Attackers Impersonate IT Support on Microsoft Teams to Deploy A0Backdoor Malware
A new cyberattack campaign has targeted employees at financial and healthcare organizations by abusing Microsoft Teams and Windows Quick Assist to gain remote access to corporate systems. Researchers say attackers used social engineering and disguised malware installers to deploy a stealthy backdoor.
Security researchers at BlueVoyant reported that the attackers impersonated internal IT support staff and tricked victims into giving remote access to their computers.
Attackers Impersonate IT Support on Teams to Deploy Malware
According to BlueVoyant, attackers first flooded employees with spam emails. Shortly afterward, they contacted the same victims through Microsoft Teams while pretending to be IT support personnel offering assistance.
The attackers then instructed victims to start a remote session using Windows Quick Assist. Once the session began, the threat actors obtained full remote control of the victim’s machine.
Quick Assist is a legitimate Windows tool designed to allow remote troubleshooting. In this campaign, however, it served as the main entry point for attackers to install malware on compromised systems.
Malware disguised as Microsoft components
After gaining access, the attackers deployed malware known as A0Backdoor using digitally signed MSI installers. The malicious installers were hosted on a personal Microsoft cloud storage account to make them appear legitimate.
These installers were designed to masquerade as Microsoft Teams components and CrossDeviceService, a legitimate Windows tool used by the Phone Link application.
The attackers relied on a technique known as DLL sideloading. A legitimate Microsoft binary loads a malicious library named hostfxr.dll, which contains compressed or encrypted payload data.
When executed, the malicious DLL decrypts the payload into shellcode and runs it directly in memory, without ever writing it to disk. The shellcode is started on a separate thread via the CreateThread API, which makes stepping through the execution flow in a debugger, and static analysis in general, more difficult.
Encrypted payload and sandbox detection
Before activating fully, the malware performs sandbox detection to determine whether it is running inside a security analysis environment.
If the system appears to be a real victim rather than a sandbox, the malware derives an AES key from a SHA-256 hash and uses it to decrypt the A0Backdoor payload. The decrypted backdoor then relocates itself to a new memory region and unpacks its core components.
The backdoor also collects system information using several Windows API calls, including DeviceIoControl, GetUserNameExW, and GetComputerNameW. This information allows the attackers to fingerprint the infected machine and tell individual victims apart.
Command and control hidden in DNS traffic
Communication with the attacker infrastructure is hidden inside DNS traffic.
The malware sends DNS MX queries with encoded data embedded in high-entropy subdomains. The DNS responses include MX records that carry encoded command instructions.
Because the queries travel through the organization's own recursive resolvers, the infected host never needs a direct connection to the attacker's infrastructure; the attackers only need to control the authoritative name server for the domain. This lets the communication blend in with normal DNS activity and makes the malicious traffic harder to detect with network controls that only watch for outbound HTTP connections.
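The following is an added detection example, not code from the BlueVoyant report or from the malware itself. It applies the two observable properties described above, MX queries from workstations and high-entropy subdomains, to DNS query logs, and additionally checks whether the queries arrive at a fixed interval, which suggests a beacon. The log format (timestamp, client IP, query type, query name separated by whitespace), the sample lines, and the "last two labels form the registered domain" rule are assumptions made for the example; a production version should use the Public Suffix List and the field layout of your own resolver's logs.

```python
"""Hunt for DNS MX-based C2 beaconing in DNS query logs (added example)."""
import math
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real traffic). Format assumed for the example:
# "<ISO-8601 timestamp> <client ip> <qtype> <qname>". One workstation issues
# regular MX queries with long hex subdomains; the other hosts do ordinary lookups.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 MX mail.example.com
2024-05-01T10:00:02Z 10.0.0.15 A www.microsoft.com
2024-05-01T10:00:05Z 10.0.0.42 MX 7f3a9c2e1b8d4f6a0e5c3b7d9a1f2e4c.update.example.net
2024-05-01T10:00:35Z 10.0.0.42 MX c4e1b7d9f2a6e3c8b5d0a7f1e9c2b4d6.update.example.net
2024-05-01T10:01:05Z 10.0.0.42 MX a9d2f4b6e8c1a3d5f7b9e0c2a4d6f8b1.update.example.net
2024-05-01T10:01:35Z 10.0.0.42 MX e2c8a4f6b1d3e5c7a9f0b2d4e6c8a1f3.update.example.net
2024-05-01T10:02:00Z 10.0.0.7 MX gmail.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain labels, registered domain).

    Uses the last-two-labels heuristic, which is an assumption for this example;
    a real implementation should consult the Public Suffix List.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qtype, qname) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, parts[1], parts[2].upper(), parts[3]


def detect_mx_tunneling(text: str, min_entropy: float = 3.5, min_queries: int = 3):
    """Flag (client, registered domain) pairs that send at least min_queries MX
    queries whose highest-entropy subdomain label is >= min_entropy bits/char.

    Each finding reports the mean label entropy and the jitter of the gaps between
    queries (population stdev / mean); jitter near 0 means a fixed-interval beacon.
    """
    groups = defaultdict(list)
    for ts, client, qtype, qname in parse_log(text):
        if qtype != "MX":
            continue
        sub_labels, domain = split_name(qname)
        if not sub_labels:
            continue
        entropy = max(shannon_entropy(label) for label in sub_labels)
        if entropy >= min_entropy:
            groups[(client, domain)].append((ts, entropy))

    findings = []
    for (client, domain), hits in groups.items():
        if len(hits) < min_queries:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else None
        findings.append({
            "client": client,
            "domain": domain,
            "queries": len(hits),
            "mean_entropy": round(statistics.mean([e for _, e in hits]), 2),
            "interval_jitter": None if jitter is None else round(jitter, 2),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_mx_tunneling(SAMPLE_LOG):
        print(finding)
```

On the sample data only 10.0.0.42 is flagged: four MX queries to example.net with roughly 3.9 bits per character in the leftmost label and zero interval jitter. The legitimate MX lookups for mail.example.com and gmail.com fall below the entropy threshold or have no subdomain at all. Tune min_entropy and min_queries against a baseline of your own resolver logs before alerting on this; mail servers and security scanners also issue MX queries, but rarely with random-looking labels.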
Researchers confirmed two organizations targeted in the campaign. One victim was a financial institution in Canada, while another was a global healthcare organization.
BlueVoyant researchers believe the campaign may be linked to tactics previously used by the Black Basta ransomware group, which was widely believed to have disbanded. The email flood followed by a Teams call from a fake help desk matches the pattern attributed to that group.
Attackers increasingly abuse legitimate services
The campaign highlights a growing trend in cyberattacks where threat actors abuse legitimate software tools and trusted infrastructure instead of relying on obvious malware downloads.
Security researchers have recently observed attackers using legitimate code-signing certificates to distribute malware. Other campaigns have abused search platforms, including Bing AI results, to distribute fake installers such as malicious OpenClaw downloads, and threat actors have also been seen selling Remote Desktop exploits online.
Researchers recommend that organizations train employees to verify support requests received through messaging platforms and to carefully review any request to start a remote support session. A genuine help desk will not object to the employee hanging up and calling back through a known internal number before granting Quick Assist access. Organizations that do not use Quick Assist for support can also remove or block the tool, and security teams should treat a Quick Assist session that is followed by an MSI install or by unusual DNS MX traffic as a high-priority investigation.