The DragonForce ransomware gang has been found to abuse Microsoft Teams relays to hide malicious traffic, according to researchers at Symantec. The gang uses custom malware named 'Backdoor.Turn' that rides on the relays Teams falls back to when a direct connection to the client is unavailable.
Abusing Microsoft Teams Infrastructure
The Backdoor.Turn malware abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable. This allows the malware to hide its communications within a trusted network.
According to Symantec, the hackers used custom Go-based malware in an attack against a major U.S. services company. The malware obtains an anonymous Teams visitor token, uses a legitimate Microsoft TURN relay during connection setup, and then connects to the attacker's command-and-control (C2) server.
Technique Similar to 'Ghost Calls'
Last year, Praetorian developed a new technique dubbed ‘Ghost Calls’, which showed how temporary TURN credentials for Teams and Zoom could be hijacked to create stealthy communication tunnels through trusted conferencing infrastructure. While Ghost Calls demonstrated the concept in 2025, Backdoor.Turn is the first known in-the-wild malware to abuse Microsoft Teams TURN relays for command-and-control communications.
Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic.
Symantec also highlights the exploitation of Huawei’s HWAuidoOs2Ec.sys driver ("Havoc Process Terminator"), which is used for evasion in Bring Your Own Vulnerable Driver (BYOVD) tactics.
DragonForce Attacks
The attack, observed in December 2025, likely began with the exploitation of an unknown flaw in an SQL or MSSQL server, Symantec notes. Once the attacker established a foothold, they downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL file used for sideloading.
The attacker strengthened their persistence, created rogue users, abused the LimitBlankPassword security policy in Windows for easy access, and modified firewall rules. Next, they used BYOVD techniques with multiple drivers such as Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055), to obtain kernel-level privileges and terminate security tools on the host.
The attacker also used ABYSSWORKER, a custom malicious driver masquerading as a legitimate Palo Alto driver. The Backdoor.Turn remote access trojan (RAT) was injected into ‘DbgView64.exe’ after the ransomware had been deployed, suggesting that it might be intended for persistence or future access.
Malware Capabilities
The malware obtains an anonymous Teams visitor token, uses a legitimate Microsoft TURN relay server during connection setup, and then establishes communication with the C2. Its capabilities include command execution, process creation, network scanning, TLS certificate capturing, LDAP/Active Directory searching, website title collection, and browser credential theft.
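The connection setup described above starts with a TURN Allocate request to a relay, which is the same request a legitimate Teams client sends. The following added example (not Symantec's code or anything from the report) shows the defender's side of that: it parses the STUN/TURN header and attributes per RFC 5389/5766 from per-process network captures and flags Allocate requests issued by processes other than an assumed Teams allowlist. The process names in `EXPECTED_TURN_CLIENTS` and the sample flows are constructed assumptions.

```python
import struct
from dataclasses import dataclass

MAGIC_COOKIE = 0x2112A442          # fixed STUN magic cookie (RFC 5389)
TURN_ALLOCATE = 0x003              # TURN Allocate method number (RFC 5766)
CLASS_REQUEST = 0
ATTR_REQUESTED_TRANSPORT = 0x0019
# Hypothetical allowlist of process images expected to use TURN on a managed host.
EXPECTED_TURN_CLIENTS = {"ms-teams.exe", "teams.exe"}

@dataclass
class StunMessage:
    method: int
    msg_class: int
    attrs: dict

def parse_stun(payload: bytes):
    """Return a StunMessage if payload is a well-formed STUN/TURN message, else None."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type >> 14 or cookie != MAGIC_COOKIE or len(payload) < 20 + length:
        return None
    # RFC 5389 interleaves the 12 method bits with the two class bits (C0 = bit 4, C1 = bit 8).
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    msg_class = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    attrs, pos = {}, 20
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", payload[pos:pos + 4])
        attrs[atype] = payload[pos + 4:pos + 4 + alen]
        pos += 4 + (alen + 3) // 4 * 4      # attribute values are padded to 4 bytes
    return StunMessage(method, msg_class, attrs)

def find_unexpected_turn_allocations(flows):
    """flows: (process_image, udp_payload) pairs. Returns processes requesting a TURN relay
    that are not on the allowlist."""
    alerts = []
    for process, payload in flows:
        msg = parse_stun(payload)
        if msg and msg.method == TURN_ALLOCATE and msg.msg_class == CLASS_REQUEST:
            if process.lower() not in EXPECTED_TURN_CLIENTS:
                alerts.append(process)
    return alerts

def build_allocate_request(txid: bytes) -> bytes:
    """Constructed sample: a TURN Allocate request asking for a UDP relay (transport 17)."""
    attr = struct.pack("!HHB3x", ATTR_REQUESTED_TRANSPORT, 4, 17)
    return struct.pack("!HHI", 0x0003, len(attr), MAGIC_COOKIE) + txid + attr

SAMPLE_FLOWS = [  # constructed test data, not traffic from the incident
    ("ms-teams.exe", build_allocate_request(b"\x01" * 12)),
    ("DbgView64.exe", build_allocate_request(b"\x02" * 12)),
    ("chrome.exe", b"GET / HTTP/1.1\r\n"),
]
```

Running `find_unexpected_turn_allocations(SAMPLE_FLOWS)` returns only `DbgView64.exe`, the injected host process named in the report; in practice the process attribution would come from an EDR or a host firewall log joined to the packet capture.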
After completing reconnaissance and evading defenses, the attacker exfiltrated all data, deployed DragonForce ransomware, and encrypted the victim’s systems. The researchers say the hackers behind this campaign "use exceptionally sophisticated cyber tradecraft."
Symantec has published a complete list of indicators of compromise (IoCs) to help defenders catch and block such attacks.
Source: BleepingComputer