Microsoft Teams Users Targeted in Fake IT Support Scam Linked to Black Basta Ransomware

Campaign abuses Microsoft Teams and Quick Assist to deploy previously undocumented backdoor.

Published on Mar 10, 2026

Cybersecurity researchers have uncovered a new backdoor used in a social-engineering campaign targeting enterprise users through Microsoft Teams and Windows Quick Assist.

The activity, tracked by BlueVoyant, appears linked to a threat cluster known as Blitz Brigantine (also tracked as Storm-1811) and associated with the Black Basta ransomware ecosystem.

According to the researchers, attackers begin by flooding employees’ inboxes with large volumes of spam emails. The move aims to confuse and prompt victims to believe their account or mailbox is malfunctioning.

Shortly afterward, the attackers contact the same employees through Microsoft Teams while posing as internal IT support staff. They offer to resolve the issue, asking the victim to grant remote access using Quick Assist, a built-in Windows remote support tool.

Once access is established, the attackers deploy malicious installer packages by making them look like legitimate Microsoft components. These installers place files in directories associated with CrossDeviceService and Teams, allowing the attackers to sideload a malicious dynamic-link library (DLL).

Researchers found that the DLL launches a previously undocumented payload they call A0Backdoor, which gives the attackers persistent access to the compromised systems.

DNS Tunneling Technique Helps Malware Blend With Legitimate Traffic

The loader used to deploy the backdoor includes various anti-analysis and detection-evasion techniques, such as encrypted payload delivery, excessive thread creation intended to disrupt debugging tools, and runtime decryption routines that hide key functionality until the malware executes.

After launching, A0Backdoor collects host information such as device names and user identity details using standard Windows application programming interfaces (APIs). The tactic allows the operators to uniquely fingerprint infected systems before issuing further commands.

The malware then establishes command-and-control (C2) communications using DNS tunneling. Instead of connecting directly to attacker-controlled servers, infected machines send DNS queries to public resolvers such as 1.1.1.1 or 8.8.8.8. The resolvers in turn fetch the answers from malicious authoritative name servers and relay them back to the infected host.

The attackers encode commands in DNS mail exchange (MX) records, embedding data within the responses for their domains. Because the traffic looks like ordinary DNS activity and only communicates with trusted resolvers, it can evade some monitoring tools designed to spot other forms of DNS tunneling.
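As an added defender-side example, not code from the BlueVoyant report: a small heuristic run over constructed DNS query logs that flags hosts sending repeated MX queries for long, high-entropy subdomains through the public resolvers named above. The log format, the thresholds and the example-c2.test domain are assumptions made for the example.

```python
"""Heuristic detector for the MX-record DNS tunneling described above.
Flags (client, parent domain) pairs that send many MX queries for long,
high-entropy subdomains through public resolvers. Log format, thresholds
and the sample lines are all constructed for this example."""
import math
from collections import Counter, defaultdict
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8"}   # resolvers named in the report
MIN_MX_QUERIES = 5     # assumed threshold; tune per environment
MIN_LABEL_LEN = 20     # encoded data needs long labels
MIN_ENTROPY = 3.5      # bits/char; assumed threshold for "looks encoded"

# Constructed sample log: epoch client resolver qtype qname
SAMPLE_LOG = """\
1710000000 10.0.0.5 8.8.8.8 A teams.microsoft.com
1710000001 10.0.0.5 8.8.8.8 MX 7a9f3k2m1x8q4z6w0v5b3n2c.example-c2.test
1710000002 10.0.0.5 8.8.8.8 MX q2w8e4r6t0y1u3i5o7p9a1s3.example-c2.test
1710000003 10.0.0.5 8.8.8.8 MX z9x8c7v6b5n4m3l2k1j0h9g8.example-c2.test
1710000004 10.0.0.5 8.8.8.8 MX f5g6h7j8k9l0q1w2e3r4t5y6.example-c2.test
1710000005 10.0.0.5 8.8.8.8 MX m1n2b3v4c5x6z7a8s9d0f1g2.example-c2.test
1710000006 10.0.0.7 10.0.0.1 MX mail.example.test
1710000007 10.0.0.9 1.1.1.1 MX outlook.com
"""

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_suspicious_label(qname: str) -> bool:
    """True when the leftmost label is long and high-entropy, i.e. looks encoded."""
    label = qname.split(".")[0]
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY

def find_mx_tunnel_candidates(log_text: str) -> dict:
    """Return {(client, parent_domain): count} for pairs at or above threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed or blank lines
        _ts, client, resolver, qtype, qname = fields
        if qtype != "MX" or resolver not in PUBLIC_RESOLVERS:
            continue                      # only MX queries via public resolvers
        if is_suspicious_label(qname):
            parent = ".".join(qname.split(".")[1:])
            counts[(client, parent)] += 1
    return {k: v for k, v in counts.items() if v >= MIN_MX_QUERIES}
```

Pair the hit with the source process (via Sysmon DNS events or equivalent) to confirm the querying binary is not an expected mail client before escalating.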

BlueVoyant says the campaign has been observed since at least Aug. 2025. It has reportedly targeted organizations in finance as well as a global health-aligned organization.

BlueVoyant assesses that the operation is an evolution of the Blitz Brigantine playbook, combining familiar social-engineering tactics with updated malware designed to blend into enterprise infrastructure and bypass defenses.