Mallory
2 malware families

Blitz Brigantine

Also known as: blitz_brigantine

Blitz Brigantine, also tracked as Storm-1811 and STAC5777, is a financially motivated threat cluster linked to Black Basta and Cactus ransomware operations. Reporting describes it as a ransomware affiliate and notes that Microsoft has linked Storm-1811 to Black Basta activity. The group has targeted finance and healthcare organizations, including victims across the United States, United Kingdom, Germany, Canada, Australia, France, Japan, South Korea, Singapore, and Switzerland. It relies on social engineering for initial access, notably email bombing followed by Microsoft Teams messages or vishing in which the operators impersonate internal IT or help desk staff. Victims are persuaded to launch Windows Quick Assist, which gives the operators remote access. Once inside, the actors deploy trojanized MSI installers masquerading as Microsoft software such as Teams-related updates or Cross Device Add-in packages, sometimes hosted on personal Microsoft cloud storage. The installers drop legitimate Microsoft binaries together with malicious DLLs and abuse DLL sideloading, including replacement of hostfxr.dll and in some cases clipsp.dll. The malicious DLL acts as a loader for A0Backdoor, a memory-resident backdoor used for host fingerprinting, information theft, persistence, reconnaissance, and follow-on intrusion activity that can precede ransomware deployment. Reported anti-analysis features include QEMU and sandbox checks, IsDebuggerPresent checks, heavy junk thread creation, runtime-only decryption, and a roughly 55-hour execution window tied to payload decryption. The malware has also been reported to require a hidden trailing space character in a command line prompt to derive the correct decryption key.
A0Backdoor uses covert DNS tunneling for command and control, including MX-style DNS queries sent through trusted public resolvers such as 1.1.1.1 and 8.8.8.8, with encoded victim metadata and command data embedded in DNS labels and responses. One reported C2 domain was fsdgh[.]com. Reporting describes this activity as an evolution from older ransomware-focused tradecraft toward more customized and stealth-focused intrusions.
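As an added defender-side illustration (not code from this page or from any of the cited reports), the following Python flags the pattern described above: MX queries sent straight to public resolvers whose subdomain labels look like encoded data rather than hostnames. The log format, the sample lines and the length/entropy thresholds are assumptions; the resolver addresses and the fsdgh.com domain come from the text above.

```python
import math
from collections import Counter, defaultdict

# Resolvers the reporting names as the path A0Backdoor's MX queries take.
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8"}
MIN_LABEL_LEN = 16   # encoded metadata labels are long; threshold is an assumption
MIN_ENTROPY = 3.0    # bits per character; hostnames normally score lower (assumption)

# Constructed sample lines (not real telemetry): time client resolver qtype qname.
# fsdgh.com is the C2 domain reported for this cluster; the labels are made up.
SAMPLE_LOG = """\
2026-03-10T09:00:01Z 10.0.5.23 10.0.0.53 A teams.microsoft.com
2026-03-10T09:00:02Z 10.0.5.23 1.1.1.1 MX 7a3f9b2c1d4e8f0a6b5c9d2e.qw12xz.fsdgh.com
2026-03-10T09:00:03Z 10.0.5.23 8.8.8.8 MX 9c0d1e2f3a4b5c6d7e8f9a0b.aa55bb.fsdgh.com
2026-03-10T09:00:05Z 10.0.7.9 10.0.0.53 MX example.org
2026-03-10T09:00:06Z 10.0.5.23 1.1.1.1 MX c1d2e3f4a5b6c7d8e9f0a1b2.zz91qq.fsdgh.com
2026-03-10T09:00:07Z 10.0.7.9 8.8.8.8 MX mail.partner-company.example
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; hex- or base32-like encodings score high."""
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def parse_line(line: str) -> dict:
    ts, client, resolver, qtype, qname = line.split()
    return {"ts": ts, "client": client, "resolver": resolver,
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}

def is_suspicious(rec: dict) -> bool:
    """MX query that bypasses the internal resolver and carries a long, high-entropy label."""
    if rec["qtype"] != "MX" or rec["resolver"] not in PUBLIC_RESOLVERS:
        return False
    longest = max(rec["qname"].split("."), key=len)
    return len(longest) >= MIN_LABEL_LEN and shannon_entropy(longest) >= MIN_ENTROPY

def detect(log_text: str) -> dict:
    """Group suspicious queries by apex domain (last two labels; this simplification
    ignores multi-part public suffixes such as co.uk)."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            apex = ".".join(rec["qname"].split(".")[-2:])
            hits[apex].append((rec["client"], rec["resolver"], rec["qname"]))
    return dict(hits)

if __name__ == "__main__":
    for apex, queries in detect(SAMPLE_LOG).items():
        print(f"{apex}: {len(queries)} suspicious MX queries via public resolvers")
```

A hit on one apex domain from one client across several public resolvers is the shape worth alerting on; single long-label MX lookups to an internal resolver are usually benign mail infrastructure.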

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Financial Services
  • Health Care Equipment & Services
MITRE ATT&CK

Tradecraft

25 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics, 39 techniques. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (1 technique)

  • T1566 Phishing
  • T1566.003 Spearphishing via Service (×4)

TA0002 Execution (2 techniques)

  • T1204 User Execution
  • T1204.002 Malicious File
  • T1574 Hijack Execution Flow
  • T1574.001 DLL (×2)

TA0004 Privilege Escalation (1 technique)

  • T1055 Process Injection

TA0005 Stealth (8 techniques)

  • T1027 Obfuscated Files or Information (×2)
  • T1036 Masquerading (×4)
  • T1036.005 Match Legitimate Resource Name or Location
  • T1055 Process Injection
  • T1140 Deobfuscate/Decode Files or Information
  • T1218 System Binary Proxy Execution
  • T1218.007 Msiexec
  • T1497 Virtualization/Sandbox Evasion (×3)
  • T1497.001 System Checks (×2)
  • T1497.003 Time Based Checks
  • T1574 Hijack Execution Flow
  • T1574.001 DLL (×2)
  • T1622 Debugger Evasion (×2)

TA0112 Defense Impairment (1 technique)

  • T1553 Subvert Trust Controls
  • T1553.002 Code Signing (×3)

TA0007 Discovery (6 techniques)

  • T1033 System Owner/User Discovery
  • T1057 Process Discovery
  • T1082 System Information Discovery
  • T1497 Virtualization/Sandbox Evasion (×3)
  • T1497.001 System Checks (×2)
  • T1497.003 Time Based Checks
  • T1614 System Location Discovery
  • T1614.001 System Language Discovery
  • T1622 Debugger Evasion (×2)

TA0008 Lateral Movement (1 technique)

  • T1021 Remote Services
  • T1021.007 Cloud Services

TA0011 Command and Control (5 techniques)

  • T1071 Application Layer Protocol
  • T1071.004 DNS (×4)
  • T1105 Ingress Tool Transfer
  • T1219 Remote Access Tools (×2)
  • T1568 Dynamic Resolution (×2)
  • T1572 Protocol Tunneling
IOCS

Observables

14 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

breakglass intel (News)
Mar 12, 2026
Storm-1811 Signed Nine Times: An EV Code Signing Certificate, DNS MX Tunneling, and a Ransomware Precursor Built in Four Iterations - Breakglass Intelligence

Ransomware affiliate activity using the A0Backdoor family as a precursor for intrusion, persistence, reconnaissance, lateral movement, and eventual Black Basta or Cactus ransomware deployment. The campaign uses Teams vishing, Quick Assist abuse, trojanized MSI installers, DLL sideloading, and DNS MX tunneling for covert C2.

techrepublic.com security (News)
Mar 10, 2026
Hackers Pose as IT Staff in Microsoft Teams to Install Malware

Social-engineering-led initial access (Microsoft Teams impersonation / fake internal IT support) followed by deployment of malicious MSI installers and DLL sideloading to load a multi-stage payload culminating in A0Backdoor; historically linked in the article to follow-on ransomware operations.

gbhackers (News)
Mar 10, 2026
Hackers Use Microsoft Teams to Manipulate Employees Into Allowing Remote Access

Conducting social-engineering intrusions against finance and healthcare employees by impersonating internal IT support, using email bombing and Microsoft Teams to obtain Quick Assist remote access, then deploying a stealthy loader and A0Backdoor for persistence and information theft.

cyber security news (News)
Mar 10, 2026
Hackers Attack Employees Over Microsoft Teams to Trick Them Into Granting Remote Access

Financially motivated intrusion cluster using Microsoft Teams impersonation and Windows Quick Assist social engineering to gain remote access, then deploying signed MSI-based loaders/backdoors and (in prior documented chains) follow-on tooling leading to ransomware deployment.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (25)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (2)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (14)

Domains, IPs, and hashes tied to this actor, refreshed continuously.