VYPR
Research · Published Jun 16, 2026 · 5 sources

DragonForce Ransomware Abuses Microsoft Teams TURN Relays to Hide C2 Traffic

DragonForce ransomware is the first known malware to abuse Microsoft Teams' TURN relay infrastructure to mask command-and-control traffic, evading network detection.

The DragonForce ransomware gang has deployed a custom backdoor named 'Backdoor.Turn' that tunnels command-and-control (C2) traffic through Microsoft Teams relay infrastructure, marking the first known in-the-wild malware to abuse this trusted platform. The technique, detailed by Symantec researchers, allows the malware to blend malicious communications with legitimate Teams traffic, making it extremely difficult for network defenders to detect.

Backdoor.Turn abuses the Traversal Using Relays around NAT (TURN) protocol that Microsoft Teams uses to relay call media when a direct peer-to-peer path is unavailable, for example between clients behind NAT on private networks. The malware obtains an anonymous Teams visitor token, uses it to gain access to a legitimate Microsoft TURN relay during connection setup, and then establishes its communication channel with the attacker's C2 server. To network security tools the resulting traffic appears to be ordinary Microsoft Teams activity, which hides the malicious session.

Praetorian demonstrated the concept of abusing Teams TURN credentials for covert tunnelling in 2025 in research called 'Ghost Calls', but Backdoor.Turn is the first real-world malware to implement the evasion. Symantec says the attack, observed in December 2025, targeted a major U.S. services company. Initial access likely came from exploitation of a flaw, not yet identified, in an SQL Server (MSSQL) instance.

Once inside, the attackers downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL to be sideloaded by it. They established additional persistence, created rogue user accounts, disabled the LimitBlankPasswordUse policy (Accounts: Limit local account use of blank passwords to console logon only), which allows accounts with blank passwords to authenticate over the network, and modified firewall rules. They then used Bring Your Own Vulnerable Driver (BYOVD) techniques with several signed drivers, including Huawei's HWAuidoOs2Ec.sys, Topaz Antifraud's wsftprm.sys (CVE-2023-52271), Tower of Fantasy's GameDriverx64.sys (CVE-2025-61155), and K7 Security's K7RKScan.sys (CVE-2025-1055), to obtain kernel-level privileges and terminate security tools.

The Backdoor.Turn remote access trojan (RAT) was injected into the legitimate DbgView64.exe process only after the ransomware had been deployed, suggesting it is meant to preserve access for future operations rather than to support this intrusion. Its capabilities include command execution, process creation, network scanning, TLS certificate capture, LDAP/Active Directory queries, website title collection, and browser credential theft. Before the ransomware stage, the attackers completed reconnaissance, evaded defenses, and exfiltrated data; they then deployed DragonForce ransomware to encrypt the victim's systems.

DragonForce is a ransomware operation active since at least 2023, known for a cartel-style organizational structure and links to the Scattered Spider threat group. Symantec has published a full list of indicators of compromise (IoCs) to help defenders detect and block such attacks. This novel abuse of Microsoft Teams infrastructure highlights a growing trend of attackers leveraging trusted SaaS platforms for stealthy C2 communications.

A report from Symantec and Carbon Black, published on June 16, 2026, details the intrusion at the major U.S. services firm: DragonForce operators remained on the network for up to two months before deploying ransomware, and the Backdoor.Turn RAT hid its C2 traffic behind Microsoft Teams infrastructure. The attackers also exploited a Huawei driver vulnerability that was undocumented at the time (Huntress disclosed it in March 2026) and disabled the LimitBlankPasswordUse setting to maintain access. The incident, which occurred in 2025, is the first known in-the-wild use of the Teams TURN relay abuse technique and confirms earlier technical warnings that the method was viable.

Symantec's report provides deeper technical detail on the intrusion: DragonForce used DLL sideloading via a legitimate VirtualBox/DbgView executable and deployed multiple BYOVD drivers, including a previously undocumented abuse of Huawei's HWAuidoOs2Ec.sys in a process-killing attack dubbed 'Havoc Process Terminator', to disable security tools. The attackers also deployed the custom kernel driver ABYSSWORKER, masquerading as a legitimate Palo Alto Networks driver, and maintained a presence on the victim network for one to two months before exfiltrating data and deploying ransomware. Notably, the Backdoor.Turn RAT was injected into the legitimate DbgView64.exe process after the ransomware ran, suggesting it was meant to keep long-term access for future intrusions.

Symantec's analysis shows that Backdoor.Turn requests an anonymous visitor token from Microsoft's Skype-backed identity services, uses it to authenticate to Teams infrastructure, and establishes a relay session. The BYOVD stage relied on the Huawei driver HWAuidoOs2Ec.sys and the drivers tied to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055, alongside the custom ABYSSWORKER driver disguised as a legitimate Palo Alto Networks driver. The campaign is the first known real-world abuse of Microsoft Teams TURN relays for covert communication, following the 'Ghost Calls' research presented at Black Hat 2025.

Symantec identifies the victim as a major U.S. services company and adds operational detail: after initial access, the DragonForce operators spent about two months inside the network before deploying the custom Go-based backdoor Backdoor.Turn, installing it after the ransomware had run, which suggests they wanted persistent access for follow-on attacks or to sell to other criminals. Symantec confirmed that the backdoor first requests an anonymous visitor token from Microsoft Teams and Skype services, then uses a Microsoft TURN relay server during setup, and finally establishes a direct QUIC connection to the malicious command-and-control server.
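The sequence Symantec describes (visitor token, Microsoft TURN relay during setup, then a direct QUIC session to C2) gives defenders two things to correlate on the endpoint: which process is talking to Teams relay infrastructure, and what that same process connects to next. The following is an added example, not code from Symantec's report or from the attackers' tooling, that hunts for that pattern over constructed endpoint network telemetry in the shape of Sysmon Event ID 3 records. The field names, the list of process images expected to allocate Teams relays, and the sample events are assumptions made for the example; the relay ranges (52.112.0.0/14 and 52.122.0.0/15 on UDP 3478-3481) are Microsoft's published Teams media ranges at the time of writing and should be re-checked against the current Office 365 endpoint list before use.

```python
"""Hunt for the Teams-relay-then-direct-QUIC pattern attributed to Backdoor.Turn.

Added example, not code from Symantec's report or from the DragonForce tooling.
Input is constructed endpoint telemetry shaped like Sysmon Event ID 3 (network
connection) records. Assumptions: the field names; the Teams media relay ranges
(52.112.0.0/14 and 52.122.0.0/15, UDP 3478-3481, from Microsoft's Office 365
endpoint list; re-check before deploying); and the set of images expected to
talk to those relays.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TEAMS_RELAY_NETS = [ip_network("52.112.0.0/14"), ip_network("52.122.0.0/15")]
TURN_PORTS = {3478, 3479, 3480, 3481}
QUIC_PORT = 443
# RFC 1918 ranges, excluded so internal UDP/443 traffic is not mistaken for a C2 peer.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Images that legitimately allocate Teams relays on a managed endpoint (assumption: tune per estate).
EXPECTED_TEAMS_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe", "msedge.exe", "chrome.exe"}
# How long after a relay allocation a direct UDP/443 session is treated as related.
FOLLOW_ON_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    host: str
    image: str      # process image file name, as Sysmon reports it
    pid: int
    proto: str      # "udp" or "tcp"
    dst_ip: str
    dst_port: int


def in_nets(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def in_teams_relay_range(ip: str) -> bool:
    return in_nets(ip, TEAMS_RELAY_NETS)


def is_relay_contact(ev: NetEvent) -> bool:
    """STUN/TURN to a Microsoft Teams relay: the setup step the malware performs."""
    return ev.proto == "udp" and ev.dst_port in TURN_PORTS and in_teams_relay_range(ev.dst_ip)


def is_direct_quic(ev: NetEvent) -> bool:
    """UDP/443 to something that is neither a Teams relay nor an internal host."""
    return (ev.proto == "udp" and ev.dst_port == QUIC_PORT
            and not in_teams_relay_range(ev.dst_ip) and not in_nets(ev.dst_ip, INTERNAL_NETS))


def hunt(events):
    """One finding per process that contacted a Teams relay and then looked wrong.

    Two independent signals: the relay was allocated by a process that is not a
    Teams client or browser, and/or the same process opened a direct QUIC session
    to a non-Microsoft address shortly after the relay handshake.
    """
    by_proc = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc.setdefault((ev.host, ev.pid, ev.image.lower()), []).append(ev)

    findings = []
    for (host, pid, image), evs in by_proc.items():
        relays = [e for e in evs if is_relay_contact(e)]
        if not relays:
            continue
        first_relay = relays[0].ts
        direct = [e for e in evs
                  if is_direct_quic(e) and first_relay <= e.ts <= first_relay + FOLLOW_ON_WINDOW]
        reasons = []
        if image not in EXPECTED_TEAMS_IMAGES:
            reasons.append("turn_from_unexpected_image")
        if direct:
            reasons.append("relay_then_direct_quic")
        if reasons:
            findings.append({
                "host": host, "pid": pid, "image": image, "reasons": reasons,
                "direct_peers": sorted({e.dst_ip for e in direct}),
                "severity": "high" if len(reasons) == 2 else "low",
            })
    return findings


# Constructed sample telemetry (not from any real incident).
T0 = datetime(2025, 12, 3, 9, 0, 0)
SAMPLE_EVENTS = [
    # WS01: the real Teams client allocates a relay, then streams to Microsoft media hosts. Benign.
    NetEvent(T0, "WS01", "ms-teams.exe", 4120, "udp", "52.114.14.70", 3478),
    NetEvent(T0 + timedelta(seconds=2), "WS01", "ms-teams.exe", 4120, "udp", "52.113.200.15", 3480),
    # WS02: DbgView64.exe (the process Symantec says hosted Backdoor.Turn) allocates a Teams relay,
    # then opens a direct UDP/443 session to a non-Microsoft address. Both signals fire.
    NetEvent(T0 + timedelta(minutes=5), "WS02", "DbgView64.exe", 7788, "udp", "52.114.14.70", 3478),
    NetEvent(T0 + timedelta(minutes=5, seconds=20), "WS02", "DbgView64.exe", 7788, "udp", "203.0.113.45", 443),
    # WS03: a browser does TURN then QUIC to a non-Microsoft host. Plausible WebRTC, so low severity.
    NetEvent(T0 + timedelta(minutes=8), "WS03", "chrome.exe", 2201, "udp", "52.122.10.9", 3479),
    NetEvent(T0 + timedelta(minutes=9), "WS03", "chrome.exe", 2201, "udp", "198.51.100.7", 443),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['severity']:4} {f['host']} {f['image']} pid={f['pid']} "
              f"{','.join(f['reasons'])} peers={f['direct_peers']}")
```

The first signal is the strong one: a debugging utility has no reason to allocate a Teams media relay, so a STUN/TURN handshake from DbgView64.exe (or any non-Teams, non-browser image) deserves a look on its own. The second signal is weak in isolation, since browsers use QUIC on UDP/443 constantly, which is why a browser that happens to do both is scored low. Process-attributed telemetry is what makes this workable; at the network edge alone, the relay traffic is indistinguishable from a real call, which is exactly the property the malware relies on.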

Synthesized by Vypr AI