Find notable cyber news and cases, enriched with sources, timelines, and signals.

A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The A0Backdoor malware was deployed on Windows endpoints through digitally signed MSI installers and DLL sideloading, giving the operators a stealthier path to execute code and hide command traffic. It uses sandbox detection and host fingerprinting before reaching out through DNS MX-based C2. That matters because the blend of trusted Microsoft components, in-memory execution, and DNS camouflage can make the malware harder to spot and block.

Related Happenings

AI-assisted EDR-evasion malware development lab

Malware Activity
H score12 First: 02.06.2026 14:00 Last: 02.06.2026 14:00 Sources 1

About this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...

Node-ipc malicious versions with stealer/backdoor payload

Malware Activity
H score34 First: 14.05.2026 20:22 Last: 14.05.2026 20:22 Sources 1

About this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...

DRILLAPP JavaScript backdoor through Microsoft Edge

Malware Activity
H score24 First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
H score37 First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

Storm-2561 fake enterprise VPN Hyrax infostealer activity

Malware Activity
H score29 First: 13.03.2026 15:23 Last: 13.03.2026 15:23 Sources 1

About this happening: A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...

Timeline

  1. 10.03.2026 00:50 2 articles · 4mo ago

    A0Backdoor campaign disclosed

    Initial Disclosure

    Threat actors targeted employees at financial and healthcare organizations by flooding inboxes with spam, then contacting them over Microsoft Teams as apparent IT staff and persuading them to start Quick Assist remote sessions so they could deploy A0Backdoor through digitally signed MSI installers, DLL sideloading with hostfxr.dll, and DNS MX-based command-and-control. BlueVoyant identified two targets as a financial institution in Canada and a global healthcare organization, and assessed the activity as an evolution of BlackBasta TTPs with new use of signed MSIs, malicious DLLs, A0Backdoor, and DNS MX traffic.

    Show sources