DragonForce ransomware hides in Microsoft Teams traffic

Key Takeaways

- DragonForce ransomware deployed Backdoor.Turn, the first known malware to abuse Microsoft Teams TURN relays for command-and-control communication
- All of the TURN-relayed C2 traffic terminates on legitimate Microsoft infrastructure, so perimeter tools see only connections to trusted Microsoft domains and let it through
- The attack chain combines SQL exploitation, vulnerable driver abuse, and credential theft before encrypting victim systems
The DragonForce ransomware group has deployed a custom backdoor that hides malicious command-and-control traffic inside Microsoft Teams infrastructure. Symantec researchers discovered the technique during an attack on a major U.S. services company in December 2025, marking the first known in-the-wild abuse of Teams' TURN relay servers for C2 communications.
The malware, dubbed Backdoor.Turn, abuses the Traversal Using Relays around NAT (TURN) protocol that Microsoft Teams uses to relay media and data when a direct peer-to-peer connection cannot be established. By obtaining an anonymous Teams visitor token and connecting through legitimate Microsoft TURN relays, the backdoor makes all of its traffic look like ordinary Teams communications. Defenders monitoring network flows see only connections to trusted Microsoft domains.
How does the Teams relay attack work?
The technique builds on research published in 2025 by security firm Praetorian. Their "Ghost Calls" proof-of-concept demonstrated how temporary TURN credentials for Teams and Zoom could create stealthy communication tunnels through trusted conferencing infrastructure. DragonForce took the concept and weaponized it.
Backdoor.Turn is written in Go and functions as a full remote access trojan. Its capabilities include command execution, process creation, network scanning, TLS certificate capture, LDAP and Active Directory searches, website title collection, and browser credential theft. The researchers noted that attackers remained undetected within target environments for approximately two months using this relay technique.
The full attack chain
Symantec's analysis traces the December 2025 attack from initial access to ransomware deployment. The intrusion likely began with exploitation of a vulnerability in an exposed SQL server, probably Microsoft SQL Server (MSSQL). Once inside, the attackers downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable alongside a malicious DLL that the executable would sideload.
The attackers then established persistence through multiple methods: creating rogue user accounts, setting Windows' LimitBlankPasswordUse policy so that accounts with blank passwords can log on over the network, and modifying firewall rules. They deployed Bring Your Own Vulnerable Driver (BYOVD) attacks with four different drivers to obtain kernel-level privileges and kill security tools:
- Huawei HWAuidoOs2Ec.sys ("Havoc Process Terminator")
- Topaz Antifraud wsftprm.sys (CVE-2023-52271)
- Tower of Fantasy GameDriverx64.sys (CVE-2025-61155)
- K7 Security K7RKScan.sys (CVE-2025-1055)
The group also deployed ABYSSWORKER, a custom malicious driver disguised as a legitimate Palo Alto driver. After exfiltrating data and establishing the Teams-based C2 channel, they encrypted the victim's systems with DragonForce ransomware.
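The persistence and BYOVD steps above leave host-level traces long before the Teams relay channel comes up. The following is an added hunting example, not code from Symantec or from the page's source, that runs three checks over Sysmon-style events: a driver load matching one of the four file names listed above (Event ID 6), an unsigned DLL loaded from a user-writable directory by an executable in the same directory, which is the sideloading pattern described above (Event ID 7), and LimitBlankPasswordUse being set to 0 (Event ID 13). The sample events, the `C:\Users\Public\tools` dropper directory, `helper.dll` and the user-writable prefix list are constructed assumptions; the driver names are copied as they appear in this article and should be replaced with the hashes from Symantec's published indicators before use.

```python
from dataclasses import dataclass

# Driver file names as listed in this article's summary of Symantec's analysis.
# Assumption: replace with the hashes from Symantec's published IoCs before use;
# name matching alone is trivially evaded by renaming the file.
BYOVD_DRIVERS = {"hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys"}

# Directories a standard user can write to (assumption: extend for your estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

LSA_BLANK_PASSWORD_KEY = "\\control\\lsa\\limitblankpassworduse"


@dataclass(frozen=True)
class Event:
    """A Sysmon event reduced to its ID and the fields the checks below read."""
    event_id: int
    fields: dict


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_driver_load(f):
    """Sysmon Event ID 6: a known-vulnerable driver was loaded."""
    if _basename(f["ImageLoaded"]) in BYOVD_DRIVERS:
        return ("byovd_driver", f["ImageLoaded"])
    return None


def check_sideload(f):
    """Sysmon Event ID 7: unsigned DLL loaded from the EXE's own user-writable directory."""
    dll, exe = _norm(f["ImageLoaded"]), _norm(f["Image"])
    if (dll.startswith(USER_WRITABLE_PREFIXES)
            and _dirname(dll) == _dirname(exe)
            and f.get("Signed", "false").lower() != "true"):
        return ("dll_sideload", f"{exe} -> {dll}")
    return None


def check_blank_password_policy(f):
    """Sysmon Event ID 13: LimitBlankPasswordUse set to 0 (blank-password network logon allowed)."""
    if (_norm(f["TargetObject"]).endswith(LSA_BLANK_PASSWORD_KEY)
            and f["Details"].strip().lower() == "dword (0x00000000)"):
        return ("blank_password_logon_enabled", f["TargetObject"])
    return None


CHECKS = {6: check_driver_load, 7: check_sideload, 13: check_blank_password_policy}


def hunt(events):
    """Run the check for each event's ID and return (kind, detail) findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.event_id)
        if check is not None:
            hit = check(ev.fields)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not from the incident). The dropper directory,
# dbgview.exe's location and helper.dll are hypothetical.
SAMPLE_EVENTS = [
    Event(6, {"ImageLoaded": r"C:\Windows\Temp\wsftprm.sys", "Signed": "true"}),
    Event(6, {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"}),
    Event(7, {"Image": r"C:\Users\Public\tools\dbgview.exe",
              "ImageLoaded": r"C:\Users\Public\tools\helper.dll", "Signed": "false"}),
    Event(7, {"Image": r"C:\Users\Public\tools\dbgview.exe",
              "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"}),
    Event(13, {"TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
               "Details": "DWORD (0x00000000)"}),
    Event(13, {"TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
               "Details": "DWORD (0x00000001)"}),
]

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

The sideload check deliberately keys on where the DLL lives rather than on a specific DLL name, since the legitimate host executable and the malicious DLL travel together and land wherever the attacker unpacks the archive. Name-based driver matching is only a starting point; hash-based matching against Symantec's indicators, or enforcement of Microsoft's vulnerable driver blocklist, is what actually stops a renamed copy.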
Who is DragonForce?
DragonForce has operated since at least 2023 and runs what researchers describe as a cartel-style organizational structure. The group has been linked to Scattered Spider, a threat actor known for social engineering attacks against large enterprises including MGM Resorts and Caesars Entertainment.
Symantec characterized the campaign as using "exceptionally sophisticated cyber tradecraft." The combination of zero-day or unknown vulnerability exploitation, multiple BYOVD techniques, and now a novel C2 evasion method suggests a well-resourced operation with access to skilled developers.
Why is this hard to defend against?
Security teams face a difficult tradeoff. Blocking or heavily inspecting Microsoft Teams traffic could break essential business communications. The TURN protocol exists precisely to ensure connectivity when direct connections fail, and many organizations whitelist Microsoft's infrastructure by default.
Community discussions on Reddit and Hacker News point to behavior-based endpoint analysis and stricter egress filtering as potential mitigations. But neither is simple to implement without generating false positives or disrupting legitimate collaboration tools.
Symantec has published indicators of compromise for Backdoor.Turn and the associated attack tools. Security teams monitoring for the specific drivers and DLL sideloading patterns may catch intrusions before the C2 channel activates.
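Because the destination of every Backdoor.Turn connection is a genuine Microsoft relay, network-side indicators cannot separate it from a real Teams call; the discriminator that survives is which process on the endpoint opened the connection. The following is an added example, not code from Symantec, Praetorian or the page's source, of the behavior-based check the discussion above points to: it runs over Sysmon Event ID 3-style records and flags any process outside a small allow-list that reaches a Teams relay address on a relay port. The address ranges and ports are taken from Microsoft's published Microsoft 365 endpoint list for Teams media but should be refreshed from the live list; the allow-list of process images, the sample events and the hypothetical implant path `C:\ProgramData\svc\update.exe` are constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Teams media relay address ranges and ports. Assumption: copied from Microsoft's
# published Microsoft 365 endpoint list (Teams media/relay entries); refresh from
# the live list before deploying this rule.
TEAMS_RELAY_NETS = [
    ipaddress.ip_network(n) for n in ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")
]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481, 443}  # UDP 3478-3481 plus the TCP 443 fallback

# Process images that legitimately reach Teams relays. Assumption: tune this
# allow-list to the Teams clients (desktop app, browsers) deployed in your estate.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}


@dataclass(frozen=True)
class NetEvent:
    """Subset of a Sysmon Event ID 3 (network connection) record."""
    image: str       # full path of the process that opened the connection
    protocol: str    # "udp" or "tcp"
    dest_ip: str
    dest_port: int


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_teams_relay(dest_ip: str, dest_port: int) -> bool:
    """True when the destination is a Teams relay address on a relay port."""
    ip = ipaddress.ip_address(dest_ip)
    return dest_port in TEAMS_RELAY_PORTS and any(ip in net for net in TEAMS_RELAY_NETS)


def find_relay_abuse(events):
    """Return events in which a process outside the allow-list reached a Teams relay.

    The destination is a trusted Microsoft host in every case, so the only
    usable discriminator is which process made the connection.
    """
    return [
        ev for ev in events
        if is_teams_relay(ev.dest_ip, ev.dest_port)
        and basename(ev.image) not in EXPECTED_IMAGES
    ]


def summarize(alerts):
    """Count relay connections per offending process image."""
    return Counter(basename(ev.image) for ev in alerts)


# Constructed sample telemetry (not from the incident): a legitimate Teams client,
# a browser, a hypothetical implant at C:\ProgramData\svc\update.exe, and an
# interactive PowerShell reaching a relay over TCP 443.
SAMPLE_EVENTS = [
    NetEvent(r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe", "udp", "52.113.10.20", 3478),
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "tcp", "142.250.74.46", 443),
    NetEvent(r"C:\ProgramData\svc\update.exe", "udp", "52.123.4.5", 3478),
    NetEvent(r"C:\ProgramData\svc\update.exe", "udp", "52.123.4.5", 3479),
    NetEvent(r"C:\ProgramData\svc\update.exe", "tcp", "52.112.1.1", 443),
    NetEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "tcp", "52.122.9.9", 443),
]

if __name__ == "__main__":
    for image, count in summarize(find_relay_abuse(SAMPLE_EVENTS)).items():
        print(f"ALERT: {image} made {count} connection(s) to Teams TURN relays")
```

The allow-list is the weak point of this rule: an implant injected into, or masquerading as, the Teams process would pass it, so in practice the image check should be paired with signature verification of the connecting binary and with the host-level indicators (driver loads, DLL sideloading) that precede the C2 channel. Egress filtering cannot help here, since the rule's whole premise is that the destinations must stay reachable.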
Logicity's Take
This attack represents a broader trend: ransomware operators exploiting the implicit trust organizations place in SaaS infrastructure. Microsoft Teams isn't the vulnerability here. The TURN protocol is working as designed. The problem is that security architectures still treat "traffic to Microsoft" as inherently safe. As more threat actors adopt trusted-channel C2 techniques, zero-trust principles will need to extend to outbound connections to major cloud providers, not just internal network segments.
Frequently Asked Questions
What is Backdoor.Turn malware?
Backdoor.Turn is a Go-based remote access trojan developed by the DragonForce ransomware group. It disguises command-and-control communications as legitimate Microsoft Teams relay traffic by abusing the TURN protocol.
How does the Microsoft Teams TURN relay attack evade detection?
The malware obtains an anonymous Teams visitor token and routes traffic through legitimate Microsoft TURN relay servers. Network monitoring tools see only connections to trusted Microsoft infrastructure, allowing the malicious traffic to blend in.
Which vulnerable drivers did DragonForce exploit?
The attackers used BYOVD techniques with Huawei HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys, Tower of Fantasy GameDriverx64.sys, and K7 Security K7RKScan.sys to gain kernel privileges and disable security tools.
Is Microsoft Teams itself compromised?
No. The attack abuses the TURN protocol's intended functionality rather than exploiting a vulnerability in Microsoft Teams. The protocol is designed to relay traffic when direct connections fail.
How can organizations detect this type of attack?
Symantec has published indicators of compromise. Organizations should monitor for suspicious DLL sideloading, the specific vulnerable drivers used in the attack chain, and unusual endpoint behavior even when network traffic appears legitimate.
Need Help Implementing This?
If your security team needs assistance reviewing your exposure to TURN relay abuse or implementing the indicators of compromise from this attack, reach out to Logicity's enterprise security partners for a consultation.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer