Hackers are targeting Windows Quick Assist remote desktop features to deploy ransomware
Remote access tools such as Windows Quick Assist continue to be a key target for threat actors, with Microsoft issuing another warning about the risk of ransomware attacks


Hackers are targeting Windows Quick Assist features as part of a campaign to conduct ransomware attacks, Microsoft has warned in a new threat intelligence report.
Since mid-April 2024, the tech giant has observed Storm-1811, a financially motivated threat actor, using social engineering tactics to trick users into granting access to their device through Quick Assist.
Quick Assist is a remote access tool for sharing access to Windows devices in order to troubleshoot technical issues, based on the remote desktop protocol (RDP).
Microsoft’s advisory warned that the attack chain begins with an email-bombing attack, in which the hackers sign up the target’s email address to multiple email subscription services that flood their inbox with subscribed content.
The attackers then target the user with a voice phishing attack (vishing), in which they claim to be IT support from the affected company offering to help them fix their spam issue.
During the call, threat actors try to manipulate the victim into giving them access to their device through Quick Assist. Microsoft warned that the victim only needs to follow a few of the attacker’s instructions before they can execute code on the target device.
First, the threat actor gets the user to open Quick Assist with the CTRL + Windows + Q keyboard shortcut, after which the user is prompted to enter a security code provided by the attacker.
The user is then shown a dialog box asking for permission to share their screen; once this is accepted, the threat actor can request control through the Quick Assist system.
If control is granted, the attacker gets to work deploying various malware strains to escalate their privileges on the system.
The attacker runs a script to download a batch of files, including remote monitoring and management (RMM) tools as well as the Qakbot malware, which is used to deliver other malicious payloads such as Cobalt Strike.
After installing the initial tooling required for the attack, the threat actor can simply terminate the call and use the command line tool PsExec to deploy the Black Basta ransomware.
Black Basta is described as a ‘closed ransomware offering’, in contrast to frequently deployed ransomware as a service (RaaS) tools, and is distributed by a small number of threat actors.
Microsoft’s report noted the link between Black Basta ransomware attacks and the use of the Qakbot remote access trojan (RAT), advising organizations to look out for evidence of the malware in order to catch an attack in its early stages, before any ransomware is deployed.
“Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat.”
In addition to exploiting Quick Assist to gain initial access, the attack chain leverages other RMM tools such as ScreenConnect and NetSupport Manager to establish persistence and move laterally on the network, as well as maintain control over the compromised device.
Windows Quick Assist attacks are just the tip of the iceberg
The security advisory from Microsoft follows a growing trend of attackers exploiting remote desktop access software to carry out attacks.
With the advent of hybrid working models, remote access tools have become pervasive across corporate networks, and their level of access makes them useful tools for attackers if they can successfully exploit them.
In February 2024, a Trend Micro report found that two high-severity vulnerabilities in ConnectWise’s ScreenConnect product were being actively exploited by threat actors in the wild.
Similarly, Huntress issued a report in January 2024 on another popular remote access tool, TeamViewer, that was being used in a ransomware campaign to breach devices and deploy the Surprise ransomware.
It was unclear at the time whether the attackers were exploiting a vulnerability in the TeamViewer software to gain unauthorized access to the target devices, or whether they were able to legitimately access the system using stolen credentials.
In the case of Quick Assist, the attackers did not even need to leverage security flaws in the tool itself; they simply used it as intended, for malicious purposes.
As a result, Microsoft recommends that organizations consider blocking or uninstalling Quick Assist and other remote management tools if they are not being actively used in their environment.
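The following PowerShell script is an added example, not code from Microsoft's advisory or from ITPro, showing one way an administrator could act on the recommendation above and on the attack chain described earlier: it reports whether the Quick Assist optional capability is present on a Windows 10/11 machine (and removes it when run with -Remove), then audits the registry Uninstall keys for the RMM tools named in the article (ScreenConnect and NetSupport) so that unexpected installs can be investigated. It assumes an elevated session; the list of tool name patterns is an assumption to be adjusted to whatever is sanctioned in your environment.

```powershell
# Added hardening/audit example (not from the Microsoft advisory or the ITPro article).
# Assumptions: elevated PowerShell session on Windows 10/11; the $rmmPatterns list
# below is a constructed starting point, not an authoritative inventory.
[CmdletBinding()]
param(
    [switch]$Remove   # remove the Quick Assist capability if it is installed and not needed
)

# Quick Assist ships as an optional Windows capability. Match by prefix so the
# version suffix in the capability name does not have to be hard-coded.
$quickAssist = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' } |
    Select-Object -First 1

if (-not $quickAssist) {
    Write-Output 'Quick Assist capability not found on this build.'
} elseif ($quickAssist.State -eq 'Installed') {
    Write-Output "Quick Assist is installed ($($quickAssist.Name))."
    if ($Remove) {
        Remove-WindowsCapability -Online -Name $quickAssist.Name | Out-Null
        Write-Output 'Quick Assist removed.'
    }
} else {
    Write-Output "Quick Assist is present but not installed (state: $($quickAssist.State))."
}

# Audit installed programs for the remote management tools named in the advisory.
# Both the 64-bit and WOW6432Node Uninstall hives are checked.
$rmmPatterns = @('ScreenConnect', 'NetSupport')
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($rmmPatterns | Where-Object { $name -like "*$_*" })
    } |
    Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

if ($found) {
    Write-Output 'Remote management tools found (verify each is sanctioned):'
    $found | Format-Table -AutoSize
} else {
    Write-Output 'No ScreenConnect/NetSupport installs found in the Uninstall registry keys.'
}
```

Run it once without -Remove to see the current state; an unexpected RMM install on a workstation whose user recently received a flood of subscription emails is exactly the pre-ransomware stage the advisory says to catch.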

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.