DragonForce ransomware operators hid inside a major U.S. services firm for up to two months by routing command-and-control traffic through Microsoft Teams' own relay servers, Symantec and Carbon Black revealed on June 16. The technique is the first documented in-the-wild abuse of Teams' TURN relay infrastructure for malware C2. The group used a custom Go-based backdoor, tracked as Backdoor.Turn, that obtained an anonymous Teams visitor token from Microsoft's Skype-backed identity services.
The malware then used Microsoft's TURN relay to establish a connection and carried a QUIC session over that relayed path to the attacker's real C2 server. To network defenders, the only visible traffic was outbound connections to Microsoft Teams servers.
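The defensive lever the description above hands us is correlation: relay traffic is expected from a conferencing client, not from an arbitrary process such as a debugger, and a legitimate media session does not run for days. The following is an added example, not Symantec or Carbon Black tooling and not part of the original report, showing that check over a constructed connection log. The record layout, the relay hostnames (deliberate placeholders, not real Microsoft names), the allowlist of client processes, and the use of the standard TURN port 3478 as the relay indicator are all assumptions to adapt to your own telemetry.

```python
"""Flag relay sessions that look like covert C2 rather than Teams media.

Added example, not vendor code. Input is an assumed simplified connection
record per line:
    ts,process,dst_host,dst_port,proto,duration_s,bytes_out
Relay hostnames in the sample are placeholders, not real Microsoft names.
"""
import re
from dataclasses import dataclass

TURN_PORT = 3478  # standard TURN port (RFC 5766); assumed to identify the relay here
# Processes expected to talk to a conferencing relay (assumed allowlist; tune to your estate)
EXPECTED_RELAY_CLIENTS = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}
# Placeholder pattern standing in for the real relay domain in your environment
RELAY_HOST_RE = re.compile(r"\.relay-placeholder\.example$")
MAX_EXPECTED_SESSION_S = 6 * 3600  # assumed upper bound for a genuine meeting


@dataclass
class Conn:
    ts: str
    process: str
    dst_host: str
    dst_port: int
    proto: str
    duration_s: int
    bytes_out: int


def parse_line(line):
    """Parse one comma-separated record into a Conn; raise on malformed input."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 7:
        raise ValueError(f"malformed record: {line!r}")
    ts, proc, host, port, proto, dur, out = fields
    return Conn(ts, proc.lower(), host.lower(), int(port), proto.upper(), int(dur), int(out))


def is_relay_destination(c):
    return c.dst_port == TURN_PORT or RELAY_HOST_RE.search(c.dst_host) is not None


def classify(c):
    """Return a reason string if the relay session is suspicious, else None."""
    if not is_relay_destination(c):
        return None
    if c.process not in EXPECTED_RELAY_CLIENTS:
        return f"unexpected process {c.process} talking to relay {c.dst_host}:{c.dst_port}"
    if c.duration_s > MAX_EXPECTED_SESSION_S:
        return f"relay session from {c.process} lasted {c.duration_s}s, longer than a plausible meeting"
    return None


def flag_suspect_relay_sessions(lines):
    """Run classify() over log lines; return (ts, process, reason) for each finding."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_line(line)
        reason = classify(c)
        if reason:
            findings.append((c.ts, c.process, reason))
    return findings


# Constructed sample log: one normal meeting, one web fetch, one debugger process
# holding a relay session overnight, and one client session far too long to be a meeting.
SAMPLE_LOG = """\
# ts,process,dst_host,dst_port,proto,duration_s,bytes_out   (constructed sample)
2025-12-03T09:14:02Z,ms-teams.exe,eu1.relay-placeholder.example,3478,UDP,2710,48122000
2025-12-03T09:20:45Z,msedge.exe,www.example.org,443,TCP,12,8400
2025-12-03T22:41:10Z,DbgView64.exe,eu2.relay-placeholder.example,3478,UDP,31600,9120000
2025-12-04T01:02:33Z,ms-teams.exe,eu1.relay-placeholder.example,3478,UDP,52000,1200000
"""

if __name__ == "__main__":
    for ts, proc, reason in flag_suspect_relay_sessions(SAMPLE_LOG.splitlines()):
        print(ts, proc, reason)
```

The process-to-destination rule is the one that catches the pattern described in the article, since the destination alone is indistinguishable from normal Teams use; the duration rule is a weaker secondary signal that needs tuning against your own meeting patterns.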
The attack began in December 2025, with the intruders likely gaining access by exploiting a vulnerability in an SQL or MSSQL server. Evidence suggests access may also have been purchased from an access broker.
Once inside, the attackers downloaded a ZIP archive containing a VirtualBox/DbgView executable paired with a malicious DLL for sideloading. For defense evasion, the group used a multi-vector Bring Your Own Vulnerable Driver (BYOVD) strategy, exploiting signed but vulnerable drivers from Huawei, Topaz Antifraud, Tower of Fantasy, and K7 Security to gain kernel-level privileges and disable security tools. The Huawei driver was used in a novel technique called Havoc Process Terminator, which had not previously been observed in real-world attacks.
Huntress documented the driver's vulnerability in March 2026, after the intrusion. The group also used ABYSSWORKER, a custom malicious driver designed to masquerade as a Palo Alto Networks driver.
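Every driver named above was legitimately signed, so signature validity alone is not a useful filter; what defenders can screen for is a known-vulnerable hash, a driver loading from a path where drivers do not belong, and a binary whose claimed vendor does not match its signer, which is the shape of the masquerading ABYSSWORKER case. The following is an added example, not Huntress, Symantec or Carbon Black code, that applies those three checks to constructed driver-load events. The record layout (modelled loosely on a driver-load event with image path, hash, signer and claimed company), the blocklist hashes, file names and signer strings are all constructed placeholders; in practice the hash set would be populated from a maintained vulnerable-driver list.

```python
"""Screen driver-load events for BYOVD indicators.

Added example, not vendor tooling. Input is an assumed simplified record:
    ts|image_path|sha256|signer_subject|claimed_company
Every hash, file name and signer string below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for a real vulnerable-driver blocklist (hash -> label)
VULNERABLE_DRIVER_SHA256 = {
    "1" * 64: "constructed-vulnerable-driver-a.sys",
    "2" * 64: "constructed-vulnerable-driver-b.sys",
}
# Drivers are expected to load from the system drivers directory (assumed baseline)
TRUSTED_DRIVER_DIR_RE = re.compile(r"^c:\\windows\\system32\\drivers\\", re.I)


@dataclass
class DriverLoad:
    ts: str
    image: str
    sha256: str
    signer: str
    company: str


def parse_event(line):
    """Parse one pipe-separated record; raise on malformed input."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, image, sha, signer, company = fields
    return DriverLoad(ts, image, sha.lower(), signer, company)


def vendor_mismatch(ev):
    """True when the vendor the binary claims does not appear in the signer subject."""
    words = ev.company.lower().split()
    return bool(words) and words[0] not in ev.signer.lower()


def assess(ev):
    """Return the list of reasons this load is suspicious (empty if none)."""
    reasons = []
    if ev.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"known vulnerable driver ({VULNERABLE_DRIVER_SHA256[ev.sha256]})")
    if not TRUSTED_DRIVER_DIR_RE.match(ev.image):
        reasons.append(f"driver loaded from unusual path {ev.image}")
    if vendor_mismatch(ev):
        reasons.append(f"claims vendor '{ev.company}' but is signed by '{ev.signer}'")
    return reasons


def screen_driver_loads(lines):
    """Return (image_path, reasons) for every event with at least one finding."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append((ev.image, reasons))
    return findings


# Constructed sample: one benign load, one blocklisted driver dropped to a public
# folder, and one lookalike claiming a security vendor but signed by someone else.
SAMPLE_EVENTS = r"""
# ts|image_path|sha256|signer_subject|claimed_company   (constructed sample)
2025-12-05T08:00:01Z|c:\windows\system32\drivers\legitdisk.sys|""" + "a" * 64 + r"""|Microsoft Windows|Microsoft Corporation
2025-12-05T08:03:17Z|c:\users\public\vulnsample.sys|""" + "1" * 64 + r"""|Constructed Vendor Ltd|Constructed Vendor
2025-12-05T08:05:42Z|c:\windows\temp\pan_lookalike.sys|""" + "b" * 64 + r"""|Constructed Shell Co|Palo Alto Networks
"""

if __name__ == "__main__":
    for image, reasons in screen_driver_loads(SAMPLE_EVENTS.splitlines()):
        print(image)
        for r in reasons:
            print("   -", r)
```

The vendor-mismatch heuristic is intentionally crude (first word of the claimed company against the signer subject) and will need an exception list for legitimate rebranding; its value is in surfacing the masquerade pattern cheaply from telemetry you already collect.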
Backdoor.Turn's capabilities included command execution, network scanning, TLS certificate collection, LDAP and Active Directory searches, browser credential theft, and credential-based lateral movement. Security analysts believe the backdoor was injected into the DbgView64.exe process after the ransomware was deployed, suggesting it may have been intended to maintain long-term access or be resold to other cybercriminal groups.
"The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today," the researchers concluded. The concept of abusing conferencing TURN credentials was demonstrated in 2025 through Praetorian's Ghost Calls research, but Backdoor.Turn is the first known malware to weaponize the technique in a live attack. "To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild," Symantec said.
Symantec has published indicators of compromise tied to the December 2025 intrusion to help defenders detect related activity from the ransomware-as-a-service group, which has operated since at least 2023 with links to the Scattered Spider threat ecosystem.