor, is exploiting Microsoft Teams and Quick Assist. Targeting finance and healthcare sectors, it poses significant risks to organizations. Security teams must act swiftly to mitigate this threat.
The Threat
A newly identified backdoor, known as A0Backdoor, has surfaced in a well-orchestrated social-engineering campaign. This campaign exploits Microsoft Teams and the Windows Quick Assist tool to gain unauthorized access to victims' machines. The threat actors behind this attack are tracked under various aliases, including Blitz Brigantine, Storm-1811, and STAC5777, with connections to the notorious Black Basta ransomware network. Active since at least August 2025, this campaign has targeted professionals in the finance and healthcare sectors, showcasing a refined attack strategy.
The attack begins with the threat group inundating the target's inbox with thousands of spam emails, creating confusion and urgency. They then reach out through Microsoft Teams, masquerading as IT support staff, and offer assistance with the email issues. Victims, believing they are communicating with legitimate support, grant remote access via Quick Assist, unwittingly allowing attackers to establish a foothold on their systems.
Who's Behind It
The threat group behind A0Backdoor has demonstrated a high level of sophistication in their methods. Analysts from BlueVoyant have identified multiple incidents linked to this campaign, revealing that the software delivered to victims is disguised as legitimate Microsoft applications. This includes not only Microsoft Teams but also a utility called CrossDeviceService, packaged as digitally signed MSI installer files. Such tactics lend the malware an appearance of authenticity, making it harder for victims to discern the threat.
The group has been building its custom toolset quietly for months, as evidenced by the use of at least three code-signing certificates dating back to July 2025. This careful planning and execution suggest a well-resourced and organized threat actor, capable of evading detection while executing their malicious activities.
Tactics & Techniques
The infection mechanism employed by A0Backdoor is particularly noteworthy. When the attackers drop the malicious MSI package onto a victim's machine, it installs a seemingly legitimate Microsoft application alongside a malicious DLL named hostfxr.dll, which the legitimate application loads in place of the genuine library. This method, known as DLL sideloading, allows the malware to run silently under the guise of a trusted, signed process. The malicious hostfxr.dll decrypts hidden data and transfers execution to a shellcode payload, complicating analysis and detection efforts.
Moreover, the malware employs advanced techniques to avoid detection. It issues excessive CreateThread calls to crash debuggers and checks for virtual environments to evade analysis. The final payload communicates with its operators through DNS tunneling, utilizing high-entropy subdomains that blend into normal network traffic. This stealthy approach makes it challenging for security teams to identify and mitigate the threat.
Defensive Measures
Organizations must take proactive steps to defend against the A0Backdoor threat. First and foremost, restricting the use of Quick Assist across enterprise environments is crucial. Implementing policies to block unsolicited remote access sessions can significantly reduce risk. Additionally, training employees to verify any IT support contact made through Microsoft Teams before granting access or sharing credentials is essential.
Security teams should remain vigilant by monitoring for MSI packages appearing in user AppData directories and flagging outbound DNS MX queries directed at public resolvers. Furthermore, restricting Microsoft Teams external access from unrecognized tenants can help mitigate the initial contact channels exploited by this threat group. By adopting these measures, organizations can bolster their defenses against the evolving tactics employed by A0Backdoor operators.
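As an added illustration of the DNS-side monitoring recommended above (this is example code, not from the original report or from BlueVoyant), the script below scans constructed DNS query log lines for MX queries sent to public resolvers whose query name carries a high-entropy label, the pattern the Tactics section describes. The log line format, the public-resolver watchlist and the entropy threshold are assumptions to be tuned to your own environment.

```python
import math
from collections import Counter

# Constructed sample DNS query log lines. Assumed format: client qtype qname resolver
SAMPLE_LOG = """\
10.0.4.21 A mail.contoso.example 10.0.0.53
10.0.4.21 MX k3j9x2q8v7z1m4p6.t.example 8.8.8.8
10.0.4.37 MX ab3f9c1e7d2b8a4f.c.example 1.1.1.1
10.0.4.37 A login.microsoftonline.com 10.0.0.53
10.0.4.21 MX contoso.example 10.0.0.53
"""

PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}  # assumed watchlist
ENTROPY_THRESHOLD = 3.5  # assumed: bits per character; random alphanumeric labels score near 4
MIN_LABEL_LEN = 12       # assumed: short labels are low-entropy by construction, so skip them


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; higher means closer to random (encoded data)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_label_entropy(qname: str) -> float:
    """Entropy of the most random-looking label in the query name, 0.0 if none is long enough."""
    labels = [lab for lab in qname.rstrip(".").split(".") if len(lab) >= MIN_LABEL_LEN]
    return max((shannon_entropy(lab) for lab in labels), default=0.0)


def flag_dns_lines(log_text: str) -> list:
    """Return one alert per MX query to a public resolver whose name has a high-entropy label."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than crash the scan
        client, qtype, qname, resolver = parts
        if qtype != "MX" or resolver not in PUBLIC_RESOLVERS:
            continue
        ent = max_label_entropy(qname)
        if ent >= ENTROPY_THRESHOLD:
            alerts.append({"client": client, "qname": qname,
                           "resolver": resolver, "entropy": round(ent, 2)})
    return alerts


if __name__ == "__main__":
    for alert in flag_dns_lines(SAMPLE_LOG):
        print(alert)
```

Internal MX lookups to the corporate resolver pass through untouched; only the two tunnel-shaped queries to public resolvers are raised.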
Cyber Security News