New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering
Essential information
- Published: 07/03/2026 09:44
- Modified: 09/03/2026 11:00
- Tags: 2026-03-07 a0backdoor dns tunneling email bombing sideloading social engineering teams impersonation
- Related entities: 2 observables, 1 intrusion set (APT), 1 malware, 4 others
Description
A new backdoor, dubbed A0Backdoor, has been discovered in connection with a campaign that combines email bombing with IT-support impersonation over Microsoft Teams to persuade victims to grant Quick Assist access. The malware's loader exhibits anti-sandbox evasion techniques, and the campaign's command-and-control has shifted to a covert channel built on DNS mail exchange (MX) lookups. The activity is attributed to the threat group Blitz Brigantine, also known as Storm-1811 or STAC5777, and shows similarities to Black Basta-linked social-engineering tactics. The attackers deliver their proprietary tooling in digitally signed MSI packages, often hosted on Microsoft cloud storage. A0Backdoor employs techniques such as time-based execution windows, runtime decryption, and DNS tunneling for covert communication. The campaign has been active since August 2025 and primarily targets the finance and health sectors.