Attackers are using email bombing, Microsoft Teams impersonation, and Quick Assist abuse to deploy malware.
Cybersecurity researchers have discovered a new attack campaign that combines email bombing, Microsoft Teams impersonation, and Quick Assist–based social engineering to breach corporate systems. Once attackers gain remote access, they deploy a newly identified malware family known as A0Backdoor to maintain covert control over compromised machines.
According to BlueVoyant researchers, the attackers begin by overwhelming a victim’s inbox with spam to create confusion, then quickly follow up with a message on Microsoft Teams while impersonating internal IT staff offering help. This combination of disruption and fraudulent reassurance makes targets more likely to trust the impostor, who then instructs them to open Microsoft’s Quick Assist tool, which grants the attacker remote access to their machine.
Once connected, the threat actor silently deploys digitally signed MSI installers that appear to be legitimate Microsoft components but actually contain malicious payloads. These installers use techniques like DLL sideloading and anti-analysis measures to launch the A0Backdoor. The backdoor enables covert persistence and communication through DNS-based channels and blends seamlessly into normal enterprise activity.
The loader is designed to resist analysis: it decrypts its code only at runtime, spawns numerous threads to disrupt debugging, and checks for signs of virtualization or sandbox environments before executing the next stage. These evasive behaviors help it blend in with normal system activity while it prepares and delivers the A0Backdoor payload without revealing its true intentions.
A0Backdoor operates entirely in memory, which allows it to avoid leaving traditional file traces while gathering details about the compromised system and quietly exchanging data through DNS MX–based tunneling that resembles ordinary DNS activity. This malware is part of a broader campaign attributed to the threat group Blitz Brigantine (also known as Storm‑1811 or STAC5777), which has connections to operations associated with Black Basta. The attacks primarily focus on finance and healthcare organizations, which are valuable targets because of the sensitive data they hold.
Organizations can reduce their exposure to this campaign by tightening controls around remote‑support tools and strengthening communication security. Moreover, administrators should limit or disable the use of Quick Assist, monitor for unexpected Teams messages, and enforce strict verification procedures for any IT‑related contact to help prevent attackers from gaining initial trust and remote access. Companies should also closely monitor MSI installers that are unusual or unsigned, particularly those that mimic Microsoft components or originate from personal cloud storage.
It’s highly recommended to strengthen detection capabilities within corporate networks. Security teams should enhance monitoring for DLL sideloading behavior, anomalous DNS MX traffic, and signs of runtime‑decrypted or anti‑analysis malware activity. Organizations should also ensure employee awareness training and vigilant endpoint monitoring to prevent the exploitation of trusted collaboration platforms such as Microsoft Teams.
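As an added illustration of the "anomalous DNS MX traffic" monitoring recommended above (this is example code written for this page, not a detection from BlueVoyant or any product), the script below runs a simple heuristic over resolver query logs: it groups MX queries per client and per registered domain, then flags groups with many distinct queries whose leftmost labels are long and high-entropy, which is the shape encoded data tends to take when it is carried in DNS names. The log format, the sample lines, the `c2-placeholder.test` domain, the thresholds and the two-label approximation of a registered domain are all assumptions made for the example.

```python
"""Heuristic detector for DNS MX-based tunnelling in resolver query logs.

Example code added for illustration; not the page's or any vendor's tooling.
"""
import math
from collections import defaultdict

# Constructed sample resolver log (not real telemetry). Assumed line format:
# "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 MX example.com
2024-01-01T10:00:03 10.0.0.5 MX partner-corp.example
2024-01-01T10:00:04 10.0.0.7 MX 3f9a1c7e2b4d8e0f.s1.c2-placeholder.test
2024-01-01T10:00:05 10.0.0.7 MX 9b2e4d7a1f0c6e83.s1.c2-placeholder.test
2024-01-01T10:00:06 10.0.0.7 MX c71e0a9d2f4b8635.s1.c2-placeholder.test
2024-01-01T10:00:07 10.0.0.7 MX 5d8f3a1c9e2b7046.s1.c2-placeholder.test
2024-01-01T10:00:08 10.0.0.7 MX e2a6c9f04d1b3875.s1.c2-placeholder.test
2024-01-01T10:00:09 10.0.0.7 A www.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels approximate the registered domain.
    A production detector would consult a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, qtype, qname)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower()))
    return records


def detect_mx_tunnelling(records, min_queries=5, min_entropy=3.0, min_label_len=12):
    """Flag (client, domain) pairs whose MX queries look like an encoded channel.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    groups = defaultdict(list)
    for _ts, client, qtype, qname in records:
        if qtype != "MX":
            continue
        groups[(client, registered_domain(qname))].append(qname)

    findings = []
    for (client, domain), names in groups.items():
        if len(names) < min_queries:
            continue
        leftmost = [n.split(".")[0] for n in names]
        mean_entropy = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        mean_len = sum(len(l) for l in leftmost) / len(leftmost)
        all_distinct = len(set(names)) == len(names)  # data channels rarely repeat
        if mean_entropy >= min_entropy and mean_len >= min_label_len and all_distinct:
            findings.append({
                "client": client,
                "domain": domain,
                "mx_queries": len(names),
                "mean_label_entropy": round(mean_entropy, 2),
                "mean_label_len": round(mean_len, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_mx_tunnelling(parse_log(SAMPLE_LOG)):
        print("suspicious MX pattern:", finding)
```

The benign host in the sample issues a couple of MX lookups for ordinary mail domains and is never flagged; the second host issues a run of distinct, high-entropy labels under one domain and is. In practice the same grouping can be fed from a resolver's query log export, with thresholds set from a baseline of the environment's legitimate MX volume.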