
DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
DragonForce is a ransomware operation, active since at least 2023, that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.
According to researchers at the cybersecurity company Symantec, the hackers used custom Go-based malware in an attack against a major U.S. services company.
Backdoor.Turn abuses Teams' TURN infrastructure by obtaining an anonymous Teams visitor token, using a legitimate Microsoft TURN relay during connection setup, and then connecting to the attacker's command-and-control (C2) server.
As a result, defenders see traffic associated with the Microsoft Teams infrastructure, allowing the malware to hide its communications within a trusted network.
Last year, Praetorian developed a new technique dubbed ‘Ghost Calls’, which showed how temporary TURN credentials for Teams and Zoom could be hijacked to create stealthy communication tunnels through trusted conferencing infrastructure.
While Ghost Calls demonstrated the concept in 2025, Backdoor.Turn is the first known in-the-wild malware to abuse Microsoft Teams TURN relays for command-and-control communications.
“Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic,” Symantec says.
The researchers also highlight the exploitation of Huawei’s HWAuidoOs2Ec.sys driver ("Havoc Process Terminator"), which is used for evasion in Bring Your Own Vulnerable Driver (BYOVD) tactics.
The attack, observed in December 2025, likely began with the exploitation of an unknown flaw in an SQL or MSSQL server, Symantec notes.
Once the attacker established a foothold, they downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL file used for sideloading.
At this stage, the attacker strengthened their persistence, created rogue users, abused the LimitBlankPassword security policy in Windows for easy access, and modified firewall rules.
Next, they used BYOVD techniques with multiple drivers such as Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055), to obtain kernel-level privileges and terminate security tools on the host.
The hacker also used ABYSSWORKER, a custom malicious driver masquerading as a legitimate Palo Alto driver.
The Backdoor.Turn remote access trojan (RAT) was injected into ‘DbgView64.exe’ after deploying the ransomware, suggesting that it might be intended for persistence or future access.
The malware obtains an anonymous Teams visitor token using a legitimate Microsoft TURN relay server during connection setup and establishes communication with the C2.
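As an added illustration of how a defender can hunt for this behaviour in endpoint telemetry (this is example code written for this article, not Symantec's tooling or the malware's code), the heuristic below flags TURN-style connections from any process that is not a known Teams binary, plus any network activity from the DbgView64.exe host the article names. The log format, process allowlist and sample addresses are assumptions; port 3478 is the standard TURN port from RFC 5766.

```python
"""Detection heuristic over constructed endpoint network telemetry."""
import csv
import io

TURN_PORTS = {3478}  # standard TURN port (RFC 5766)
# Assumed allowlist of binaries expected to talk to Teams TURN relays.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
# Sideloading host named in the article; it has no reason to be on the network.
SUSPECT_HOSTS = {"dbgview64.exe"}

# Constructed sample telemetry (process,dest_ip,dest_port,proto). Not real IoCs.
SAMPLE_LOG = """process,dest_ip,dest_port,proto
ms-teams.exe,203.0.113.10,3478,udp
dbgview64.exe,203.0.113.10,3478,tcp
dbgview64.exe,198.51.100.7,443,tcp
updater.exe,203.0.113.11,3478,udp
chrome.exe,198.51.100.20,443,tcp
"""


def classify(row):
    """Return a reason string if the connection looks suspicious, else None."""
    proc = row["process"].lower()
    port = int(row["dest_port"])
    if proc in SUSPECT_HOSTS:
        return "network activity from sideloading host"
    if port in TURN_PORTS and proc not in TEAMS_PROCESSES:
        return "TURN traffic from non-Teams process"
    return None


def find_suspicious(log_text):
    """Parse CSV telemetry and return (process, dest_ip, dest_port, reason) tuples."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reason = classify(row)
        if reason:
            alerts.append((row["process"], row["dest_ip"], int(row["dest_port"]), reason))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

In production the allowlist should be tightened to signed Teams binaries and the relay destinations checked against Microsoft's published address ranges, since the relay itself is legitimate and only the client using it is anomalous.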
Its capabilities include command execution, process creation, network scanning, TLS certificate capturing, LDAP/Active Directory searching, website title collection, and browser credential theft.
After completing reconnaissance and evading defense, the attacker exfiltrated all data, deployed DragonForce ransomware, and encrypted the victim’s systems.
The researchers say that the hackers behind "this campaign use exceptionally sophisticated cyber tradecraft."
Symantec has published a complete list of indicators of compromise (IoCs) to help defenders catch and block such attacks.