A sophisticated social-engineering campaign is targeting financial and healthcare organizations by abusing trust in internal IT support channels and the Microsoft Teams collaboration platform. First detected in August 2025, the campaign floods victims with spam email before the attackers contact them on Microsoft Teams posing as helpdesk staff and convince them to grant remote access through Windows Quick Assist, a legitimate built-in remote support tool. The attackers then deploy a signed installer that abuses DLL sideloading to deliver A0Backdoor malware, showing how attackers increasingly leverage trusted tools to quietly infiltrate enterprise environments.
The A0Backdoor campaign primarily focuses on high-value personnel such as executives, senior managers, finance teams, legal staff, and other employees with access to sensitive corporate data in the financial services and healthcare sectors. The operation begins with an email bombing phase, in which the victim's inbox is flooded with harmless spam messages to create confusion and disrupt normal communication, providing cover for the subsequent Microsoft Teams-based social engineering attack.
Once Windows Quick Assist access is granted, attackers deploy malicious MSI installer packages hosted on Microsoft personal cloud storage using tokenized download links. These A0Backdoor installers are digitally signed with publicly trusted certificates (including certificates issued to MULTIMEDIOS CORDILLERANOS SRL) and employ DLL sideloading techniques where a legitimate executable, CrossDeviceService, unknowingly loads a malicious hostfxr.dll library. The A0Backdoor payload uses covert DNS tunneling, sending DNS MX queries containing encoded metadata to public resolvers like 1.1.1.1 and 8.8.8.8, allowing attackers to maintain persistent and stealthy control over compromised systems while blending in with normal network traffic.
Threat actors behind the A0Backdoor campaign have been approaching employees at financial and healthcare organizations through Microsoft Teams, posing as internal IT support to trick them into granting remote access via Windows Quick Assist. The deception ultimately leads to deployment of the newly identified A0Backdoor malware. The campaign typically begins with an email bombing phase, in which the victim's inbox is flooded with a large number of harmless spam messages to create confusion and disrupt normal communication.
Taking advantage of the chaos created by the email bombing, the attackers quickly contact the target through Microsoft Teams, offering to help resolve the email issue they themselves triggered. The operation primarily focuses on high-value personnel such as executives, senior managers, finance teams, legal staff, and other employees with access to sensitive corporate data.
During the Microsoft Teams interaction, victims are persuaded to launch Windows Quick Assist, a legitimate built-in remote support tool that allows screen sharing and device control. Once access is granted through Quick Assist, the attackers deploy malicious MSI installer packages hosted on Microsoft personal cloud storage using tokenized download links. The installers are created using Advanced Installer and disguised to resemble legitimate Microsoft components.
To appear trustworthy, the MSI files distributing A0Backdoor are digitally signed with publicly trusted certificates, including one issued to MULTIMEDIOS CORDILLERANOS SRL. The certificates appear to rotate periodically, likely to avoid revocation or detection by security controls.
Inside the installer, most bundled DLL files retain legitimate Microsoft signatures, helping the package look authentic. One key component, however, has been replaced: hostfxr.dll, a .NET hosting library normally signed by Microsoft, is swapped for a malicious version signed with the same non-Microsoft certificate as the installer. This enables a DLL sideloading technique in which a legitimate executable, CrossDeviceService, unknowingly loads the malicious library during execution.
The malicious hostfxr.dll contains encrypted payload data and employs several anti-analysis techniques, including excessive thread creation through the CreateThread API to disrupt debugging environments. After performing sandbox and timing checks, the shellcode decrypts and launches the final A0Backdoor payload.
Once active, A0Backdoor moves its code into a new memory region and decrypts its internal routines, including its command-and-control configuration. The malware then gathers system and user details using Windows APIs. For command-and-control communication, the A0Backdoor malware relies on a covert DNS tunneling technique, sending DNS MX queries containing encoded metadata within subdomains to trusted public resolvers like 1.1.1.1 and 8.8.8.8.
By embedding commands within DNS requests, the A0Backdoor malware can quietly receive instructions while blending in with normal network traffic, allowing attackers to maintain persistent and stealthy control over compromised systems. These traits closely resemble the activity patterns of Blitz Brigantine (Storm-1811 / STAC5777) and align with the Black Basta social-engineering playbook, and they suggest the group continues to refresh its tooling to better evade enterprise security defenses.
Disable Windows Quick Assist enterprise-wide where it is not operationally required. Where Quick Assist must remain available, enforce policies that restrict who can initiate and accept remote sessions, and log all Quick Assist connection events for SOC monitoring to detect A0Backdoor attack patterns.
Deploy immediate and targeted training emphasizing that the IT helpdesk will never initiate unsolicited contact via Microsoft Teams. Mandate that employees verify any unexpected IT contact through a secondary, pre-established channel such as a known helpdesk phone number before granting any form of remote access that could enable A0Backdoor deployment.
Deploy detection rules for unusually high volumes of DNS MX queries from endpoints, particularly those directed to public recursive resolvers (1.1.1.1, 8.8.8.8) with high-entropy subdomains. Standard workstations rarely generate MX record lookups; any such activity should trigger an alert for investigation as potential A0Backdoor command-and-control traffic.
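The detection rule described above, worked through as an added example that is not the report's own tooling: it runs over a few constructed DNS-resolver log lines, counts MX queries per endpoint, measures the Shannon entropy of the labels left of the registrable domain, and raises a high-severity alert only when a non-mail host sends many MX queries to a public resolver with high-entropy subdomains. The log format, the thresholds, the KNOWN_MAIL_HOSTS allow-list and the c2-placeholder.invalid domain are all assumptions; only the resolver IPs come from the report.

```python
"""
Detection pass for the DNS MX-query pattern described in the report, run over
constructed resolver log lines. Added example, not the report's own tooling.
Assumptions: a simple space-separated log format, the thresholds below, and
that hosts in KNOWN_MAIL_HOSTS are legitimately allowed to issue MX lookups.
"""
import math
from collections import Counter, defaultdict

# Resolver IPs the report names as the malware's C2 targets.
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8"}
# Assumed tuning values: a workstation almost never issues MX lookups, and
# encoded data pushes label entropy well above that of human-chosen names.
MX_COUNT_THRESHOLD = 5
ENTROPY_THRESHOLD = 3.5
KNOWN_MAIL_HOSTS = {"10.0.0.5"}  # assumed allow-list: the site's mail gateway

# Constructed log lines: "<time> <client_ip> <resolver_ip> <qtype> <qname>".
# The C2 domain below is a placeholder, not an indicator from the report.
SAMPLE_LOG = """\
12:00:01 10.0.0.23 1.1.1.1 MX k7x2qm9zp4wv8rn3tj6yb5hc.c2-placeholder.invalid
12:00:02 10.0.0.23 8.8.8.8 MX 3tj6yb5hck7x2qm9zp4wv8rn.c2-placeholder.invalid
12:00:03 10.0.0.23 1.1.1.1 MX p4wv8rn3tj6yb5hck7x2qm9z.c2-placeholder.invalid
12:00:04 10.0.0.23 8.8.8.8 MX qm9zp4wv8rn3tj6yb5hck7x2.c2-placeholder.invalid
12:00:05 10.0.0.23 1.1.1.1 MX yb5hck7x2qm9zp4wv8rn3tj6.c2-placeholder.invalid
12:00:06 10.0.0.23 8.8.8.8 MX 8rn3tj6yb5hck7x2qm9zp4wv.c2-placeholder.invalid
12:00:07 10.0.0.23 10.0.0.2 A intranet.corp.example
12:00:08 10.0.0.5 10.0.0.2 MX partner-one.example
12:00:09 10.0.0.5 10.0.0.2 MX partner-two.example
12:00:10 10.0.0.40 10.0.0.2 A intranet.corp.example
12:00:11 10.0.0.40 10.0.0.2 MX corp.example
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def encoded_part(qname: str) -> str:
    """Labels left of the registrable domain (assumed to be the last two labels)."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2])


def parse_line(line: str):
    """Split one log line into a record; malformed lines are skipped, not fatal."""
    fields = line.split()
    if len(fields) != 5:
        return None
    _, client, resolver, qtype, qname = fields
    return {"client": client, "resolver": resolver, "qtype": qtype.upper(), "qname": qname}


def analyze(log_text: str):
    """Return one alert dict per non-mail endpoint that issued any MX query, with a severity."""
    stats = defaultdict(lambda: {"mx_total": 0, "mx_public": 0, "high_entropy": 0, "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "MX" or rec["client"] in KNOWN_MAIL_HOSTS:
            continue
        s = stats[rec["client"]]
        s["mx_total"] += 1
        if rec["resolver"] in PUBLIC_RESOLVERS:
            s["mx_public"] += 1
        if shannon_entropy(encoded_part(rec["qname"])) >= ENTROPY_THRESHOLD:
            s["high_entropy"] += 1
            s["samples"].append(rec["qname"])
    alerts = []
    for client, s in stats.items():
        if s["mx_public"] and s["high_entropy"] and s["mx_total"] >= MX_COUNT_THRESHOLD:
            severity = "high"    # the combination the report describes
        elif s["mx_total"] >= MX_COUNT_THRESHOLD:
            severity = "medium"  # many MX lookups, but internal resolver and plain names
        else:
            severity = "low"     # workstations rarely issue MX lookups at all
        alerts.append({"client": client, "severity": severity, **s})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["severity"], alert["client"], alert["mx_total"], alert["samples"][:2])
```

In production the allow-list would be generated from the mail infrastructure inventory rather than hard-coded, and the entropy threshold should be tuned against a baseline of the organization's own DNS traffic; the point of the example is that volume, destination resolver and label entropy are checked together, so a legitimate MX burst from a known mail gateway does not page anyone.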
Create detection logic for CrossDeviceService.exe or similar legitimate Microsoft binaries loading DLLs (particularly hostfxr.dll) that are not signed by Microsoft. Hash-based or certificate-based validation of loaded libraries can identify A0Backdoor sideloading attempts in real time.
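The sideloading check described above, as an added example rather than the report's own detection content: it evaluates image-load records whose field names follow Sysmon Event ID 7 (Image loaded) and alerts when a watched host process loads a watched DLL that is unsigned, has an invalid signature, or is signed by a non-Microsoft publisher, unless the file hash is on a known-good list. The records, file paths and hash values are constructed placeholders; the process name, DLL name and the MULTIMEDIOS CORDILLERANOS SRL publisher string are the ones the report gives, and the Microsoft publisher allow-list is an assumption.

```python
"""
Image-load rule for the DLL sideloading pattern in the report. Added example,
not the report's tooling. Event dicts are constructed and use Sysmon Event ID 7
field names (Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus).
Paths and hashes are placeholders; watched names come from the report.
"""
import ntpath

WATCHED_HOST_PROCESSES = {"crossdeviceservice.exe"}  # from the report
WATCHED_DLLS = {"hostfxr.dll"}                        # from the report
# Assumed allow-list of publisher strings accepted as "signed by Microsoft".
MICROSOFT_PUBLISHERS = {"Microsoft Corporation", "Microsoft Windows"}
# Known-good hashes per DLL, to be filled from a gold image; placeholder value here.
KNOWN_GOOD_SHA256 = {"hostfxr.dll": {"PLACEHOLDER_KNOWN_GOOD_HOSTFXR_SHA256"}}

# Constructed records; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-08-20 09:14:02",
     "Image": r"C:\Placeholder\CrossDeviceService.exe",
     "ImageLoaded": r"C:\Placeholder\hostfxr.dll",
     "Hashes": "SHA256=PLACEHOLDER_KNOWN_GOOD_HOSTFXR_SHA256",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-08-20 09:31:47",
     "Image": r"C:\Placeholder\CrossDeviceService.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Placeholder\hostfxr.dll",
     "Hashes": "SHA256=PLACEHOLDER_UNKNOWN_HASH_1",
     "Signed": "true", "Signature": "MULTIMEDIOS CORDILLERANOS SRL", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-08-20 09:40:10",
     "Image": r"C:\Placeholder\CrossDeviceService.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\hostfxr.dll",
     "Hashes": "SHA256=PLACEHOLDER_UNKNOWN_HASH_2",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"UtcTime": "2025-08-20 09:41:00",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Hashes": "SHA256=PLACEHOLDER_UNKNOWN_HASH_3",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def parse_hashes(field: str) -> dict:
    """Turn 'SHA256=ab..,MD5=cd..' into {'SHA256': 'AB..', 'MD5': 'CD..'}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def evaluate(event: dict):
    """Return a reason string if this image-load event should alert, else None."""
    host = ntpath.basename(event.get("Image", "")).lower()
    dll = ntpath.basename(event.get("ImageLoaded", "")).lower()
    if host not in WATCHED_HOST_PROCESSES or dll not in WATCHED_DLLS:
        return None  # not a host/DLL pair this rule watches
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    good = {h.upper() for h in KNOWN_GOOD_SHA256.get(dll, set())}
    if sha256 and sha256 in good:
        return None  # hash allow-list: exact known-good build of the library
    loaded = event.get("ImageLoaded", "")
    if str(event.get("Signed", "")).lower() != "true":
        return f"{host} loaded unsigned {dll} from {loaded}"
    status = event.get("SignatureStatus", "")
    if status != "Valid":
        return f"{host} loaded {dll} with signature status {status} from {loaded}"
    publisher = event.get("Signature", "")
    if publisher not in MICROSOFT_PUBLISHERS:
        return f"{host} loaded {dll} signed by non-Microsoft publisher '{publisher}' from {loaded}"
    return None


def scan(events):
    """Return (time, reason) for every event that trips the rule."""
    hits = []
    for event in events:
        reason = evaluate(event)
        if reason:
            hits.append((event.get("UtcTime"), reason))
    return hits


if __name__ == "__main__":
    for when, reason in scan(SAMPLE_EVENTS):
        print(when, reason)
```

The hash allow-list is the stronger of the two checks the report mentions, because a publicly trusted but non-Microsoft certificate still yields SignatureStatus Valid, which is exactly what the replaced hostfxr.dll relies on; populate it from a known-good installation and treat the publisher check as the fallback for builds not yet inventoried.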
Implement policies that validate code-signing certificate chains before allowing MSI or DLL execution. Alert on execution of binaries signed with recently revoked certificates, as the A0Backdoor campaign relies on timestamped signatures that preserve trust even after revocation.
Segment networks to limit lateral movement following an initial compromise through remote access tools like Windows Quick Assist. Enforce least-privilege access and require multi-factor authentication for privileged actions, reducing the impact of compromised senior-level accounts targeted in A0Backdoor campaigns.
MITRE ATT&CK tactics observed: Initial Access, Execution, Persistence, Defense Evasion, Discovery, Command and Control, Resource Development, Impact.
Indicators of compromise: SHA256 hashes, domains.