Hackers Attack Employees Over Microsoft Teams to Trick Them Into Granting Remote Access



A social-engineering campaign abusing Microsoft Teams and Windows Quick Assist is evolving again, with BlueVoyant warning that the attackers are now deploying a newly identified malware family called A0Backdoor after convincing employees to hand over remote access.

The activity overlaps with tactics previously tied to Blitz Brigantine, also tracked as Storm-1811, a financially motivated cluster Microsoft has linked to Black Basta ransomware operations.

According to BlueVoyant, the attacks typically begin with email bombing, where a target is overwhelmed with junk messages and then contacted by someone posing as internal IT support over Microsoft Teams.

The attacker offers to help fix the email problem and persuades the employee to launch Quick Assist, a legitimate Microsoft remote-support tool that allows screen sharing and device control.

Microsoft previously warned that Storm-1811 used the same approach, sending Teams messages and calls from fake help desk accounts before requesting Quick Assist access.

Signed MSI Installers Hide a New Backdoor

Once the victim approves the session, BlueVoyant says the attackers move quickly to deploy digitally signed MSI installers disguised as Microsoft Teams-related components and CrossDeviceService packages.


In the cases investigated, some of those MSI files were hosted on Microsoft’s personal cloud storage through tokenized links, a delivery method that makes the downloads appear more trustworthy and can complicate later forensic collection.

BlueVoyant found that the installers dropped files into user AppData paths that mimicked legitimate Microsoft software locations, then relied on DLL sideloading to launch malicious code.

One sample highlighted by the company, Update.msi, included a fake hostfxr.dll in place of the legitimate Microsoft-signed .NET component, allowing the attackers to execute their loader while blending in with normal Windows and Microsoft software behavior.

The loader was built to frustrate defenders. BlueVoyant said it used runtime decryption, heavy thread creation, and anti-analysis logic, including checks for sandbox artifacts such as QEMU, before unlocking the next-stage payload.

If the environment looked wrong, the malware could alter its keying logic and fail to decrypt correctly, making the sample harder to analyze outside the intended conditions.

That final payload is what BlueVoyant calls A0Backdoor, a memory-resident backdoor that fingerprints the compromised host and then communicates through covert DNS tunneling instead of a more obvious direct connection.

Rather than beaconing straight to attacker infrastructure, the malware sends MX record lookups to public recursive resolvers such as 1.1.1.1, with encoded data hidden in DNS labels and responses.

BlueVoyant said that design helps the traffic blend in and may evade detections focused on TXT-based DNS tunneling or direct outbound command-and-control sessions.
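The traffic pattern described above (MX lookups for random-looking labels, sent straight to a public recursive resolver) is something a defender can hunt for in DNS query logs. The following is an added example written for this page, not tooling from BlueVoyant or the article; the log format, the host names, the domain `cdn-sync.example`, and the thresholds are all constructed, and the "strip the last two labels" rule for finding the encoded part of a name is an approximation that production code should replace with a public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not data from the BlueVoyant report).
# Columns: timestamp, source host, query type, resolver queried, name queried.
# ws-17 imitates the pattern from the article: MX lookups for high-entropy
# labels sent directly to a public resolver; ws-04 and ws-09 are normal noise.
SAMPLE_LOG = """\
2025-01-15T09:00:01 ws-17 MX 1.1.1.1 k3j9x0q2z8w1v5b7n4m6c2l0.cdn-sync.example
2025-01-15T09:00:01 ws-17 MX 1.1.1.1 p8o2i6u1y4t7r0e3w5q9z1x6.cdn-sync.example
2025-01-15T09:00:02 ws-17 MX 1.1.1.1 f2g7h1j5k9l3z6x0c4v8b2n1.cdn-sync.example
2025-01-15T09:00:02 ws-17 MX 1.1.1.1 m4n8b1v5c9x3z7l2k6j0h4g8.cdn-sync.example
2025-01-15T09:00:03 ws-17 MX 1.1.1.1 q1w5e9r3t7y2u6i0o4p8a2s6.cdn-sync.example
2025-01-15T09:00:03 ws-17 MX 1.1.1.1 d3f7g1h5j9k3l7z1x5c9v3b7.cdn-sync.example
2025-01-15T09:00:04 ws-04 MX 10.0.0.53 mail.example.com
2025-01-15T09:00:05 ws-04 A 10.0.0.53 teams.microsoft.com
2025-01-15T09:00:06 ws-04 MX 10.0.0.53 example.com
2025-01-15T09:00:07 ws-09 A 10.0.0.53 login.microsoftonline.com
"""

# Well-known public recursive resolvers; 1.1.1.1 is the one named in the article.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits per character. Encoded/random labels score roughly 4-5, words 2-3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, qtype, resolver, qname = m.groups()
    return {"ts": ts, "host": host, "qtype": qtype.upper(),
            "resolver": resolver, "qname": qname.lower().rstrip(".")}


def encoded_payload(qname):
    """Labels left of the registrable domain, joined. Dropping the last two
    labels is an approximation; use the public suffix list in production."""
    return "".join(qname.split(".")[:-2])


def analyze(log_text, min_queries=5, entropy_threshold=3.5):
    """Return hosts issuing at least min_queries MX lookups whose subdomain
    part looks encoded, noting whether any went straight to a public resolver."""
    stats = defaultdict(lambda: {"suspicious_mx": 0, "public_resolver": 0,
                                 "max_entropy": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "MX":
            continue
        ent = shannon_entropy(encoded_payload(rec["qname"]))
        if ent < entropy_threshold:
            continue
        s = stats[rec["host"]]
        s["suspicious_mx"] += 1
        s["max_entropy"] = max(s["max_entropy"], ent)
        if rec["resolver"] in PUBLIC_RESOLVERS:
            s["public_resolver"] += 1
    alerts = {}
    for host, s in stats.items():
        if s["suspicious_mx"] >= min_queries:
            alerts[host] = {"suspicious_mx": s["suspicious_mx"],
                            "max_entropy": round(s["max_entropy"], 2),
                            "direct_to_public_resolver": s["public_resolver"] > 0}
    return alerts


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG).items():
        print(host, info)
```

The check keys on MX rather than TXT because, as the article notes, detections tuned for TXT-based tunneling would miss this variant; the entropy gate keeps ordinary MX lookups for mail domains out of the alert, and the resolver field separates "went around the corporate resolver" from "tunneled through it", which are different response actions.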

The campaign matters because it shows the same playbook defenders have been tracking since 2024 is still working, but with refreshed tooling and more covert command-and-control.

Microsoft documented the earlier chain as Teams or voice-based impersonation followed by Quick Assist misuse, then deployment of follow-on tools such as QakBot, Cobalt Strike, SystemBC, and eventually Black Basta ransomware.

Trend Micro later reported similar email-bombing, Teams impersonation, and Quick Assist activity in Black Basta and Cactus intrusions, reinforcing the broader pattern BlueVoyant now links to this newer malware cluster.

For defenders, the lesson is clear: treat Microsoft Teams as an initial-access channel, not just a collaboration app. Organizations should restrict or remove Quick Assist where it is not required, monitor for unsolicited external Teams chats, and investigate signed MSI installers or Microsoft-branded binaries appearing in unusual user-writable directories.
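The DLL sideloading described earlier (a fake hostfxr.dll dropped into an AppData path beside Microsoft-branded components) and the recommendation to investigate Microsoft-branded binaries in user-writable directories can be turned into a triage rule over a file inventory. Below is an added example for this page, not BlueVoyant's or Microsoft's code. It assumes an inventory of (path, signer) pairs such as an EDR or Sysmon export would give you; every path and signer in the sample is constructed, including the `8.0.0` host version and the `Update.exe` name, and the only indicator taken from the article is the file names hostfxr.dll and Update.msi. The standard location of the shared hostfxr.dll is under `C:\Program Files\dotnet\host\fxr\`, but self-contained .NET applications legitimately ship their own copy, so the rule keys on the signature rather than on the path alone.

```python
import ntpath
from collections import defaultdict

MICROSOFT_SIGNER = "microsoft corporation"
# DLLs that a .NET app host loads from its own directory. hostfxr.dll is the
# name from the report; extend with other host DLLs your environment tracks.
SIDELOAD_TARGET_DLLS = {"hostfxr.dll"}

# Constructed inventory of (path, signer subject or None). Paths, the version
# directory and the non-Microsoft signers are illustrative, not indicators.
SAMPLE_INVENTORY = [
    (r"C:\Program Files\dotnet\host\fxr\8.0.0\hostfxr.dll", "Microsoft Corporation"),
    # A Microsoft-signed .NET app host copied under AppData, plus an unsigned
    # hostfxr.dll next to it: the sideloading pattern the article describes.
    (r"C:\Users\jdoe\AppData\Local\Microsoft\TeamsUpdate\Update.exe", "Microsoft Corporation"),
    (r"C:\Users\jdoe\AppData\Local\Microsoft\TeamsUpdate\hostfxr.dll", None),
    (r"C:\Users\jdoe\Downloads\Update.msi", "Example Software Ltd"),
    # A self-contained .NET app carrying the genuine, Microsoft-signed hostfxr.dll.
    (r"C:\Users\jdoe\AppData\Local\Programs\SomeTool\SomeTool.exe", "SomeTool Inc"),
    (r"C:\Users\jdoe\AppData\Local\Programs\SomeTool\hostfxr.dll", "Microsoft Corporation"),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Microsoft Corporation"),
]


def is_user_writable(path):
    """Crude test: anything under a user profile. Extend with ProgramData,
    Temp and other locations a standard user can write to."""
    return path.lower().startswith("c:\\users\\")


def triage(inventory):
    """Return (path, severity, reason) findings for sideloading candidates and
    for installers sitting in user-writable directories."""
    by_dir = defaultdict(list)
    for path, signer in inventory:
        by_dir[ntpath.dirname(path).lower()].append((path, (signer or "").lower()))

    findings = []
    for files in by_dir.values():
        # A Microsoft-signed EXE in the same directory is the "host" half of
        # the sideloading pair; the DLL it loads is the half to check.
        ms_exe_present = any(p.lower().endswith(".exe") and s == MICROSOFT_SIGNER
                             for p, s in files)
        for path, signer in files:
            name = ntpath.basename(path).lower()
            if name in SIDELOAD_TARGET_DLLS and signer != MICROSOFT_SIGNER:
                if ms_exe_present and is_user_writable(path):
                    findings.append((path, "high",
                                     f"{name} without a Microsoft signature beside a "
                                     "Microsoft-signed EXE in a user-writable directory"))
                else:
                    findings.append((path, "medium",
                                     f"{name} without a Microsoft signature"))
            elif name.endswith(".msi") and is_user_writable(path):
                # The article's installers were signed, so a valid signature
                # is not a reason to skip review.
                findings.append((path, "review",
                                 "MSI in a user-writable directory; a valid "
                                 "signature does not clear it"))
    return findings


if __name__ == "__main__":
    for path, severity, reason in triage(SAMPLE_INVENTORY):
        print(f"[{severity}] {path}: {reason}")
```

The genuine copies of hostfxr.dll under Program Files and inside the self-contained SomeTool directory are left alone because they carry the Microsoft signature; the unsigned copy beside a Microsoft-signed executable under AppData is the case worth escalating, and the MSI in Downloads is queued for review regardless of who signed it.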

BlueVoyant’s latest findings suggest the attackers are not abandoning a successful scam, but quietly refining it to look more legitimate while making their malware far harder to spot.
