- Attackers Combine Spam Floods with Fake IT Support
- Victims tricked into Quick Assist sessions that deploy A0Backdoor
- Malware allows full account takeover and remote code execution
Experts have warned that cybercriminals are using a new combination of spam and IT support impersonation to deploy malware and take over corporate devices.
Security researchers at BlueVoyant discovered that cybercriminals began their attack by flooding their victims' email inboxes with spam. Not long after, they would contact that victim and claim to be an IT support technician tasked with resolving the spam issue.
They would then ask the victim to start a remote Quick Assist session, through which they would gain temporary access to the target computer. There, under the pretext of “solving the spam problem,” they would deploy malware called A0Backdoor.
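The sequence described above (an inbox flood followed by a Quick Assist session for the same user) can be turned into a correlation rule. The following is an added example, not code from BlueVoyant or the article; the thresholds, the event tuple layout and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST_COUNT = 50                      # assumed: inbound mails that count as a flood
BURST_WINDOW = timedelta(minutes=30)  # assumed: span in which they must arrive
FOLLOW_UP = timedelta(hours=4)        # assumed: how long after a flood a session is suspicious

def flood_times(mail_events):
    """Per user, the arrival times at which BURST_COUNT mails fit inside BURST_WINDOW."""
    per_user = defaultdict(list)
    for when, user in mail_events:
        per_user[user].append(when)
    floods = defaultdict(list)
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:  # slide the window forward
                start += 1
            if end - start + 1 >= BURST_COUNT:
                floods[user].append(t)
    return floods

def correlate(mail_events, process_events):
    """Return (user, session_start, flood_time) for Quick Assist launches after a flood."""
    floods = flood_times(mail_events)
    alerts = []
    for when, user, image in sorted(process_events):
        if image.lower().rsplit("\\", 1)[-1] != "quickassist.exe":
            continue
        prior = [f for f in floods.get(user, [])
                 if timedelta(0) <= when - f <= FOLLOW_UP]
        if prior:
            alerts.append((user, when, prior[0]))
    return alerts

# Constructed sample telemetry: (time, recipient) and (time, user, process image).
base = datetime.fromisoformat("2025-03-03T09:00:00")
MAIL = [(base + timedelta(seconds=20 * i), "alice") for i in range(60)]  # 60 mails in 20 min
MAIL += [(base + timedelta(minutes=30 * i), "bob") for i in range(10)]   # ordinary volume
PROCS = [
    (base + timedelta(minutes=50), "alice", r"C:\Windows\System32\QuickAssist.exe"),
    (base + timedelta(minutes=55), "bob", r"C:\Windows\System32\QuickAssist.exe"),
    (base + timedelta(minutes=5), "alice", r"C:\Windows\System32\notepad.exe"),
]
ALERTS = correlate(MAIL, PROCS)  # only alice's session follows a flood
```

In practice the mail events would come from the mail gateway's message trace and the process events from endpoint telemetry, keyed on the same user identity.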
Has Black Basta returned?
Impersonating components of Microsoft Teams and CrossDeviceService, the malware is deployed and activated by downloading DLLs.
The result is full account takeover, giving attackers remote code execution (RCE) capabilities. That means they can execute arbitrary commands and scripts, download and execute additional malware, steal data, and move laterally or deeper through the network. Finally, they can maintain long-term persistence and access or turn the device into a relay for future attacks.
Attribution is relatively difficult, so we can't know for sure who is behind the attacks, but according to Cybersecurity News, the activity “overlaps with tactics previously linked to Blitz Brigantine,” a group also known as Storm-1811. This is a financially motivated threat actor that Microsoft previously linked to Black Basta.
For those with shorter memory spans, Black Basta used to be one of the most notorious ransomware gangs, but the group effectively ceased operations and went silent in early 2025.
So far, the group has attacked two victims: a financial institution in Canada and a global health organization. Names have not yet been shared and the group has not publicly claimed responsibility for the attacks.
Via BleepingComputer






