New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering

Published 07/03/2026 09:44 · Modified 09/03/2026 11:00

Essential information

Tags
2026-03-07 a0backdoor dns tunneling email bombing sideloading social engineering teams impersonation
Related entities
2 observables, 1 intrusion sets (apt), 1 malware, 4 others

Description

A new backdoor, dubbed A0Backdoor, has been discovered in connection with a campaign using and IT-support impersonation over Microsoft Teams to gain Quick Assist access. The malware's loader exhibits anti-sandbox evasion techniques, and the campaign's command-and-control has shifted to a covert DNS mail exchange-based channel. This activity is attributed to the threat group Blitz Brigantine, also known as Storm-1811 or STAC5777, and shows similarities to Black Basta-linked social-engineering tactics. The attackers use digitally signed MSI packages, often hosted on Microsoft cloud storage, to deliver their proprietary tooling. The employs sophisticated techniques such as time-based execution windows, runtime decryption, and for covert communication. The campaign has been active since August 2025, targeting primarily the finance and health sectors.

External references