Attackers combine spam floods with fake IT support

Victims tricked into Quick Assist sessions deploying A0Backdoor

Malware enables full account takeover and remote code execution

Cybercriminals are using a new combination of spam and IT support impersonation to deploy malware and take over corporate devices, experts have warned.

Security researchers at BlueVoyant found cybercriminals would start their attack by flooding their victim’s email inbox with spam. Not long after, they would reach out to that victim, claiming to be an IT support technician tasked with solving the spam problem.

Then, they would ask the victim to start a Quick Assist remote session, through which they temporarily gain access to the target computer. There, under the pretense of “solving the spam problem”, they would deploy a piece of malware called A0Backdoor.

Black Basta is back?

Masquerading as Microsoft Teams components and the CrossDeviceService, the malware is deployed and activated using DLL sideloading.

The result is full account takeover, giving attackers remote code execution (RCE) capabilities. That means they can run arbitrary commands or scripts, download and execute additional malware unabated, steal data freely, and move laterally, or deeper, throughout the network. Finally, they can maintain persistence and long-term access, or turn the device into a relay for further attacks.
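One way a defender can hunt for the chain described above (a Quick Assist session followed by a Teams or CrossDeviceService look-alike loading a DLL from a user-writable path) is shown below. This is an added example, not code from the article or from BlueVoyant; the event field names, the trusted install roots and the sample telemetry are all constructed assumptions.

```python
"""Flag DLL image loads into processes posing as Microsoft Teams or the
CrossDeviceService that come from outside trusted install roots shortly
after a Quick Assist session starts. Field names mirror Sysmon-style
process-create / image-load records (an assumption); adjust to your SIEM."""
from datetime import datetime, timedelta

# Assumed legitimate install roots (assumption; tune per environment).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
LOOKALIKE_PROCS = ("ms-teams.exe", "teams.exe", "crossdeviceservice.exe")
WINDOW = timedelta(hours=2)  # how long after Quick Assist start we correlate


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_suspicious_sideloads(events):
    """Return (time, process, dll) for look-alike processes loading a DLL
    from outside TRUSTED_ROOTS within WINDOW of a Quick Assist start."""
    qa_starts = [parse(e["time"]) for e in events
                 if e["type"] == "process_create"
                 and e["image"].lower().endswith("\\quickassist.exe")]
    hits = []
    for e in events:
        if e["type"] != "image_load":
            continue
        proc = e["image"].lower().rsplit("\\", 1)[-1]
        if proc not in LOOKALIKE_PROCS:
            continue
        if e["loaded"].lower().startswith(TRUSTED_ROOTS):
            continue  # loaded from a trusted root: not a sideload candidate
        t = parse(e["time"])
        if any(s <= t <= s + WINDOW for s in qa_starts):
            hits.append((e["time"], proc, e["loaded"]))
    return hits


# Constructed sample telemetry (not from the article); paths are invented.
SAMPLE_EVENTS = [
    {"time": "2025-06-01 09:00:00", "type": "process_create",
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe"},
    {"time": "2025-06-01 09:12:30", "type": "image_load",
     "image": "C:\\Users\\victim\\AppData\\Local\\Teams\\ms-teams.exe",
     "loaded": "C:\\Users\\victim\\AppData\\Local\\Teams\\msteams_helper.dll"},
    {"time": "2025-06-01 09:13:00", "type": "image_load",  # benign load
     "image": "C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"time": "2025-06-02 15:00:00", "type": "image_load",  # outside window
     "image": "C:\\Users\\victim\\Downloads\\CrossDeviceService.exe",
     "loaded": "C:\\Users\\victim\\Downloads\\helper.dll"},
]

if __name__ == "__main__":
    for hit in find_suspicious_sideloads(SAMPLE_EVENTS):
        print("suspicious sideload:", hit)
```

The third sample load is a look-alike process outside the correlation window, so it is deliberately not flagged; widen WINDOW or drop the Quick Assist correlation if you want every untrusted-path load by these process names.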

Attribution is relatively difficult, so we can’t know for certain who is behind the attacks, but according to Cybersecurity News, the activity “overlaps with tactics previously tied to Blitz Brigantine”, a group also known as Storm-1811. This is a financially motivated threat actor that Microsoft previously linked to Black Basta.

For those with shorter memory spans, Black Basta used to be one of the most notorious ransomware gangs, but the group effectively ceased operations and went silent in early 2025.

So far, the group has hit two victims - a financial institution in Canada and a global healthcare organization. The names have not yet been shared, and the group has not publicly claimed responsibility for the attacks.

Via BleepingComputer

