Cybersecurity experts at BlueVoyant have uncovered a sophisticated evolution in the tactics of the threat group known as Blitz Brigantine (also tracked as Storm-1811). Traditionally linked to Black Basta ransomware affiliates, the group has refreshed its arsenal with a custom backdoor and a clever communication method that bypasses traditional network monitoring.
The attack sequence is as psychological as it is technical. It begins with “email bombing”—flooding a target’s inbox with thousands of spam messages to create a sense of crisis.
Once the victim is overwhelmed, the attacker reaches out via Microsoft Teams, posing as internal IT support. They offer to “fix” the spam issue and request remote access via the built-in Windows Quick Assist application. This allows them to bypass security perimeters by simply being invited in by the user.
“These traits mirror a threat group… Blitz Brigantine… and their Black Basta-linked social-engineering playbook while showing an ongoing tooling refresh designed to blend into enterprise infrastructure,” the report explains.
Once access is granted, the group delivers malicious MSI packages—often masquerading as legitimate Teams or CrossDevice service updates. These installers use a technique called DLL sideloading, where a legitimate Microsoft application is tricked into loading a malicious library, such as hostfxr.dll.
Researchers found that the malware is built to frustrate defenders:
- Anti-Analysis: The loader uses “numerous calls to junk functions” and excessive thread creation to crash or overwhelm debuggers.
- Time-Gating: The shellcode computes a “timeslot” based on Unix time. If executed outside a specific 55-hour window, the decryption key changes, and the payload fails to load.
- Hidden Characters: The malware even checks the command line for a non-breaking space (U+00A0), a character that looks like a normal space but is used as a critical piece of the decryption key.
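The non-breaking-space check above is a good illustration of why defenders should not trust what a command line looks like in a console. The following Python is an added example, not code from the BlueVoyant report: it scans constructed process-creation events (the paths, PIDs and command lines are made up) for U+00A0 and other invisible Unicode characters, and rewrites the command line so an analyst can see them.

```python
import unicodedata

# Constructed process-creation events standing in for EDR/Sysmon output; not from the report.
SAMPLE_EVENTS = [
    {"pid": 3310, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"pid": 4120, "image": "C:\\Program Files\\ExampleSvc\\svc.exe",
     "cmdline": "svc.exe --session\u00a0a1b2c3"},      # U+00A0 looks like a space
    {"pid": 4188, "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i update.msi /qn"},
]

NORMAL_WHITESPACE = " \t\r\n"


def hidden_chars(cmdline):
    """Return (offset, 'U+XXXX', unicode name) for each whitespace lookalike or
    invisible format character in a command line."""
    findings = []
    for i, ch in enumerate(cmdline):
        if ch in NORMAL_WHITESPACE:
            continue
        # Zs = space separators other than ASCII space (U+00A0 is one);
        # Cf = format characters such as zero-width space. Both render invisibly.
        if unicodedata.category(ch) in ("Zs", "Cf"):
            findings.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return findings


def render_visible(cmdline):
    """Rewrite a command line so hidden characters appear as <U+XXXX>."""
    out = []
    for ch in cmdline:
        if ch not in NORMAL_WHITESPACE and unicodedata.category(ch) in ("Zs", "Cf"):
            out.append(f"<U+{ord(ch):04X}>")
        else:
            out.append(ch)
    return "".join(out)


def scan_events(events):
    """Return one alert per event whose command line carries hidden characters."""
    alerts = []
    for ev in events:
        found = hidden_chars(ev["cmdline"])
        if found:
            alerts.append({"pid": ev["pid"], "image": ev["image"],
                           "visible_cmdline": render_visible(ev["cmdline"]),
                           "hidden": found})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["pid"], alert["visible_cmdline"], alert["hidden"])
```

The same normalisation is worth applying before any command-line allowlist or regex match, since a rule written for ASCII spaces will silently miss an argument string that contains U+00A0.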
The final payload, dubbed AOBackdoor, introduces a novel command-and-control (C2) mechanism. Instead of connecting directly to the attacker’s server, it uses DNS Tunneling via MX (Mail Exchange) records.
By issuing DNS queries to trusted public resolvers like 1.1.1.1 or 8.8.8.8, the malware hides its traffic in plain sight. The commands are embedded in the subdomains of the queries, allowing the attackers to “craft MX responses whose ‘exchange’ hostnames embed command data”.
“Using DNS MX records helps the traffic blend in and can evade controls tuned to detect TXT-based DNS tunnelling, which may be more commonly monitored”, the report notes.
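Because the command data rides in the queried subdomains and the queries go straight to public resolvers, the channel can be spotted from DNS logs even though the traffic never touches an attacker-owned IP directly. The Python below is an added example (not the report's own detection logic) that scores MX queries on three traits the report describes: bypassing the internal resolvers, long subdomain payloads, and high-entropy labels, plus a per-host MX query rate. The log format, the internal resolver address 10.0.0.53, the domain mx-c2.example and the thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Public resolvers named in the report; most workstations should only use the
# organisation's own resolvers (constructed address below).
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
INTERNAL_RESOLVERS = {"10.0.0.53"}  # assumption: the internal DNS servers

# Constructed DNS query log: "<unix_ts> <client> <resolver> <qtype> <qname>" per line.
SAMPLE_LOG = """\
1700000000 10.0.1.25 10.0.0.53 A login.microsoftonline.com.
1700000001 10.0.1.25 10.0.0.53 A teams.microsoft.com.
1700000002 10.0.1.40 1.1.1.1 MX 3b9f2c7e1a04d6f8e2b1c9a7d5f3e0b4.a1c3e5.mx-c2.example.
1700000003 10.0.1.40 8.8.8.8 MX 7e2d9c0b4f1a6e3c8d5b2f9a0c7e4d1b.a1c4e6.mx-c2.example.
1700000004 10.0.1.40 1.1.1.1 MX f0a3c6e9b2d5f8a1c4e7b0d3f6a9c2e5.a1c5e7.mx-c2.example.
1700000005 10.0.2.10 10.0.0.53 MX example.com.
"""


def shannon_entropy(s):
    """Bits per character; encoded or encrypted data scores near the alphabet's maximum."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qtype, qname = line.split()
        records.append({"ts": int(ts), "client": client, "resolver": resolver,
                        "qtype": qtype, "qname": qname.rstrip(".").lower()})
    return records


def mx_query_reasons(rec, internal_resolvers=INTERNAL_RESOLVERS):
    """Per-query indicators of MX-based tunnelling. Thresholds are illustrative."""
    reasons = []
    if rec["qtype"] != "MX":
        return reasons
    if rec["resolver"] not in internal_resolvers:
        reasons.append("MX query bypasses internal resolvers")
    labels = rec["qname"].split(".")
    payload = "".join(labels[:-2])  # everything left of the registrable domain
    if len(payload) >= 30:
        reasons.append(f"{len(payload)} chars of subdomain data")
    if shannon_entropy(payload) > 3.5:
        reasons.append("high-entropy subdomain labels")
    return reasons


def detect(log_text, min_reasons=2, mx_rate_threshold=3):
    """Return {client: [(qname, reasons)]} for hosts whose MX traffic looks like C2."""
    findings = defaultdict(list)
    mx_per_client = Counter()
    for rec in parse_log(log_text):
        if rec["qtype"] == "MX":
            mx_per_client[rec["client"]] += 1
        reasons = mx_query_reasons(rec)
        if len(reasons) >= min_reasons:
            findings[rec["client"]].append((rec["qname"], reasons))
    # Workstations rarely issue MX lookups at all; a burst of them is itself a signal.
    for client, count in mx_per_client.items():
        if count >= mx_rate_threshold:
            findings[client].append(("*", [f"{count} MX queries from one host"]))
    return dict(findings)


if __name__ == "__main__":
    for client, items in detect(SAMPLE_LOG).items():
        for qname, reasons in items:
            print(client, qname, "; ".join(reasons))
```

On a real network the per-host rate check needs an exemption for mail servers and mail-relaying appliances, which legitimately issue MX lookups, and the resolver check only works once egress to external port 53 is logged or, better, blocked for everything but the internal resolvers.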
BlueVoyant’s investigation highlights that the finance and health sectors remain primary targets. The group has been active with this new toolkit since at least August 2025, constantly rotating code-signing certificates to maintain an air of legitimacy.
As the researchers conclude: “The activity cluster has introduced the A0Backdoor payload and shifted to a covert DNS MX-based C2 channel that confines endpoint traffic to trusted recursive resolvers”.