A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware Activity
Summary
The A0Backdoor malware was deployed on Windows endpoints through digitally signed MSI installers and DLL sideloading, giving the operators a stealthier path to execute code and hide command traffic. It uses sandbox detection and host fingerprinting before reaching out through DNS MX-based C2. That matters because the blend of trusted Microsoft components, in-memory execution, and DNS camouflage can make the malware harder to spot and block.
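The DNS MX channel described above is detectable from resolver logs because ordinary workstations almost never issue MX queries (only mail relays do), and data-carrying C2 names tend to have long, high-entropy leftmost labels. The following detection logic is an added example, not code from the report or from the malware's authors: the log format, the mail-server allowlist, and the thresholds are all assumptions, and the log lines are constructed sample data.

```python
"""Added detection example (not from the original report): flag non-mail hosts
issuing DNS MX queries, and MX query names whose leftmost label looks like
encoded data. Log format, allowlist and thresholds are assumptions."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# "<timestamp> <client-ip> <qtype> <qname>". Not real data.
SAMPLE_LOG = """\
2026-03-09T10:00:01Z 10.1.20.15 A  www.example.com
2026-03-09T10:00:05Z 10.1.20.15 MX a8f3c2e1b7d4.lookup.example.net
2026-03-09T10:00:09Z 10.1.20.15 MX 4c1e9a0bd2f7.lookup.example.net
2026-03-09T10:00:13Z 10.1.20.15 MX b0e7d5a9c3f1.lookup.example.net
2026-03-09T10:00:17Z 10.1.20.15 MX 9d2a6e4f0b8c.lookup.example.net
2026-03-09T10:00:20Z 10.1.20.42 A  intranet.example.com
2026-03-09T10:00:22Z 10.1.20.42 MX example.org
2026-03-09T10:01:00Z 10.1.5.10  MX partner.example.com
2026-03-09T10:01:01Z 10.1.5.10  MX another.example.com
2026-03-09T10:01:02Z 10.1.5.10  MX third.example.com
"""

# Assumption: hosts that legitimately resolve MX records (mail relays).
MAIL_SERVERS = {"10.1.5.10"}
# Assumption: thresholds tuned for a workstation population; adjust per site.
MX_COUNT_THRESHOLD = 3
LABEL_LEN_THRESHOLD = 10
LABEL_ENTROPY_THRESHOLD = 3.0

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log_text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, qtype, qname = m.groups()
            yield {"ts": ts, "client": client, "qtype": qtype.upper(),
                   "qname": qname.lower().rstrip(".")}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(qname):
    """True when the leftmost label is long and high-entropy (hex/base32-like)."""
    label = qname.split(".")[0]
    return (len(label) >= LABEL_LEN_THRESHOLD
            and shannon_entropy(label) >= LABEL_ENTROPY_THRESHOLD)


def detect_mx_c2(log_text):
    """Return one alert per non-mail client that issues many MX queries
    or any MX query with an encoded-looking leftmost label."""
    mx_by_client = defaultdict(list)
    for rec in parse(log_text):
        if rec["qtype"] == "MX" and rec["client"] not in MAIL_SERVERS:
            mx_by_client[rec["client"]].append(rec["qname"])
    alerts = []
    for client, names in mx_by_client.items():
        encoded = [n for n in names if looks_encoded(n)]
        if len(names) >= MX_COUNT_THRESHOLD or encoded:
            alerts.append({"client": client, "mx_queries": len(names),
                           "encoded_names": encoded})
    return alerts


if __name__ == "__main__":
    for alert in detect_mx_c2(SAMPLE_LOG):
        print(alert)
```

Against the constructed log this flags only 10.1.20.15 (four MX queries, all with hex-like labels); the single MX lookup from 10.1.20.42 stays below threshold and the mail relay is allowlisted. In production, feed it the MX subset of your resolver or Zeek dns.log and tune the allowlist before alerting.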
Related Happenings
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware Activity
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Storm-2561 fake enterprise VPN Hyrax infostealer activity
Malware Activity
First: 13.03.2026 15:23
Last: 13.03.2026 15:23
Sources 1
About this happening:
A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...
BlackSanta EDR killer malware activity targeting HR departments
Malware Activity
First: 11.03.2026 00:57
Last: 11.03.2026 00:57
Sources 1
About this happening:
The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...
Timeline
10.03.2026 00:50 · 2 articles
A0Backdoor campaign disclosed
Initial Disclosure
Threat actors targeted employees at financial and healthcare organizations by flooding inboxes with spam, then contacting them over Microsoft Teams as apparent IT staff and persuading them to start Quick Assist remote sessions so they could deploy A0Backdoor through digitally signed MSI installers, DLL sideloading with hostfxr.dll, and DNS MX-based command-and-control. BlueVoyant identified two targets as a financial institution in Canada and a global healthcare organization, and assessed the activity as an evolution of BlackBasta TTPs with new use of signed MSIs, malicious DLLs, A0Backdoor, and DNS MX traffic.
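The hostfxr.dll sideloading described above relies on a specific on-disk layout: a legitimately signed .NET host executable with a non-Microsoft hostfxr.dll beside it. The following hunting rule is an added example, not code from the report: it assumes an inventory of hostfxr.dll copies and neighbouring executables with their Authenticode signer has already been collected (for example from an EDR export), assumes the sideloaded DLL is not Microsoft-signed, and uses constructed paths and signers.

```python
"""Added hunting example (not from the original report): flag hostfxr.dll
copies that are not Microsoft-signed, rating the hit higher when a
Microsoft-signed .exe sits in the same directory (the sideloading layout).
Inventory rows, signer names and the trusted-signer string are assumptions."""
import ntpath
from collections import defaultdict

# Constructed inventory rows: (path, signer or None when unsigned). Not real data.
# Assumption: the signer column came from a prior signature check.
INVENTORY = [
    (r"C:\Program Files\dotnet\host\fxr\8.0.3\hostfxr.dll", "Microsoft Corporation"),
    (r"C:\Program Files\Vendor\Tool\tool.exe", "Microsoft Corporation"),
    (r"C:\Program Files\Vendor\Tool\hostfxr.dll", "Microsoft Corporation"),
    (r"C:\Users\alice\AppData\Local\Temp\Update\updater.exe", "Microsoft Corporation"),
    (r"C:\Users\alice\AppData\Local\Temp\Update\hostfxr.dll", None),
    (r"C:\Users\bob\Downloads\setup\app.exe", "Example Software LLC"),
    (r"C:\Users\bob\Downloads\setup\hostfxr.dll", "Example Software LLC"),
]

# Assumption: the only signer expected on a legitimate hostfxr.dll.
TRUSTED_SIGNER = "microsoft corporation"


def find_sideload_candidates(inventory):
    """Group files by directory, then report every hostfxr.dll whose signer is
    not the trusted one. Severity is 'high' when the same directory holds a
    trusted-signed .exe (a signed host that would load the DLL), else 'medium'."""
    by_dir = defaultdict(list)
    for path, signer in inventory:
        directory, name = ntpath.split(path)
        by_dir[directory.lower()].append((name.lower(), signer))

    hits = []
    for directory, entries in by_dir.items():
        signed_exes = [n for n, s in entries
                       if n.endswith(".exe") and s and s.lower() == TRUSTED_SIGNER]
        for name, signer in entries:
            if name != "hostfxr.dll":
                continue
            if (signer or "").lower() == TRUSTED_SIGNER:
                continue  # self-contained .NET apps legitimately ship this file
            hits.append({
                "dir": directory,
                "dll_signer": signer,
                "signed_host_exes": signed_exes,
                "severity": "high" if signed_exes else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(INVENTORY):
        print(hit)
```

On the constructed inventory this yields two hits: the unsigned hostfxr.dll next to a Microsoft-signed updater.exe in a Temp directory (high) and a third-party-signed copy with no trusted host beside it (medium). The global dotnet install and the vendor tool that ships a Microsoft-signed hostfxr.dll are left alone, which keeps the rule usable on fleets with many self-contained .NET applications.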
Sources
- Microsoft Teams phishing targets employees with backdoors — www.bleepingcomputer.com — 10.03.2026 00:50