A0Backdoor
A0Backdoor is a newly identified, memory-resident backdoor used in social-engineering campaigns that abuse Microsoft Teams and Windows Quick Assist to gain remote access to victims. Reporting links the activity to Blitz Brigantine, also tracked as Storm-1811 and STAC5777, a financially motivated cluster associated with the Black Basta ransomware ecosystem and also linked in later reporting to Cactus. Observed targeting has focused on finance and healthcare organizations, including victims in Canada and broader campaigns spanning multiple countries.
The intrusion chain commonly begins with email bombing, followed by Microsoft Teams messages or calls from attackers impersonating internal IT or help desk staff. Victims are persuaded to launch Quick Assist and share access, after which the operators deploy digitally signed MSI installers masquerading as legitimate Microsoft software such as Teams components, Phone Link/CrossDeviceService, or related updates. These installers have been hosted on personal Microsoft cloud storage and use DLL sideloading by placing legitimate Microsoft binaries alongside malicious DLLs, especially a trojanized hostfxr.dll; a second sideloading vector using clipsp.dll has also been reported.
The malicious loader decrypts and executes A0Backdoor in memory and employs multiple anti-analysis and evasion techniques directly described in the reporting: virtualization and sandbox checks including QEMU artifacts, IsDebuggerPresent checks, excessive thread creation intended to disrupt debugging, runtime-only decryption, and a time-based decryption mechanism that only works within an approximately 55-hour window. Some reporting also notes dependence on a hidden trailing space character in command-line input to derive the correct decryption key. Breakglass Intelligence reported encrypted shellcode embedded in trojanized DLLs, use of exported hostfxr_* functions to mimic the legitimate .NET hosting component, and embedded dictionary words to reduce entropy.
Once active, A0Backdoor fingerprints the host and collects system information, including the username and computer or device details, using APIs including GetComputerNameW, GetUserNameExW, and DeviceIoControl. Its command-and-control channel uses covert DNS tunneling rather than direct outbound connections. Multiple sources state that it sends encoded victim metadata and receives commands via DNS MX record queries, often through trusted public recursive resolvers such as 1.1.1.1 and 8.8.8.8, with data embedded in high-entropy or long subdomains/labels. This MX-based approach is specifically noted as helping the malware blend with normal traffic and evade detections focused on TXT-record DNS tunneling. One report identified fsdgh[.]com as an attacker-controlled C2 domain used for this channel.
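A defender-side check for the MX-record tunneling pattern described above, added here as an illustration and not code from any of the cited reports: it scores DNS query log lines for MX lookups whose leftmost labels are long or high-entropy, and raises severity when the query went straight to 1.1.1.1 or 8.8.8.8 instead of an internal resolver. The log format, the two thresholds, the sample lines and the c2-placeholder.test domain are assumptions.

```python
import math
from collections import Counter
# Resolvers the reporting names as abused. Endpoints are assumed to use an
# internal resolver, so MX lookups sent straight to these are already odd.
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8"}
MIN_SUBDOMAIN_LEN = 20  # assumed threshold: encoded metadata makes long labels
MIN_ENTROPY_BITS = 3.5  # assumed threshold: ordinary hostnames sit well below
# Constructed sample log (not from any report): "client resolver qtype qname".
# c2-placeholder.test stands in for the real C2 domain named in the reporting.
SAMPLE_LOG = """\
10.0.0.5 1.1.1.1 MX z4k9qx2mt7rb5wn0lp8vc3yh1ja6fd.c2-placeholder.test
10.0.0.5 8.8.8.8 MX q2w9e4r7t1y0u3i6.o8p5a2s7d4f1g0h9.c2-placeholder.test
10.0.0.7 10.0.0.2 A intranet.corp.test
10.0.0.9 8.8.8.8 MX mail.corp.test
10.0.0.5 10.0.0.2 MX z4k9qx2mt7rb5wn0lp8vc3yh1ja6fd.c2-placeholder.test
"""

def shannon_entropy(s):
    """Bits of entropy per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def encoded_part(qname):
    """Labels left of the registrable domain (assumed to be the last two labels)."""
    return "".join(qname.rstrip(".").split(".")[:-2])

def assess(line):
    """MX plus a payload-shaped subdomain is the core signal; a public resolver raises severity."""
    client, resolver, qtype, qname = line.split()
    sub = encoded_part(qname)
    signals = []
    if len(sub) >= MIN_SUBDOMAIN_LEN:
        signals.append("long-subdomain")
    if shannon_entropy(sub) >= MIN_ENTROPY_BITS:
        signals.append("high-entropy-subdomain")
    payload_like = bool(signals)
    if resolver in PUBLIC_RESOLVERS:
        signals.append("public-resolver")
    if qtype != "MX" or not payload_like:
        severity = "none"
    else:
        severity = "high" if resolver in PUBLIC_RESOLVERS else "medium"
    return {"client": client, "qname": qname, "signals": signals, "severity": severity}

def find_suspicious(log):
    rows = (assess(l) for l in log.splitlines() if l.strip())
    return [r for r in rows if r["severity"] != "none"]
```

Legitimate MX lookups for short mail hostnames stay below both thresholds, so only the encoded-looking queries are returned, with the internal-resolver copy ranked lower than the ones sent to public resolvers.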
Additional campaign details reported with high confidence include use of digitally signed MSI installers and malicious DLLs, including samples signed with a now-revoked SSL.com Extended Validation certificate issued to MULTIMEDIOS CORDILLERANOS SRL of Argentina. Reported filenames and paths include Update.msi, UpdateFX.msi, and installation into %LocalAppData%\Microsoft\CrossDevice Share\25017.203.3370. Overall, the malware is described as a stealth-focused backdoor used for information theft, persistence, reconnaissance, and as a precursor to broader intrusion activity potentially leading to ransomware deployment.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Five months later in March this year, BlueVoyant published the forensics on a related campaign that drops a previously undocumented payload called A0Backdoor and judged it “an evolution of tactics, techniques and procedures associated with the BlackBasta ransomware gang...”
Once the initial checks pass, the malware drops the A0Backdoor into the computer’s memory. This backdoor is designed to steal information and maintain long-term access to the infected system.
Nine malware samples from the A0Backdoor family surfaced on MalwareBazaar today -- all signed with a now-revoked Extended Validation code signing certificate issued to an Argentinian media company.
A newly identified backdoor called A0Backdoor has emerged as part of a calculated social-engineering campaign that abuses Microsoft Teams and the Windows remote assistance tool Quick Assist.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
On 4 November last year, an external user signed into a customer environment under the display name “IT Support”... Within twenty-eight minutes they had opened a Quick Assist screen-share session against a target who believed he was speaking to colleagues.
MITRE ATT&CK mapping: Tactic: Initial Access | Technique: Phishing: Spearphishing via Service | ID: T1566.003 | Implementation: Microsoft Teams social engineering
Execution
2 techniques
MITRE ATT&CK mapping: Tactic: Execution | Technique: User Execution: Malicious File | ID: T1204.002 | Implementation: Update.msi execution via Quick Assist
Stealth
10 techniques
The malicious code only decrypts itself if it executes within a specific 55-hour time window after delivery... the malware requires a specific invisible Unicode space character appended to a command-line argument to generate the correct decryption key.
the tenants they registered for the operation carried display names so generic that they passed unnoticed: ‘Help Desk’, ‘Help Desk IT’, ‘Help Desk Support’, ‘IT Support’.
MITRE ATT&CK mapping: Tactic: Defense Evasion | Technique: Masquerading: Match Legitimate Name | ID: T1036.005 | Implementation: "Microsoft Cross Device Add-in" branding
the malicious hostfxr.dll sideloads itself into a legitimate process and decrypts A0Backdoor only once it is resident in memory
MITRE ATT&CK mapping: Tactic: Execution | Technique: System Services: Windows Installer | ID: T1218.007 | Implementation: MSI CustomAction type 1234 (SYSTEM context)
First, it uses an anti-sandbox trick by checking the computer’s firmware for signs of virtual testing environments like QEMU.
MITRE ATT&CK mapping: Tactic: Defense Evasion | Technique: Virtualization/Sandbox Evasion | ID: T1497.001 | Implementation: QEMU detection, 55-hour time window
“incorporates a time-based execution mechanism… divides it into execution windows lasting roughly 55 hours… outside the expected time slot… preventing… malware from executing successfully.”
Defense Impairment
1 technique
To make the files look completely safe, the hackers host them on personal Microsoft cloud storage accounts and sign them with digital certificates.
Discovery
8 techniques
The backdoor immediately gathers details about the computer, including the username and system device information, so the hackers can easily identify their new victim.
MITRE ATT&CK mapping: Tactic: Discovery | Technique: Process Discovery | ID: T1057 | Implementation: Process enumeration
MITRE ATT&CK mapping: Tactic: Discovery | Technique: System Language Discovery | ID: T1614.001 | Implementation: Locale checks
Lateral Movement
2 techniques
The cloud and software giant’s threat intelligence team had already documented the same operators abusing the Quick Assist remote support tool since mid-April that year... Within twenty-eight minutes they had opened a Quick Assist screen-share session against a target
"Approving a Quick Assist remote session would then allow the distribution of malicious MSI files..."
Command and Control
5 techniques
Even command-and-control hides in plain sight: rather than the TXT-record DNS tunnels that mature security operations centers have learned to flag, A0Backdoor encodes its instructions in DNS MX queries.
Data is encoded and hidden inside MX record queries — normally used for email routing
The victim, believing they are talking to company support, grants remote access through Quick Assist, a built-in Windows tool that lets one computer be controlled by another.
The hackers also intentionally use older, previously registered website names rather than creating brand-new ones. This strategy helps them bypass automated security filters that usually block newly registered domains.
MITRE ATT&CK mapping: Tactic: Command and Control | Technique: Protocol Tunneling | ID: T1572 | Implementation: Data encoded in DNS subdomain queries
Other
1 technique
IOCs tracked for this family
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
A previously undocumented backdoor payload delivered in a campaign linked to Storm-1811/BlackBasta tradecraft. It is decrypted in memory after a malicious hostfxr.dll sideloads into a legitimate process, and its command-and-control traffic hides in DNS MX queries.
A0Backdoor is described as a newly observed backdoor/loader delivered via DLL sideloading after attackers gained remote access through Quick Assist. It uses a 55-hour time-based decryption window, requires a hidden Unicode space character in a command-line argument for correct decryption, checks for QEMU/VirtualBox/VMware artifacts to evade sandboxes, spawns junk threads to disrupt debuggers, and communicates with command-and-control infrastructure through DNS tunneling using MX record queries via public resolvers.
A0Backdoor is a backdoor delivered via socially engineered Quick Assist sessions and disguised MSI installers. It uses DLL sideloading through a malicious hostfxr.dll, performs anti-analysis checks including debugger disruption and virtual environment detection, fingerprints infected hosts, and communicates with operators via DNS tunneling and DNS MX record queries using high-entropy subdomains.