Cybercriminals mask malicious communications through Microsoft Teams relays

The DragonForce ransomware group used a custom malware called Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams relay infrastructure during an intrusion at a U.S. services company, according to Symantec.


DragonForce is a ransomware-as-a-service operation that has been active since 2023. The group provides affiliates with ransomware tools and supporting services in exchange for a share of ransom payments.

First known abuse of Microsoft Teams TURN infrastructure

“Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server,” Symantec explained.

Because the malware routed its traffic through legitimate Microsoft Teams infrastructure, defenders monitoring network traffic would see little more than outbound connections to genuine Microsoft servers. The attackers remained on the victim network for between one and two months.

“To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild.”

Attackers used DLL sideloading and BYOVD techniques

The activity, first observed in December 2025, appears to have begun with the exploitation of a vulnerable SQL server (possibly Microsoft SQL Server), although researchers could not determine the exact entry point and noted that the access may have been obtained from an access broker.

Once inside the network, the attackers downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL used for sideloading.

“When executed, the malicious vboxrt.dll downloads code from a list of servers, and that malicious code is used for numerous things, such as securing access, reconnaissance, and evading detection.”

At this stage, the attackers created additional user accounts, modified the LimitBlankPassword setting in Windows to simplify access to compromised machines, and changed firewall rules.

For defense evasion, the attackers used BYOVD techniques to gain kernel-level privileges and disable security tools. The drivers involved included Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud’s wsftprm.sys (CVE-2023-52271), Tower of Fantasy’s GameDriverx64.sys (CVE-2025-61155), and K7 Security’s K7RKScan.sys (CVE-2025-1055).
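The three host-observable traces the article describes (TURN relay traffic coming from a process that is not Teams, the LimitBlankPassword change, and the loading of the named vulnerable drivers) can all be hunted from Sysmon telemetry. The following is an added example written for this article, not code from Symantec or from the intrusion, and it runs over a few constructed Sysmon-style events embedded inline rather than a live event log. It assumes the standard Sysmon field names for event IDs 3, 13 and 6 (Image, Protocol, DestinationIp, DestinationPort, TargetObject, Details, ImageLoaded), treats the article's "LimitBlankPassword setting" as the LimitBlankPasswordUse DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and uses an assumed allowlist of Teams and browser binaries that you would tune to your own estate. Driver file names are copied exactly as the article prints them.

```python
"""Hunt constructed Sysmon-style events for the traces described in the article.

Added example, not Symantec's or the attackers' code. Field names follow Sysmon
event IDs 3 (network connect), 13 (registry value set) and 6 (driver loaded).
"""
from dataclasses import dataclass
from typing import Optional

# Driver file names the article lists as abused via BYOVD (names only; the page gives no hashes).
SUSPECT_DRIVERS = {"hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys"}

# Assumption: images that legitimately allocate Teams TURN relays. Tune to your environment.
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe", "msteams.exe"}
# Assumption: images that commonly speak QUIC (UDP/443) for legitimate reasons.
QUIC_IMAGES = TEAMS_IMAGES | {"chrome.exe", "msedge.exe", "firefox.exe"}

STUN_TURN_PORTS = {3478, 3479}  # IANA-registered STUN/TURN ports
# Full value name behind the article's "LimitBlankPassword setting"; 0 permits network
# logons with blank passwords, which is what makes newly created accounts easy to reuse.
LSA_BLANK_PW_SUFFIX = r"\control\lsa\limitblankpassworduse"


@dataclass
class Alert:
    severity: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_network(ev: dict) -> Optional[Alert]:
    """Event 3: relay or QUIC traffic from a process that should not be producing it."""
    if ev.get("EventID") != 3 or ev.get("Protocol", "").lower() != "udp":
        return None
    image = _basename(ev.get("Image", ""))
    port = int(ev.get("DestinationPort", 0))
    dest = f"{image} -> {ev.get('DestinationIp')}:{port}"
    if port in STUN_TURN_PORTS and image not in TEAMS_IMAGES:
        return Alert("high", "turn_from_non_teams_process", dest)
    if port == 443 and image not in QUIC_IMAGES:
        return Alert("low", "quic_from_unexpected_process", dest)
    return None


def check_registry(ev: dict) -> Optional[Alert]:
    """Event 13: LimitBlankPasswordUse cleared to 0."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if target.endswith(LSA_BLANK_PW_SUFFIX) and "0x00000000" in ev.get("Details", "").lower():
        return Alert("high", "blank_password_restriction_disabled",
                     f"{_basename(ev.get('Image', ''))} set {target} = 0")
    return None


def check_driver(ev: dict) -> Optional[Alert]:
    """Event 6: one of the drivers named in the article was loaded."""
    if ev.get("EventID") != 6:
        return None
    if _basename(ev.get("ImageLoaded", "")) in SUSPECT_DRIVERS:
        return Alert("high", "known_vulnerable_driver_loaded", ev["ImageLoaded"])
    return None


def hunt(events) -> list:
    """Run every check over every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for check in (check_network, check_registry, check_driver):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Microsoft\Teams\current\ms-teams.exe",
     "Protocol": "udp", "DestinationIp": "203.0.113.10", "DestinationPort": 3478},
    {"EventID": 3, "Image": r"C:\Tools\DbgView64.exe", "Protocol": "udp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 3478},
    {"EventID": 3, "Image": r"C:\Tools\DbgView64.exe", "Protocol": "udp",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\wsftprm.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.detail}")
```

The network rule is the one that matters most here: the destination is a genuine Microsoft relay, so a destination-only watchlist sees nothing, and the signal is the owning process (in this intrusion the injected DbgView64.exe). The UDP/443 rule is deliberately low severity because QUIC is common; it is there to surface the QUIC leg the article describes once a non-Teams process has already tripped the TURN rule on the same host.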

Symantec said the Huawei driver was used as part of a novel attack dubbed “Havoc Process Terminator” and had not previously been observed being exploited in attacks. Researchers at Huntress documented the driver’s vulnerable status in March 2026, after the intrusion took place.

The attackers also used ABYSSWORKER, a custom-built malware driver designed to masquerade as a legitimate Palo Alto Networks driver.

Following reconnaissance and defense-evasion activities, the attackers exfiltrated data and deployed the DragonForce ransomware payload.

Backdoor.Turn deployed after ransomware attack

The Backdoor.Turn remote access trojan (RAT) was injected into the legitimate DbgView64.exe process after the ransomware was deployed, suggesting it may be intended to maintain access to compromised systems or support future intrusions.

Backdoor.Turn can execute commands, launch processes, scan networks, capture TLS certificate information, search LDAP and Active Directory environments, move laterally through the network using stolen credentials, and steal browser credentials from compromised systems.

“The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today,” the researchers concluded.

Symantec has published indicators of compromise (IoCs) associated with the activity to help organizations detect and respond to related attacks.
