
A0Backdoor Malware Deployed via Microsoft Teams Phishing Campaign

1 unique source, 1 article

Summary


A phishing campaign targeting employees at financial and healthcare organizations uses Microsoft Teams to trick victims into granting remote access via Quick Assist. The attackers deploy a new malware strain called A0Backdoor, which employs sophisticated techniques to evade detection and maintain persistence. The campaign is linked to the BlackBasta ransomware group, but with new TTPs including digitally signed MSI installers and DNS MX-based C2 communication. The attackers use social engineering to gain trust, masquerading as IT staff and instructing victims to initiate a Quick Assist session. Once access is granted, they deploy malicious MSI files that mimic legitimate Microsoft components, using DLL sideloading to execute the A0Backdoor payload. The malware performs sandbox detection, collects host information, and communicates with C2 servers via DNS MX queries.
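As an added defender-side example (not code from the source article or the researchers it cites), a detection heuristic over constructed DNS query logs for the DNS MX-based C2 pattern described above: ordinary endpoints have little reason to issue MX lookups at all, and encoded host metadata shows up as long, high-entropy leftmost labels repeated against one parent domain. The log format, client addresses, mail-server allowlist and the c2-placeholder.invalid domain are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log in a simplified "timestamp client qtype qname"
# format (an assumption for this example, not any product's real log format).
SAMPLE_LOG = """\
2026-03-10T00:50:01Z 10.0.5.21 A teams.microsoft.com
2026-03-10T00:50:02Z 10.0.5.21 MX 6e7a3f1c9b2d4e8a5f0c1b3d7e9a2c4f.c2-placeholder.invalid
2026-03-10T00:50:03Z 10.0.5.21 MX a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-placeholder.invalid
2026-03-10T00:50:04Z 10.0.5.21 MX 0f9e8d7c6b5a43210f1e2d3c4b5a6978.c2-placeholder.invalid
2026-03-10T00:50:05Z 10.0.9.7 MX mail.example.org
2026-03-10T00:50:06Z 10.0.5.22 A www.example.org
"""

# Hosts expected to issue MX lookups (mail relays); an assumption for this example.
KNOWN_MAIL_SERVERS = {"10.0.9.7"}


def shannon_entropy(label: str) -> float:
    """Bits per character: encoded data scores high, dictionary words score low."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def looks_encoded(label: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """A leftmost label that carries encoded host metadata is long and high-entropy."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def flag_mx_beacons(log_text: str, min_queries: int = 3) -> list:
    """Group MX queries per (client, parent domain); report clusters from hosts that are
    not mail servers where every leftmost label looks like encoded data."""
    clusters = defaultdict(lambda: {"queries": 0, "encoded": 0})
    for line in log_text.strip().splitlines():
        _ts, client, qtype, qname = line.split()
        if qtype != "MX" or client in KNOWN_MAIL_SERVERS:
            continue
        labels = qname.rstrip(".").split(".")
        parent = ".".join(labels[-2:])  # registrable-domain approximation (assumption)
        clusters[(client, parent)]["queries"] += 1
        clusters[(client, parent)]["encoded"] += int(looks_encoded(labels[0]))
    return [
        {"client": c, "domain": d, **v}
        for (c, d), v in clusters.items()
        if v["queries"] >= min_queries and v["encoded"] == v["queries"]
    ]
```

On the constructed log, `flag_mx_beacons(SAMPLE_LOG)` reports the single workstation cluster of three encoded MX queries and ignores the mail relay's legitimate MX lookup; in production the allowlist and thresholds should be tuned against a baseline of the environment's normal MX query volume.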

Timeline

  1. 10.03.2026 00:50 · 1 article

    A0Backdoor Malware Deployed via Microsoft Teams Phishing Campaign

Information Snippets

  • Attackers use social engineering over Microsoft Teams to gain trust and instruct victims to start a Quick Assist remote session.

    First reported: 10.03.2026 00:50
    1 source, 1 article
  • Malicious MSI files are hosted in a personal Microsoft cloud storage account and masquerade as legitimate Microsoft Teams components and CrossDeviceService.

    First reported: 10.03.2026 00:50
    1 source, 1 article
  • The malware uses DLL sideloading with legitimate Microsoft binaries to deploy a malicious library (hostfxr.dll) that decrypts into shellcode.

    First reported: 10.03.2026 00:50
    1 source, 1 article
  • The shellcode performs sandbox detection and generates a SHA-256-derived key to decrypt the A0Backdoor payload.

    First reported: 10.03.2026 00:50
    1 source, 1 article
  • A0Backdoor uses Windows API calls to collect host information and communicates with C2 servers via DNS MX queries with encoded metadata.

    First reported: 10.03.2026 00:50
    1 source, 1 article
  • The campaign targets a financial institution in Canada and a global healthcare organization.

    First reported: 10.03.2026 00:50
    1 source, 1 article
  • Researchers assess with moderate-to-high confidence that the campaign is an evolution of BlackBasta ransomware group tactics.

    First reported: 10.03.2026 00:50
    1 source, 1 article