BlackBasta-Linked Actors Deploy New A0Backdoor via Microsoft Teams Social Engineering With DNS MX-Based C2

Threat actors linked to the dissolved BlackBasta ransomware operation are targeting employees at financial and healthcare organizations through Microsoft Teams social engineering to deploy a previously undocumented backdoor called A0Backdoor that hides its command-and-control communications inside DNS MX record queries.

The campaign, disclosed by BlueVoyant, has confirmed targets including a Canadian financial institution and a global healthcare organization. BlueVoyant assesses with moderate-to-high confidence that the activity represents an evolution of BlackBasta's tactics following the leak of the group's internal chat logs.

Social Engineering via Teams + Quick Assist

The attack begins with a deliberate two-stage social engineering approach:

  1. Email bombing — the attacker floods the target employee's inbox with spam
  2. Teams impersonation — the attacker contacts the victim over Microsoft Teams posing as internal IT staff, offering to help resolve the spam problem
  3. Quick Assist session — the victim is instructed to start a Quick Assist remote access session, granting the attacker direct control of their machine

Once connected, the attacker deploys malicious tooling hosted in a personal Microsoft cloud storage account — digitally signed MSI installers masquerading as Microsoft Teams components and CrossDeviceService, a legitimate Windows tool used by the Phone Link app.

DLL Sideloading and Multi-Stage Decryption

The infection chain uses legitimate Microsoft binaries to sideload a malicious library (hostfxr.dll) containing compressed or encrypted data:

  1. DLL sideloading via signed Microsoft binaries loads the malicious hostfxr.dll
  2. In-memory decryption converts the library's payload into shellcode
  3. Anti-analysis — excessive thread creation via CreateThread designed to crash debuggers without impacting normal execution
  4. Sandbox detection — the shellcode checks for analysis environments before proceeding
  5. AES decryption — a SHA-256-derived key extracts the A0Backdoor from the encrypted payload
  6. Self-relocation — the malware moves itself to a new memory region and decrypts its core routines

A0Backdoor: DNS MX Records as C2 Channel

The most notable capability is A0Backdoor's C2 communication method. Rather than using conventional HTTP/HTTPS callbacks or the more commonly monitored DNS TXT record tunneling, the malware encodes metadata into high-entropy subdomains of DNS MX queries sent to public recursive resolvers.

The DNS servers respond with MX records containing encoded command data. The malware extracts and decodes the leftmost label to recover commands and configuration, then executes accordingly.

This approach offers two evasion advantages: MX record traffic blends into normal email infrastructure DNS activity, and security tools tuned to detect TXT-based DNS tunneling will miss it entirely.

The backdoor also fingerprints the host using Windows API calls including DeviceIoControl, GetUserNameExW, and GetComputerNameW to collect system information before establishing C2 communication.

BlackBasta Evolution

While the campaign shares significant tactical overlaps with BlackBasta operations — particularly the Teams-based social engineering and Quick Assist abuse — BlueVoyant notes several new elements that represent an evolution:

  • Digitally signed MSI installers hosted in Microsoft cloud storage
  • Malicious DLL sideloading through legitimate Microsoft binaries
  • A0Backdoor as a previously unseen payload
  • DNS MX-based C2 replacing traditional communication channels

The emergence of new tooling following BlackBasta's dissolution suggests that former operators have regrouped and are actively developing upgraded capabilities.

Defender Recommendations

  • Restrict external Teams communications — limit inbound Teams messages from outside the organization or flag them with external sender warnings
  • Monitor Quick Assist usage — alert on Quick Assist sessions initiated after Teams conversations, particularly from non-IT users
  • Detect DNS MX anomalies — flag high-entropy subdomain patterns in DNS MX queries to public resolvers from endpoints that don't manage email infrastructure
  • Block unsigned DLL loading — monitor for DLL sideloading through legitimate Microsoft binaries, particularly hostfxr.dll loaded by CrossDeviceService or Teams-related executables
  • Audit MSI installations — flag digitally signed MSI files sourced from personal Microsoft cloud storage accounts rather than corporate deployment channels
  • Hunt for excessive thread creation — processes spawning anomalous numbers of threads may indicate anti-analysis techniques used by A0Backdoor
  • Educate employees on the email bomb + Teams rescue pattern — this specific social engineering sequence is becoming a signature tactic and should be included in security awareness training
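As an added example, not code from BlueVoyant's report or from any tooling it describes, the following Python detector implements the "Detect DNS MX anomalies" recommendation above and mirrors the leftmost-label encoding described in the C2 section: it scans DNS query log lines for MX lookups from hosts outside the mail infrastructure whose leftmost label is long and high-entropy. The log format, client addresses, allowlist and thresholds are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the report).
# Assumed format per line: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.5.21 A teams.microsoft.com
2024-06-01T10:00:02Z 10.0.9.2 MX example.com
2024-06-01T10:00:03Z 10.0.5.21 MX q7x9k2m4p8v1w3z6.update-svc.net
2024-06-01T10:00:04Z 10.0.5.21 MX mail.partner.org
2024-06-01T10:00:05Z 10.0.5.22 MX 3f8a1c9e7b2d4a6c5e0f.cdn-sync.io
"""

# Assumed allowlist: hosts that legitimately issue MX lookups (mail relays).
MAIL_INFRA = {"10.0.9.2"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking (encoded) labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def leftmost_label(qname: str) -> str:
    """The label A0Backdoor-style tunnelling carries its data in."""
    return qname.rstrip(".").split(".")[0]


def suspicious_mx_queries(log_text: str, min_len: int = 12,
                          min_entropy: float = 3.5):
    """Return (client, qname, entropy) for MX queries from non-mail hosts
    whose leftmost label is long and high-entropy. Thresholds are assumed
    starting points and should be tuned against the local baseline."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the scan
        _ts, client, qtype, qname = parts
        if qtype != "MX" or client in MAIL_INFRA:
            continue
        label = leftmost_label(qname)
        ent = shannon_entropy(label)
        if len(label) >= min_len and ent >= min_entropy:
            hits.append((client, qname, round(ent, 2)))
    return hits


if __name__ == "__main__":
    for client, qname, ent in suspicious_mx_queries(SAMPLE_LOG):
        print(f"ALERT {client} MX {qname} entropy={ent}")
```

Short legitimate labels such as mail.partner.org fall below the length threshold, while the allowlisted relay's MX lookups are ignored regardless of entropy.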
