DragonForce Abuses Microsoft Teams Relay Infrastructure to Conceal Backdoor.Turn C2 Traffic

DragonForce Ransomware Group Exploits Microsoft Teams Infrastructure with Backdoor.Turn RAT

Recent reports have uncovered that threat actors linked to the DragonForce ransomware group have been utilizing a unique Go-based remote access trojan (RAT) known as Backdoor.Turn to mask their command-and-control (C2) communications within Microsoft Teams relay infrastructure.

Research conducted by Symantec and Carbon Black revealed that this backdoor was deployed in an attack against a prominent U.S. services firm, although the specific company remains undisclosed.

“Backdoor.Turn acquires an anonymous Teams visitor token from Microsoft’s Skype-powered identity services, leverages a legitimate Microsoft TURN relay for connection establishment, and initiates a QUIC session to the attacker’s true command-and-control (C2) server,” stated The Threat Hunter Team in a report shared with The Hacker News.

During the breach, the malicious actors were able to maintain persistence on the victim’s network for a duration of one to two months, masking their activities behind outbound connections to authentic Microsoft Teams servers.

Exploiting Microsoft’s TURN Relay Infrastructure

This incident marks the first known instance of threat actors misusing Microsoft’s Traversal Using Relays around NAT (TURN) relay infrastructure for malicious purposes.

Initial access to the victim network is believed to have been gained through the exploitation of a vulnerability in an SQL or MS-SQL server, with the possibility of involvement of an initial access broker (IAB) as well.

Timeline of Malicious Activities

The nefarious activities commenced in December 2025, with the attackers executing a PowerShell command to drop a deceptive ZIP archive posing as a tech support hotfix. This ZIP file facilitated a DLL side-loading attack, enabling the execution of a rogue DLL to carry out reconnaissance, establish persistence, and disable security software using a Huawei driver (“HWAuidoOs2Ec.sys”).

The attack also relied on a bring-your-own-vulnerable-driver (BYOVD) technique; the same Huawei driver was also used in a large-scale malvertising campaign targeting U.S.-based individuals seeking tax-related documents.

Advanced Attack Techniques

One noteworthy aspect of the attack was the deployment of Backdoor.Turn by injecting it into the legitimate “DbgView64.exe” process after the DragonForce ransomware had been deployed. This indicates an effort to sustain persistent access to the compromised host for future attacks or potential resale in underground markets.

Backdoor.Turn’s underlying TURN-based approach relies on a stealthy C2 communication technique called Ghost Calls, previously documented by Praetorian in August 2024. The RAT boasts a variety of capabilities, including command execution, process creation, network scanning, LDAP and Active Directory searches, lateral movement using credentials, and theft of browser credentials.
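The article describes two observable traits of Backdoor.Turn: TURN relay allocations from a process that is not the Teams client (here, an injected “DbgView64.exe”), followed by a long-lived QUIC session toward the attacker's real C2. The following is an added detection sketch, not code from the article, Symantec, Carbon Black or the malware itself. It runs over a constructed key=value endpoint network log; the process allowlists, the 600-second session threshold, the relay hostname and the IP addresses are all assumptions and sample values for illustration, and TURN/STUN ports 3478-3481 are the standard port range, not indicators taken from the report.

```python
"""Flag TURN-relay and long QUIC sessions from processes that should not need them.

Added example (not from the article). Input is a constructed, one-event-per-line
key=value log of outbound connections as an EDR or firewall might export it.
"""
import re
from dataclasses import dataclass

# Standard STUN/TURN port range; 3478 is the IANA-registered TURN port.
TURN_PORTS = {3478, 3479, 3480, 3481}
# Assumption: these are the only processes expected to allocate Teams relays.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
# Assumption: browsers and Teams legitimately speak QUIC (UDP/443); others rarely do.
QUIC_CAPABLE_PROCESSES = TEAMS_PROCESSES | {"chrome.exe", "msedge.exe", "firefox.exe"}
QUIC_PORT = 443
LONG_SESSION_SECONDS = 600  # assumption: a beacon held open for 10+ minutes is worth a look

_FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class NetEvent:
    process: str
    proto: str
    dest_host: str
    dest_port: int
    duration_s: int


def parse_event(line: str) -> NetEvent:
    """Parse one 'process=... proto=... dst=... dport=... duration=...' line."""
    fields = dict(_FIELD.findall(line))
    return NetEvent(
        process=fields["process"].lower(),
        proto=fields["proto"].lower(),
        dest_host=fields["dst"].lower(),
        dest_port=int(fields["dport"]),
        duration_s=int(fields["duration"]),
    )


def suspicious_reasons(ev: NetEvent) -> list[str]:
    """Return a list of reasons the event matches the Backdoor.Turn traffic pattern."""
    reasons = []
    # Trait 1: a non-Teams process talking to a TURN/STUN relay port.
    if ev.dest_port in TURN_PORTS and ev.process not in TEAMS_PROCESSES:
        reasons.append(f"non-Teams process {ev.process} using TURN/STUN port {ev.dest_port}")
    # Trait 2: a long-lived UDP/443 (QUIC-like) session from a process with no reason to use QUIC.
    if (
        ev.proto == "udp"
        and ev.dest_port == QUIC_PORT
        and ev.duration_s >= LONG_SESSION_SECONDS
        and ev.process not in QUIC_CAPABLE_PROCESSES
    ):
        reasons.append(
            f"long-lived ({ev.duration_s}s) QUIC-like UDP/443 session from {ev.process} to {ev.dest_host}"
        )
    return reasons


def scan(lines) -> list[tuple[NetEvent, list[str]]]:
    """Parse every non-empty line and keep those with at least one reason."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = suspicious_reasons(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample log: hostnames and IPs are placeholders (TEST-NET / .invalid).
SAMPLE_LOG = """
process=ms-teams.exe proto=udp dst=relay.teams.example.invalid dport=3478 duration=1800
process=DbgView64.exe proto=udp dst=relay.teams.example.invalid dport=3478 duration=20
process=DbgView64.exe proto=udp dst=203.0.113.7 dport=443 duration=5400
process=chrome.exe proto=udp dst=www.example.com dport=443 duration=900
process=svchost.exe proto=tcp dst=www.example.com dport=443 duration=5
"""

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG.splitlines()):
        for r in reasons:
            print(f"[ALERT] {r}")
```

On the constructed sample only the two DbgView64.exe events fire: the Teams client's own relay allocation and the browser's QUIC session are accepted by the allowlists. Because the relay endpoints are genuine Microsoft infrastructure, destination reputation alone will not catch this; the useful signal is the mismatch between the originating process and the protocol it is speaking.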

Evolution of DragonForce Ransomware Group

The findings underscore the DragonForce group’s adoption of sophisticated cyber tactics to conduct highly impactful targeted attacks, all while concealing covert data exfiltration from victims. The group has transitioned from a conventional ransomware-as-a-service (RaaS) model to a structured cartel setup, with a focus on continuous capability enhancement.

“The deployment of Backdoor.Turn, alongside their multi-vector BYOVD evasion, positions them as one of the most adept and persistent ransomware groups operating today,” stated Symantec and Carbon Black.
