DragonForce Exploits Microsoft Teams Relays via Backdoor.Turn
- Stealth C2 Obfuscation: DragonForce threat actors obfuscated command-and-control traffic within Microsoft Teams' TURN relay servers utilizing Backdoor.Turn.
- First Documented: Backdoor.Turn represents the first identified malware strain to weaponize the Microsoft Teams TURN relay infrastructure for C2 communications.
- Operational Dwell Time: The actors maintained persistent access within the target network for one to two months, beginning in December 2025.
Threat actors deploying DragonForce ransomware against a major U.S. services organization obfuscated command-and-control (C2) traffic within the Microsoft Teams relay infrastructure. The operation utilized a custom Go-based backdoor, identified by Symantec as Backdoor.Turn, the first documented malware exploiting Microsoft Teams TURN relay servers in this manner.
Mechanisms of Backdoor.Turn Evasion
Backdoor.Turn acquires an anonymous Teams visitor token via Microsoft’s Skype-backed identity services, utilizes a legitimate Microsoft TURN relay to establish the connection, and subsequently executes a QUIC session directed to the adversary's C2 server.
From a defensive perspective, the observable traffic is limited to outbound connections toward legitimate Teams servers, according to Symantec.
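Because the destination of Backdoor.Turn's traffic is a legitimate Microsoft relay, the originating process is the more useful signal: a Teams TURN relay should be contacted by the Teams client, not by a debugging tool. The following detection sketch is an added example, not code from Symantec or from the article. It runs over constructed Sysmon Event ID 3 (NetworkConnect) style records and assumes three things that should be verified before use: the UDP port range 3478-3481, the Teams media prefixes 52.112.0.0/14 and 52.122.0.0/15 (taken from Microsoft's published Office 365 IP list), and an allowlist of Teams client image names.

```python
"""Detection sketch: TURN-relay connections from processes that are not Teams.

Backdoor.Turn routes C2 through legitimate Microsoft Teams TURN relays, so the
destination looks benign. The originating process is the useful signal. The
event records below are constructed for this example and mimic Sysmon
Event ID 3 (NetworkConnect) fields; they are not real telemetry.
"""
import ipaddress
from pathlib import PureWindowsPath

# Standard TURN port plus the UDP relay ports Microsoft documents for Teams media
# (3478-3481). Assumption: verify against current Microsoft documentation.
TURN_PORTS = range(3478, 3482)

# Teams media relay prefixes as published in Microsoft's Office 365 IP list.
# Assumption: verify against the current list before deploying.
TEAMS_MEDIA_NETS = [ipaddress.ip_network("52.112.0.0/14"),
                    ipaddress.ip_network("52.122.0.0/15")]

# Process basenames expected to speak TURN to Teams relays (assumed allowlist).
ALLOWED_IMAGES = {"teams.exe", "ms-teams.exe"}

SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "proto": "udp", "dst_ip": "52.112.10.20", "dst_port": 3478},
    {"host": "ws01", "image": r"C:\Tools\DbgView64.exe",
     "proto": "udp", "dst_ip": "52.112.10.21", "dst_port": 3478},
    {"host": "ws02", "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "proto": "udp", "dst_ip": "52.123.4.5", "dst_port": 3480},
    {"host": "srv-db01", "image": r"C:\Windows\System32\svchost.exe",
     "proto": "tcp", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"host": "srv-db01", "image": r"C:\Windows\System32\svchost.exe",
     "proto": "udp", "dst_ip": "52.112.10.22", "dst_port": 3478},
]


def is_teams_relay(event):
    """True when the destination looks like a Teams TURN relay (UDP, port, prefix)."""
    ip = ipaddress.ip_address(event["dst_ip"])
    return (event["proto"] == "udp"
            and event["dst_port"] in TURN_PORTS
            and any(ip in net for net in TEAMS_MEDIA_NETS))


def flag_turn_misuse(events):
    """Return one finding per relay connection whose source process is not Teams."""
    findings = []
    for ev in events:
        if not is_teams_relay(ev):
            continue
        image = PureWindowsPath(ev["image"]).name.lower()
        if image in ALLOWED_IMAGES:
            continue
        findings.append({
            "host": ev["host"],
            "image": ev["image"],
            "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}/udp',
            "reason": "TURN relay contacted by non-Teams process",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_turn_misuse(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input this flags the DbgView64.exe connection and the svchost.exe relay connection on the database server, and leaves both Teams client connections alone. The allowlist is deliberately by image basename only; a production rule would also pin the Teams client to its signed install path, since the page notes the backdoor lives inside an injected, otherwise legitimate process.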
The backdoor is injected into the legitimate DbgView64.exe process and was modeled after the Ghost Calls technique presented at Black Hat 2025. Its functional capabilities include:
- Command execution,
- Network reconnaissance,
- LDAP/AD querying,
- Credential-based lateral movement,
- Browser credentials exfiltration.
Defense Evasion and Initial Access Methodologies
The threat group used Bring Your Own Vulnerable Driver (BYOVD) techniques, including a novel Havoc Process Terminator that leverages Huawei's HWAuidoOs2Ec.sys, a driver Huntress documented as vulnerable only after this attack took place. Additional exploited vulnerabilities include:
- CVE-2023-52271 (Topaz Antifraud's wsftprm.sys),
- CVE-2025-61155 (Tower of Fantasy's Gamedriverx64.sys),
- CVE-2025-1055 (K7 Security Anti-Malware's K7RKScan.sys).
Furthermore, the actors deployed Abyss Worker, a custom malicious driver masquerading as a Palo Alto driver, and conducted DLL hijacking against VirtualBox. Initial access was likely facilitated through the exploitation of SQL/MSSQL servers, potentially involving an initial access broker.
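The drivers listed above share two properties a defender can key on: the file name is already on a known-vulnerable list, and an attacker-dropped driver is usually loaded from a directory a normal user can write to rather than from System32\drivers. The following is an added example, not code from the article or from any vendor, running over constructed Sysmon Event ID 6 (DriverLoad) style records. The driver names are the four the article names (spelling kept as reported); the user-writable prefix list is an assumption.

```python
"""Detection sketch: driver loads consistent with BYOVD.

Records below are constructed for this example and mimic Sysmon Event ID 6
(DriverLoad) fields. Two signals are combined: the driver file name matches a
watchlist of known-vulnerable drivers, and the driver was loaded from a
directory a standard user can write to. Note that a valid signature is not a
discriminator here: BYOVD works precisely because the abused drivers are
legitimately signed.
"""
from pathlib import PureWindowsPath

# Driver names from the article, spelling kept as reported there. A production
# watchlist would use hash-based sources such as Microsoft's recommended driver
# block rules or the LOLDrivers dataset rather than names alone.
VULNERABLE_DRIVER_NAMES = {
    "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys", "hwauidoos2ec.sys",
}

# Directory prefixes where a legitimately installed driver is not expected
# (assumed list; extend for the environment).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\",
)

SAMPLE_DRIVER_LOADS = [  # constructed telemetry, not from any real incident
    {"host": "ws01", "image": r"C:\Windows\System32\drivers\ntfs.sys", "signed": True},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\wsftprm.sys", "signed": True},
    {"host": "ws03", "image": r"C:\ProgramData\Gamedriverx64.sys", "signed": True},
    {"host": "ws04", "image": r"C:\Program Files\K7 Security\K7RKScan.sys", "signed": True},
    {"host": "ws05", "image": r"C:\Users\bob\Downloads\updater.sys", "signed": True},
]


def driver_reasons(event):
    """List the BYOVD indicators present on one DriverLoad record (empty if none)."""
    path = PureWindowsPath(event["image"])
    reasons = []
    if path.name.lower() in VULNERABLE_DRIVER_NAMES:
        reasons.append("known-vulnerable driver name")
    if str(path).lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("driver loaded from user-writable path")
    return reasons


def assess_driver_loads(events):
    """Return findings; both indicators together rate high, one alone medium."""
    findings = []
    for ev in events:
        reasons = driver_reasons(ev)
        if not reasons:
            continue
        findings.append({
            "host": ev["host"],
            "image": ev["image"],
            "signed": ev["signed"],
            "reasons": reasons,
            "severity": "high" if len(reasons) == 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in assess_driver_loads(SAMPLE_DRIVER_LOADS):
        print(finding)
```

On the constructed input, ntfs.sys produces nothing, the wsftprm.sys and Gamedriverx64.sys loads from Temp and ProgramData rate high, and the K7RKScan.sys load from a vendor install directory rates only medium, which is the right outcome: the same driver is benign when it ships with the product and suspicious when it appears in a download folder.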
DragonForce has been operationally active since at least June 2023 and is attributed to the threat group tracked by Symantec as Hackledorb. The group has transitioned from a ransomware-as-a-service (RaaS) model to a sophisticated cartel structure. In April 2025, DragonForce claimed expansion amid an alleged RansomHub takeover.
In April, UNC6692 was seen impersonating IT helpdesks on Microsoft Teams to deploy custom SNOW malware. A September 2025 report outlined an overlap in RansomHub, DragonForce, and Play ransomware operations, with Scattered Spider reportedly deploying DragonForce ransomware a few months earlier.