A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware Activity
Summary
Hide ▲
Show ▼
The A0Backdoor malware was deployed on Windows endpoints through digitally signed MSI installers and DLL sideloading, giving the operators a stealthier path to execute code and hide command traffic. It uses sandbox detection and host fingerprinting before reaching out through DNS MX-based C2. That matters because the blend of trusted Microsoft components, in-memory execution, and DNS camouflage can make the malware harder to spot and block.
Related Happenings
AI-assisted EDR-evasion malware development lab
Malware Activity
H score12
First: 02.06.2026 14:00
Last: 02.06.2026 14:00
Sources 1
About this happening:
A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
AI-assisted EDR-evasion malware development lab
Malware ActivityAbout this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
H score34
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Node-ipc malicious versions with stealer/backdoor payload
Malware ActivityAbout this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware Activity
H score24
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware ActivityAbout this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
H score37
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Storm-2561 SEO-poisoning VPN credential-theft campaign
CampaignAbout this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Storm-2561 fake enterprise VPN Hyrax infostealer activity
Malware Activity
H score29
First: 13.03.2026 15:23
Last: 13.03.2026 15:23
Sources 1
About this happening:
A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...
Storm-2561 fake enterprise VPN Hyrax infostealer activity
Malware ActivityAbout this happening: A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...
Timeline
-
10.03.2026 00:50 2 articles · 4mo ago
A0Backdoor campaign disclosed
Initial DisclosureThreat actors targeted employees at financial and healthcare organizations by flooding inboxes with spam, then contacting them over Microsoft Teams as apparent IT staff and persuading them to start Quick Assist remote sessions so they could deploy A0Backdoor through digitally signed MSI installers, DLL sideloading with hostfxr.dll, and DNS MX-based command-and-control. BlueVoyant identified two targets as a financial institution in Canada and a global healthcare organization, and assessed the activity as an evolution of BlackBasta TTPs with new use of signed MSIs, malicious DLLs, A0Backdoor, and DNS MX traffic.
Show sources
- Microsoft Teams phishing targets employees with backdoors — www.bleepingcomputer.com — 10.03.2026 00:50
- Microsoft Teams phishing targets employees with backdoors — www.bleepingcomputer.com — 10.03.2026 00:50