

Ethical Hacking News

New Malware Campaign Exploits Microsoft Teams and DNS for Ransomware Encryption




A new campaign of malware attacks has been discovered, exploiting Microsoft Teams and DNS to deploy ransomware encryption. The attackers used social engineering techniques to trick employees into granting remote access and deploying a new piece of malware called A0Backdoor. The researchers at BlueVoyant assess that the campaign is an evolution of tactics associated with the BlackBasta ransomware gang, which has shifted its strategy towards more subtle methods. To prevent falling victim to this type of attack, it is essential for employees to be vigilant and for organizations to maintain robust security measures.

  • Hackers used Microsoft Teams phishing to trick employees into granting remote access through Quick Assist.
  • The attackers deployed a new piece of malware called A0Backdoor, which was digitally signed and hosted in a personal Microsoft cloud storage account.
  • The malware masqueraded as legitimate Microsoft components and used the DLL sideloading technique with legitimate binaries to evade analysis.
  • The A0Backdoor malware collected information about the host and fingerprinted it using Windows API calls.
  • The malware communicated with a command-and-control (C2) server through DNS MX queries, hiding its traffic in DNS traffic.



  • Microsoft Teams phishing targets employees with backdoors

    By Bill Toulas, March 9, 2026, 06:50 PM




    Hackers contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor.

    The attacker relies on social engineering to gain the employee's trust by first flooding their inbox with spam and then contacting them over Teams, pretending to be the company's IT staff, offering assistance with the unwanted messages.

    To obtain access to the target machine, the threat actor instructs the user to start a Quick Assist remote session, which is used to deploy a malicious toolset that includes digitally signed MSI installers hosted in a personal Microsoft cloud storage account.

    According to researchers at cybersecurity company BlueVoyant, the malicious MSI files masquerade as Microsoft Teams components and the CrossDeviceService, a legitimate Windows tool used by the Phone Link app.

    Using the DLL sideloading technique with legitimate Microsoft binaries, the attacker deploys a malicious library (hostfxr.dll) that contains compressed or encrypted data. Once loaded in memory, the library decrypts the data into shellcode and transfers execution to it.

    The researchers say that the malicious library also uses the CreateThread function to prevent analysis. BlueVoyant explains that excessive thread creation could cause a debugger to crash, but it does not have a significant impact under normal execution.

    The shellcode performs sandbox detection and then generates a SHA-256-derived key, which it uses to decrypt the AES-encrypted A0Backdoor payload.

    Researchers from BlueVoyant report that the malware relocates itself into a new memory region, decrypts its core routines, and relies on Windows API calls (e.g., DeviceIoControl, GetUserNameExW, and GetComputerNameW) to collect information about the host and fingerprint it.

    Communication with the command-and-control (C2) is hidden in DNS traffic, with the malware sending DNS MX queries with encoded metadata in high-entropy subdomains to public recursive resolvers. The DNS servers respond with MX records containing encoded command data.

    "The malware extracts and decodes the leftmost label to recover command/configuration data, then proceeds accordingly," explains BlueVoyant.

    "Using DNS MX records helps the traffic blend in and can evade controls tuned to detect TXT-based DNS tunneling, which may be more commonly monitored."
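As an added defender-side illustration (not code from the article or from BlueVoyant), the following Python scans constructed resolver log lines for the pattern described above: repeated MX queries whose leftmost label is long and high-entropy. The log format, the entropy and length thresholds, and the sample values are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log (not from the article). Assumed format:
# "<timestamp> <client> <qtype> <qname>", one query per line.
SAMPLE_DNS_LOG = """\
2026-03-09T18:01:02Z 10.0.0.12 MX mail.example.com
2026-03-09T18:01:05Z 10.0.0.12 A www.example.com
2026-03-09T18:01:09Z 10.0.0.33 MX q7x2kd9fz3mw8p1vb6hn4tcj5.updates.example.net
2026-03-09T18:01:11Z 10.0.0.33 MX z9p4m2kx7vq1lw8rd3fb6tn5h.updates.example.net
2026-03-09T18:01:14Z 10.0.0.33 MX k3v8n1qz5mx2pw7jd4fb9tl6h.updates.example.net
2026-03-09T18:02:00Z 10.0.0.12 TXT _dmarc.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a single DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def leftmost_label(qname: str) -> str:
    """The label the article says carries the encoded metadata."""
    return qname.rstrip(".").split(".")[0]


def find_suspicious_mx(log_text, min_len=16, min_entropy=3.5, min_queries=3):
    """Return {(client, parent_domain): count} for MX queries whose leftmost
    label is at least min_len chars and at least min_entropy bits/char,
    keeping only (client, parent) pairs seen min_queries or more times.
    Thresholds are assumed heuristics: human-chosen hostnames are usually
    short and below ~3 bits/char; encoded data is long and near-uniform.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, client, qtype, qname = m.groups()
        if qtype.upper() != "MX":
            continue  # only MX lookups matter for this C2 pattern
        label = leftmost_label(qname)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            parent = qname.rstrip(".").split(".", 1)[-1]
            hits[(client, parent)] += 1
    return {k: v for k, v in hits.items() if v >= min_queries}
```

A single high-entropy MX query can be benign, so the grouping by client and parent domain is what makes the alert useful; tune the thresholds against your own resolver logs before acting on hits.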

    BlueVoyant states that two of the targets of this campaign are a financial institution in Canada and a global healthcare organization.

    The researchers assess with moderate-to-high confidence that the campaign is an evolution of tactics, techniques and procedures associated with the BlackBasta ransomware gang, which has dissolved after the internal chat logs of the operation were leaked.

    While there are plenty of overlaps, BlueVoyant notes that the use of signed MSIs and malicious DLLs, the A0Backdoor payload, and using DNS MX-based C2 communication are new elements.

    The BlackBasta ransomware gang was known for its sophisticated tactics, including the use of malware with built-in backdoors to facilitate further exploitation. The recent campaign suggests a shift in the group's strategy, focusing on more subtle methods such as phishing and DNS-based C2 communication.

    This new campaign highlights the growing sophistication of malware threats and the need for organizations to maintain robust security measures, including regular software updates, employee training, and monitoring of network activity.

    To prevent falling victim to this type of attack, employees must be vigilant when receiving unsolicited messages or requests over email or team chat platforms, and should never grant remote access without verifying the authenticity of the request.

    Furthermore, organizations must keep their systems up to date with the latest security patches and consider additional controls such as email filtering, antivirus software, and intrusion detection systems to detect and prevent potential threats.

    As the threat landscape continues to evolve, it is crucial for organizations to stay informed about the latest malware campaigns and tactics employed by attackers. By doing so, they can better protect themselves against emerging threats and maintain their digital security posture.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Malware-Campaign-Exploits-Microsoft-Teams-and-DNS-for-Ransomware-Encryption-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-targets-employees-with-backdoors/

  • https://www.microsoft.com/en-us/security/blog/2025/10/07/disrupting-threats-targeting-microsoft-teams/

  • https://cyberpress.org/hackers-abuse-microsoft-teams/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a

  • https://www.wired.com/story/black-basta-ransomware-gang/


  • Published: Mon Mar 9 18:23:40 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.