- Attackers combine spam floods with bogus IT support
- Victims are tricked into Quick Assist sessions that are used to deploy A0Backdoor
- Malware enables full account takeover and remote code execution
Cybercriminals are using a new combination of spam and IT support impersonation to deploy malware and take over corporate devices, experts have warned.
Security researchers at BlueVoyant found that cybercriminals would launch their attacks by flooding their victims’ email inboxes with spam. Not long after, they would reach out to the victim and claim to be an IT support technician tasked with solving the spam problem.
Then they would ask the victim to start a Quick Assist remote session through which they would temporarily gain access to the target computer. There, under the guise of “solving the spam problem”, they would deploy a piece of malware called A0Backdoor.
Black Basta is back?
Posing as Microsoft Teams components and CrossDeviceService, the malware is deployed and activated using DLL sideloading.
The result is full account takeover, allowing attackers to perform remote code execution (RCE). This means they can run arbitrary commands or scripts, download and execute additional malware unabated, steal data freely, and move laterally or deeper through the network. Finally, they can maintain persistence and long-term access or turn the device into a relay for further attacks.
Attribution is relatively difficult, so we cannot know for sure who is behind the attacks, but according to Cyber Security News, the activity “overlaps with tactics previously associated with Blitz Brigantine,” a group also known as Storm-1811. This is a financially motivated threat actor that Microsoft previously linked to Black Basta.
For those with shorter memory spans, Black Basta used to be one of the most notorious ransomware gangs, but the group effectively ceased operations and went silent in early 2025.
So far, the group has hit two victims – a financial institution in Canada and a global health organization. The names have not yet been shared and the group has not publicly claimed responsibility for the attacks.
Via Bleeping Computer



