Threat Intelligence, Jun 18, 2026

DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

DragonForce hackers use Microsoft Teams relays to hide Backdoor.Turn C2 traffic.

Summary

Threat actors linked to the DragonForce ransomware have been observed using a custom Go-based RAT, Backdoor.Turn, to conceal command-and-control (C2) traffic within Microsoft Teams relay infrastructure. This sophisticated technique allows attackers to blend malicious communications with legitimate traffic, making detection difficult for network defenders. The attackers gained initial access to a U.S. services firm, likely through an SQL server vulnerability or an initial access broker, and remained undetected for one to two months.

Full text

Ravie Lakshmanan, Jun 18, 2026 (Remote Access Trojan / Ransomware)

Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.

According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was not disclosed.

"Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server," the Threat Hunter Team said in a report shared with The Hacker News. "To network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months."

The development marks the first publicly documented instance of the threat actors abusing Microsoft's Traversal Using Relays around NAT (TURN) relay infrastructure.

It's suspected the threat actor obtained initial access by exploiting a vulnerability in either an SQL or MS-SQL server, although the exact nature of the flaw is unknown. It's also possible that the access was acquired from an initial access broker (IAB).

Initial malicious activity on the victim network began in December 2025, with the attackers running a PowerShell command to drop a ZIP archive under the pretext of a tech support hotfix. The ZIP file is responsible for launching a DLL side-loading attack, which then runs a rogue DLL to conduct reconnaissance, set up persistence, and silence security software using a Huawei driver ("HWAuidoOs2Ec.sys").

This is achieved by means of an attack technique known as bring your own vulnerable driver (BYOVD). The driver has been put to use in a large-scale malvertising campaign targeting U.S.-based individuals searching for tax-related documents, although this is said to have taken place after the ransomware incident. Some of the other drivers used for this purpose are listed below:

  • wsftprm.sys (CVE-2023-52271)
  • GameDriverX64.sys (CVE-2025-61155)
  • K7RKScan.sys (CVE-2025-1055)
  • ABYSSWORKER, a custom-built malicious driver previously observed in Medusa ransomware attacks

What's notable about the attack is the execution of Backdoor.Turn by injecting it into the legitimate "DbgView64.exe" process after the DragonForce ransomware has been deployed. This suggests an attempt to maintain continued access to the compromised host for later attacks or to resell it for profit.

Backdoor.Turn's underlying TURN-based mechanism leans on a stealthy C2 communication technique called Ghost Calls that was documented by Praetorian in August 2024. The backdoor supports a wide range of capabilities, including command execution, process creation, network scanning, LDAP and Active Directory search, credential-based lateral movement, and browser credential theft.

"The backdoor requests a visitor token from the Microsoft Teams/Skype backend, uses that token to interact with Teams-associated infrastructure (TURN relay), and then establishes outbound connectivity," Symantec and Carbon Black explained. "It obtains a Teams visitor (anonymous) authentication token backed by Skype identity services. It then uses a legitimate Microsoft server as the TURN relay server during connection setup. After relay-assisted setup, the malware establishes a direct QUIC session to the C&C server, which is malicious."

The findings paint a picture of a hacking group leaning on sophisticated cyber tradecraft to pull off high-impact targeted attacks, while leaving victims in the dark about covert data exfiltration.
This is particularly significant as Hackledorb, the threat actor behind DragonForce, has pivoted from a conventional ransomware-as-a-service (RaaS) model to a highly organized, formalized cartel structure.

"The operational timeline reveals a pattern of continuous capability development, with the adoption of highly advanced techniques becoming a hallmark of their post-2025 activity," the company said. "The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today."
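A defender-side detection heuristic for the relay-then-QUIC pattern the report describes, added here as an illustrative example rather than code from Symantec, Carbon Black or The Hacker News. It assumes per-connection endpoint telemetry carrying the originating process name and a dest_category field produced by an enrichment step (service-tag lookup), an allowlist of Teams client process names, and UDP/3478 as the relay port; the log lines are constructed.

```python
import json

# Assumed allowlist of processes expected to contact Teams TURN relays; tune per estate.
TEAMS_CLIENTS = {"ms-teams.exe", "teams.exe"}
TURN_PORT = 3478      # assumed relay port; extend to the relay ports your estate actually uses
WINDOW_S = 300        # max seconds between relay contact and the follow-on QUIC session

# Constructed sample telemetry (not real data): one outbound connection per line.
# dest_category is assumed to come from an enrichment step (service-tag lookup);
# "unknown" means the destination is not attributed to any known service.
SAMPLE_LOG = """
{"ts":1000,"process":"ms-teams.exe","proto":"udp","dport":3478,"dest_category":"microsoft_teams","dest":"relay-a.example"}
{"ts":1003,"process":"ms-teams.exe","proto":"udp","dport":443,"dest_category":"microsoft_teams","dest":"media-a.example"}
{"ts":2000,"process":"DbgView64.exe","proto":"udp","dport":3478,"dest_category":"microsoft_teams","dest":"relay-b.example"}
{"ts":2004,"process":"DbgView64.exe","proto":"udp","dport":443,"dest_category":"unknown","dest":"203.0.113.10"}
{"ts":3000,"process":"chrome.exe","proto":"udp","dport":443,"dest_category":"unknown","dest":"198.51.100.7"}
"""

def parse(text):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_turn_relay(r):
    return r["proto"] == "udp" and r["dport"] == TURN_PORT and r["dest_category"] == "microsoft_teams"

def is_quic(r):
    # QUIC rides on UDP/443; the report describes the post-relay C2 session as QUIC.
    return r["proto"] == "udp" and r["dport"] == 443

def detect(records):
    """Return (rule, process, ts) alerts for the two Backdoor.Turn-style patterns:
    a non-Teams process reaching a Teams relay, and a QUIC session to an
    uncategorised destination shortly after that same process touched a relay."""
    alerts = []
    last_relay = {}  # process -> ts of its most recent relay contact
    for r in sorted(records, key=lambda x: x["ts"]):
        proc = r["process"]
        if is_turn_relay(r):
            last_relay[proc] = r["ts"]
            if proc.lower() not in TEAMS_CLIENTS:
                alerts.append(("turn_relay_from_non_teams_process", proc, r["ts"]))
        elif is_quic(r) and r["dest_category"] == "unknown":
            t = last_relay.get(proc)
            if t is not None and r["ts"] - t <= WINDOW_S:
                alerts.append(("quic_to_unknown_after_relay", proc, r["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

A production rule would additionally correlate with the injection into DbgView64.exe and with driver-load events for the BYOVD drivers named above; the point here is that the relay-then-QUIC sequence is visible per process even when every destination looks like Microsoft.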

Indicators of Compromise

  • malware — Backdoor.Turn
  • malware — DragonForce
  • mitre_attack — T1059.001
  • mitre_attack — T1574.002
  • mitre_attack — T1070.004
  • mitre_attack — T1204.002
  • mitre_attack — T1055.012
  • mitre_attack — T1071.001
  • mitre_attack — T1090.003
  • mitre_attack — T1555.003
  • mitre_attack — T1018
  • mitre_attack — T1558.003
  • mitre_attack — T1041

Entities

  • DragonForce (threat_actor)
  • Microsoft Teams (product)
  • Microsoft (vendor)
  • Symantec (vendor)
  • Carbon Black (vendor)