Hackers are impersonating IT staff in Microsoft Teams to trick employees into installing malware, giving attackers stealthy access to corporate networks.
Microsoft Teams impersonation and social engineering tactics are being used in an ongoing campaign to deliver a stealthy malware payload known as A0Backdoor.
Researchers at BlueVoyant report that the operation combines social engineering techniques, malicious installers, and covert command-and-control (C2) communications to gain persistent access within targeted networks.
“The malware’s loader exhibits anti-sandbox evasion, and the campaign’s command-and-control appears to have pivoted to a covert DNS mail exchange-based channel that confines endpoint traffic to trusted recursive resolvers,” the researchers said.
The activity appears to primarily target organizations in sectors such as finance and healthcare and closely aligns with tactics previously associated with the threat actor cluster Blitz Brigantine, also tracked as Storm-1811.
This group is linked to ransomware operations such as Black Basta and Cactus and is known for using social engineering to gain initial access before deploying malware or launching follow-on ransomware attacks. In this campaign, attackers first gain access through social engineering, impersonating internal IT personnel.
After convincing victims to grant access — often through remote support tools such as Quick Assist — the attackers deploy malicious MSI installer packages designed to appear as legitimate Teams-related software updates. These installers frequently use names such as Update.msi or UpdateFX.msi and are crafted to blend into normal enterprise workflows.
Once executed, the installers drop files into directories commonly associated with Microsoft services, including locations tied to Teams add-ins or cross-device functionality.
The packages typically include a mix of legitimate Microsoft-signed binaries alongside attacker-controlled DLL files. This combination enables a technique known as DLL sideloading, in which a trusted application loads a malicious library from the same directory, allowing attacker code to execute while appearing to originate from a legitimate Microsoft component.
At the center of the infection chain is a malicious DLL named hostfxr.dll, which impersonates a legitimate Microsoft .NET hosting component. Instead of performing its expected function, this DLL acts as a loader that decrypts and executes hidden malware embedded in the file.
The malicious version is designed to closely resemble the legitimate component in order to evade suspicion while being loaded by a trusted executable.
The loader incorporates several anti-analysis techniques intended to slow or disrupt security investigations.
One example involves repeatedly invoking the Windows CreateThread API to generate a large number of threads. While this behavior has little effect during normal execution, it can overwhelm debugging tools and slow down dynamic analysis, sometimes even causing debugging environments to crash.
The malicious DLL also contains encrypted payload data embedded in its .data section. During execution, the loader decrypts this data using a custom algorithm that derives its key from the ASCII string crossdeviceservice.exe, which corresponds to the name of the legitimate executable used in the sideloading chain.
Once decrypted, the payload is written to memory and executed as shellcode. This shellcode introduces additional layers of obfuscation and control logic. Many of its strings and functional components remain encrypted until runtime, preventing analysts from identifying its behavior through static analysis.
The shellcode first creates a mutex tied to the executing binary to ensure that only one instance of the malware runs on a system at any given time. The malware also incorporates a time-based execution mechanism. It calculates the current system time and divides it into execution windows lasting roughly 55 hours.
If the malware runs outside the expected time slot, the cryptographic values used to decrypt the payload change, preventing the embedded malware from executing successfully. This technique helps reduce the likelihood that researchers or automated analysis systems will trigger the payload.
In addition, the shellcode attempts to detect sandbox or virtualized environments. It queries system firmware tables and searches for indicators such as QEMU, a virtualization platform used in analysis environments. If such indicators are detected, the malware modifies its key-generation logic, preventing successful payload decryption and effectively hiding its true functionality.
Once these checks are completed, the shellcode decrypts and executes the final payload, A0Backdoor.
The A0Backdoor itself is designed to operate stealthily after execution. Like earlier stages of the infection chain, it decrypts its core functionality only in memory, helping to conceal its behavior from traditional security scanning.
Once active, the backdoor begins fingerprinting the compromised system by collecting identifying information using Windows APIs such as GetComputerNameW, GetUserNameExW, and DeviceIoControl.
This data allows the attackers to uniquely identify infected systems. Instead of establishing direct connections to attacker infrastructure, the malware uses a covert DNS tunneling technique for command-and-control (C2) communication.
The infected host sends specially crafted DNS queries containing encoded system metadata to public DNS resolvers. Those resolvers then query attacker-controlled authoritative DNS servers on behalf of the infected system.
The attackers respond with DNS MX records that contain encoded command data embedded within the hostname field. The malware extracts and decodes this data to receive instructions from the operators.
Because the infected endpoint only communicates with trusted public DNS resolvers rather than directly contacting attacker infrastructure, the activity can blend into normal network traffic. This indirect communication method makes the C2 channel harder for defenders to detect.
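Because the endpoint only ever talks to a trusted recursive resolver, the place to look is the resolver's own query log rather than the firewall: MX lookups whose leftmost labels are long and high-entropy, MX answers whose exchange hostnames look the same way, and one client issuing a burst of MX queries to a single registered domain. The detector below is an added example, not BlueVoyant's detection content; the log line format (timestamp, client, query type, name, optional answer hostname), the entropy and volume thresholds, and the sample lines with their domain are all constructed.

```python
"""Flag DNS MX traffic that looks like an encoded command channel.

Added example, not BlueVoyant's detection content. Runs over constructed
resolver log lines in an assumed format:
    <timestamp> <client-ip> <qtype> <qname> [<answer-hostname>]
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores well above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name: str) -> str:
    # Naive last-two-labels split; production code should use a public-suffix list.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(name: str) -> str:
    """Everything left of the registered domain, labels joined together."""
    labels = name.rstrip(".").split(".")
    return "".join(labels[:-2])


def suspicious_mx(qname: str, answer: str = "", min_len: int = 20,
                  min_entropy: float = 3.5) -> list[str]:
    reasons = []
    sub = subdomain_part(qname)
    if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
        reasons.append("MX query name carries long high-entropy labels")
    ans = subdomain_part(answer) if answer else ""
    if len(ans) >= min_len and shannon_entropy(ans) >= min_entropy:
        reasons.append("MX answer hostname carries long high-entropy labels")
    return reasons


def analyze(lines: list[str], per_host_threshold: int = 5) -> list[dict]:
    """Return per-query findings plus a volume finding per (client, domain) burst."""
    findings = []
    mx_counts = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        ts, client, qtype, qname = parts[:4]
        answer = parts[4] if len(parts) > 4 else ""
        if qtype != "MX":
            continue
        mx_counts[(client, registered_domain(qname))] += 1
        reasons = suspicious_mx(qname, answer)
        if reasons:
            findings.append({"kind": "query", "ts": ts, "client": client,
                             "qname": qname, "reasons": reasons})
    for (client, domain), n in mx_counts.items():
        if n >= per_host_threshold:
            findings.append({"kind": "volume", "client": client, "domain": domain,
                             "count": n,
                             "reasons": [f"{n} MX queries to one domain from one client"]})
    return findings


# Constructed sample log: one host sends five data-bearing MX queries to a
# placeholder domain; two ordinary lookups from another host are benign.
SAMPLE_LOG = [
    "2024-05-02T10:01:03Z 10.0.4.21 MX k7q2mzbx3ysnap4r.vcwh6etgjd5oflui.c2-example.invalid "
    "mx.tq8u4zv9e1bnyc.ca7rp0jw3sdxh6.c2-example.invalid",
    "2024-05-02T10:01:09Z 10.0.4.21 MX vcwh6etgjd5oflui.k7q2mzbx3ysnap4r.c2-example.invalid",
    "2024-05-02T10:01:15Z 10.0.4.21 MX 3ysnap4rk7q2mzbx.d5ofluivcwh6etgj.c2-example.invalid",
    "2024-05-02T10:01:21Z 10.0.4.21 MX etgjd5oflui.vcwh6.k7q2mzbx3ysnap4r.c2-example.invalid",
    "2024-05-02T10:01:27Z 10.0.4.21 MX ap4rk7q2mzbx3ysn.fluivcwh6etgjd5o.c2-example.invalid",
    "2024-05-02T10:01:30Z 10.0.4.22 A www.example.com",
    "2024-05-02T10:01:31Z 10.0.4.22 MX example.com mail.example.com",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["kind"], f.get("qname", f.get("domain")), "; ".join(f["reasons"]))
```

Entropy alone will also catch legitimate CDN or anti-spam hostnames, so the volume rule and the restriction to MX (a record type most workstations have no reason to request) are what keep the alert rate usable; a per-domain allow-list for known mail providers is the usual next refinement.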
Organizations can reduce the risk from these campaigns by strengthening security controls across endpoints, collaboration platforms, and network monitoring.
Together, these measures help organizations strengthen operational resilience, detect suspicious activity earlier, and limit the potential blast radius if an attacker gains access.
This article originally appeared on our sister website, eSecurityPlanet.