{ "Event": { "analysis": "1", "date": "2026-03-06", "extends_uuid": "", "info": "[Threat Intel] New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering", "protected": false, "publish_timestamp": "1773274419", "published": true, "threat_level_id": "3", "timestamp": "1773274418", "uuid": "a9ffe4df-5cf4-4122-a7c1-dc348c7421b7", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#1faf16", "local": false, "name": "misp-galaxy:target-information=\"Canada\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#6e31dc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing - T1116\"", "relationship_type": "" }, { "colour": "#e1e63b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#110e53", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Email Bombing - T1667\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Embedded Payloads - T1027.009\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Environmental Keying - T1480.001\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#5884a7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"", "relationship_type": "" }, { "colour": "#177374", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Encoding - T1132.002\"", "relationship_type": "" }, { "colour": "#657ac3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Protocol Tunneling - T1572\"", "relationship_type": "" }, { "colour": "#3c0f50", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#1cbe6b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773054007", "to_ids": false, "type": "link", "uuid": "4db38332-5944-43b1-9091-400410dd4730", "value": "https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773054007", "to_ids": false, "type": "text", "uuid": "38bc3218-e3e2-499d-9349-a67b05f83b7c", "value": "A new backdoor, dubbed A0Backdoor, has been discovered in connection with a campaign using email bombing and IT-support impersonation over Microsoft Teams to gain Quick Assist access. The malware's loader exhibits anti-sandbox evasion techniques, and the campaign's command-and-control has shifted to a covert DNS mail exchange-based channel. This activity is attributed to the threat group Blitz Brigantine, also known as Storm-1811 or STAC5777, and shows similarities to Black Basta-linked social-engineering tactics. The attackers use digitally signed MSI packages, often hosted on Microsoft cloud storage, to deliver their proprietary tooling. The A0Backdoor employs sophisticated techniques such as time-based execution windows, runtime decryption, and DNS tunneling for covert communication. The campaign has been active since August 2025, targeting primarily the finance and health sectors." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773054007", "to_ids": false, "type": "text", "uuid": "074b2f6f-5301-4602-85d6-2ab0933ee730", "value": "Name: New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering\nAuthor: AlienVault\nAdversary: Blitz Brigantine\nTags: [\"social engineering\", \"a0backdoor\", \"teams impersonation\", \"dns tunneling\", \"sideloading\", \"email bombing\"]\nTgtd countries: [\"Canada\"]\nMlwr families: [\"A0Backdoor\"]\nAttack_ids: []\nIndustries: [\"Finance\", \"Healthcare\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1773054007", "to_ids": false, "type": "threat-actor", "uuid": "dfb430b6-6d3d-4fe6-9157-b4a2a2931187", "value": "Blitz Brigantine" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773246108", "to_ids": true, "type": "domain", "uuid": "cf281ed9-3a79-49c2-a4e0-cb6d372ed2b1", "value": "fsdgh.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773246130", "to_ids": true, "type": "hostname", "uuid": "91261def-492b-4be9-a576-f427d957553e", "value": "my.microsoftpersonalcontent.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1773246151", "uuid": "ebc32895-ab16-4bcf-a343-3af41c1cda05", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1773246151", "to_ids": true, "type": "md5", "uuid": "2b9ba8cf-b9a6-4f45-96ff-af8d71618520", "value": "7f54f87b7da0e7e0b868d1df07b0d949", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1773246104", "to_ids": true, "type": "sha1", "uuid": "be704fcc-6fc1-42c7-8041-6cfcc040f92b", "value": "f4befca298acd26f5048b18ebc9ee21e167cbdc5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1773246104", "to_ids": true, "type": "sha256", "uuid": "cf126b06-e11b-491b-aabd-a57c13179864", "value": "0c99481dcacda99014e1eeef2e12de3db44b5db9879ce33204d3c65469e969ff", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1773246053", "to_ids": true, "type": "ssdeep", "uuid": "9ce25202-9ac1-45c3-8bd3-234277821bb7", "value": "49152:+2SX7jizoL5laI3x/Bkpu7X5hZ0LH7WKnaaaqT8vWVNY6OoNUX+q5kk:S0+VzZ0+K2qTAPrSk" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1773246053", "to_ids": false, "type": "size-in-bytes", "uuid": "f46e62b5-6b96-46f2-987b-c780b52a6e29", "value": "3056640" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1773246053", "to_ids": true, "type": "vhash", "uuid": "40c0a0d1-e3ad-4095-bc7e-455d6c27179d", "value": "5a7a35a5c3eee9b2bb555179fad88156" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1773246053", "to_ids": true, "type": "filename", "uuid": "48b6c114-6e1a-46af-b7f1-de10feb88d91", "value": "0c99481dcacda99014e1eeef2e12de3db44b5db9879ce33204d3c65469e969ff.msi" }, { "category": "Other", "comment": "Checked: 12/03/2026\nLast-scan\t: 11/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1773246053", "to_ids": false, "type": "text", "uuid": "af049c40-74c8-406c-8846-38a9943dde1a", "value": "Type Descriptio%WINDIR%\\Installer\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection:30/62\nFirst Submission:2025-12-23T16:42:16.000000+00:00\nLast Submission:2026-03-10T11:05:43.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1773246172", "uuid": "91aa9f1e-b107-4811-95dc-4af96d88a5f7", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1773246172", "to_ids": true, "type": "md5", "uuid": "7045bb77-f4d9-452d-89fd-9417577226d9", "value": "53c59025a7d123634803a6763b924dd5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1773246105", "to_ids": true, "type": "sha1", "uuid": "9f200eff-5b2c-423f-b540-6cecaa1759a3", "value": "d0333c48d32ee97569668f7a3aab073aa82e9657", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1773246105", "to_ids": true, "type": "sha256", "uuid": "3f158afa-32f4-48e9-bb5a-e7634748b3f5", "value": "26db06a2319c09918225e59c404448d92fe31262834d70090e941093e6bb650a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1773246075", "to_ids": true, "type": "ssdeep", "uuid": "695c0526-acbd-4d82-91da-ab7c3253a302", "value": "49152:aWa+Lt0gaDp3EXA0Y6VNbvt/A2aeK8cXHla6Ou71+iQ5ef:wAa2cEF+eKnQqz" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1773246075", "to_ids": false, "type": "size-in-bytes", "uuid": "38ed1c87-48ff-434b-b631-c3662118698e", "value": "2213960" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1773246075", "to_ids": true, "type": "vhash", "uuid": "df90ebdc-d2a1-4188-ab25-48a11368b089", "value": "126066657d1555155az54nz4dz12" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1773246075", "to_ids": true, "type": "filename", "uuid": "5071b0dc-e0ef-486d-b4aa-f847490b5ad8", "value": ".NET Host Resolver -" }, { "category": "Other", "comment": "Checked: 12/03/2026\nLast-scan\t: 11/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1773246075", "to_ids": false, "type": "text", "uuid": "272cc51b-01fd-4e18-903f-3e659d56b4dd", "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Kepavll!rfn\nVT Total Detection:34/72\nFirst Submission:2025-12-23T16:43:00.000000+00:00\nLast Submission:2026-03-10T10:58:40.000000+00:00" } ] } ] } }