Ransomware | Jun 17, 2026

Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack

DragonForce ransomware gang deploys Go-based backdoor abusing Microsoft Teams relay servers for C&C.

Summary

A new Go-based backdoor called Backdoor.Turn was discovered being used by the DragonForce ransomware group to maintain persistence after attacks. The malware uniquely abuses Microsoft Teams TURN relay servers for command-and-control, disguising malicious traffic as legitimate Teams communication. The backdoor was deployed in a December 2025 attack on a US services firm, where attackers used DLL sideloading, BYOVD techniques, and stolen credentials to establish deep system access before deploying ransomware.

Full text

A new backdoor deployed as part of a recent DragonForce ransomware attack is using Microsoft Teams relay servers for command-and-control (C&C), according to Broadcom’s Symantec and Carbon Black threat hunter team.

The DragonForce group has been active since 2023, operating as a cartel structure and adopting highly advanced techniques in recent months, suggesting organizational maturity and significant resource allocation.

Tracked as Backdoor.Turn, the newly identified malware is written in Go and hides its C&C server communication as legitimate Microsoft Teams traffic in a sophisticated manner.

“Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real [C&C] server,” the threat hunters note.

According to the researchers, this appears to be the first malware family to abuse the TURN relay infrastructure in this way.

“It is relatively unusual to see ransomware attackers using their own custom tools, and it is particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn,” they note.

The custom backdoor was used in an attack on a US services firm, which was likely compromised through an unknown vulnerability in an SQL or MSSQL server. DragonForce operators might have purchased access to the company from an access broker.

According to Symantec and Carbon Black, the hackers accessed the victim network in December 2025 and relied on DLL sideloading to execute code that would fetch additional malware from remote servers. The hackers established persistence, secured access to the compromised environment, conducted reconnaissance, and employed a sophisticated BYOVD strategy to exploit known flaws in signed drivers, thereby obtaining kernel-level access and terminating security processes.

They also deployed the DragonForce ransomware for data encryption and exfiltration, and the Backdoor.Turn malware to maintain persistence on the compromised systems after the ransomware was deployed. The backdoor enables threat actors to execute commands, create processes, perform network scanning and LDAP/AD mapping, move laterally using stolen credentials, and exfiltrate credentials from the browsers installed on the infected systems.

“The attackers in this campaign use exceptionally sophisticated cyber tradecraft. The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors,” the researchers note.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
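The detection point the researchers make is that network-layer controls only see traffic to legitimate Teams infrastructure, so the discriminating signal has to come from the endpoint: which process is fetching an anonymous visitor token and then talking to a TURN relay. The following is an added example, not code from the article, Symantec or Carbon Black. It correlates constructed per-process connection telemetry and flags relay usage by processes that are not expected Teams clients. The identity and relay hostnames are placeholders standing in for the Microsoft services named in the report, and the process allowlist is an assumption to be tuned per estate.

```python
"""Endpoint-side correlation: flag processes that are not known Teams clients yet
use a TURN relay (and optionally fetch an anonymous visitor token first).
Added example with constructed telemetry; hostnames below are placeholders."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One outbound connection as an EDR/host firewall might record it (constructed schema)."""
    host: str
    process: str      # image name of the process that opened the connection
    dest_host: str
    dest_port: int
    proto: str        # "tcp" or "udp"


# ASSUMPTION / placeholders: the report names "Microsoft's Skype-backed identity
# services" and a "legitimate Microsoft TURN relay" but gives no hostnames, so these
# suffixes are constructed. Replace them with what your own telemetry shows for Teams.
IDENTITY_HOST_SUFFIX = ".identity-placeholder.example"
RELAY_HOST_SUFFIX = ".turn-relay-placeholder.example"

# Standard STUN/TURN ports (RFC 5766 / RFC 8656); relays also commonly fall back to 443.
TURN_PORTS = {3478, 3479, 443}

# ASSUMPTION: processes on a managed endpoint that legitimately talk to Teams relays.
EXPECTED_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}


def is_turn_relay(c: Conn) -> bool:
    return c.dest_host.endswith(RELAY_HOST_SUFFIX) and c.dest_port in TURN_PORTS


def is_identity_fetch(c: Conn) -> bool:
    return c.dest_host.endswith(IDENTITY_HOST_SUFFIX) and c.dest_port == 443 and c.proto == "tcp"


def find_suspicious(conns):
    """Return {(host, process): [reasons]} for processes that use a TURN relay
    without being an expected Teams client. A preceding visitor-token fetch by
    the same process is recorded as a second, corroborating reason."""
    seen = defaultdict(lambda: {"identity": False, "relay": False})
    for c in conns:
        key = (c.host, c.process.lower())
        if is_identity_fetch(c):
            seen[key]["identity"] = True
        if is_turn_relay(c):
            seen[key]["relay"] = True

    findings = {}
    for (host, proc), flags in seen.items():
        if proc in EXPECTED_TEAMS_PROCESSES or not flags["relay"]:
            continue
        reasons = ["turn_relay_from_unexpected_process"]
        if flags["identity"]:
            reasons.append("anonymous_visitor_token_fetch")
        findings[(host, proc)] = reasons
    return findings


# Constructed sample telemetry: a real Teams client, two unexpected processes that
# use the relay, and one process that only touches the identity endpoint.
SAMPLE = [
    Conn("WS01", "ms-teams.exe", "login.identity-placeholder.example", 443, "tcp"),
    Conn("WS01", "ms-teams.exe", "relay1.turn-relay-placeholder.example", 3478, "udp"),
    Conn("WS02", "updater.exe", "login.identity-placeholder.example", 443, "tcp"),
    Conn("WS02", "updater.exe", "relay2.turn-relay-placeholder.example", 443, "udp"),
    Conn("WS03", "backup.exe", "relay1.turn-relay-placeholder.example", 3478, "udp"),
    Conn("WS04", "outlook.exe", "login.identity-placeholder.example", 443, "tcp"),
]

if __name__ == "__main__":
    for (host, proc), reasons in find_suspicious(SAMPLE).items():
        print(f"{host} {proc}: {', '.join(reasons)}")
```

Because the report also describes DLL sideloading, an image-name allowlist alone is weak: a trusted binary hosting a malicious DLL would pass it. In production, key the allowlist on the signer and path of the image and on the modules loaded into it, not on the file name, and treat a relay session from any process that is not the installed Teams client as worth a look even when it is the only signal.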

Indicators of Compromise

  • malware — Backdoor.Turn
  • malware — DragonForce ransomware

Entities

  • DragonForce (threat_actor)
  • Microsoft (vendor)
  • Microsoft Teams (product)
  • Broadcom Symantec (vendor)
  • TURN relay (technology)
  • QUIC (technology)