DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

Threat actors associated with the DragonForce ransomware have been observed using a Go-based remote access Trojan (RAT) called Backdoor.Turn to hide command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.
According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was used against a major US services firm whose name has not been disclosed.
“Backdoor.Turn receives an anonymous guest token from Microsoft’s Skype-backed identity services, uses a Microsoft TURN relay to set up a connection, and runs a QUIC session to the attacker’s command-and-control (C2) server,” the Threat Hunter Team said in a report shared with The Hacker News.
“For network defenders, the only traffic they saw was outgoing communications from official Microsoft Teams servers. The attackers were on the victim’s network for between one and two months.”
This development marks the first publicly documented incident of threat actors abusing Microsoft’s Traversal Using Relays around NAT (TURN) relay infrastructure.
It is suspected that the threat actor gained initial access by exploiting a vulnerability in an SQL or MS-SQL server, although the exact flaw is unknown. Access may also have been obtained from an initial access broker (IAB).
The first malicious activity on the victim’s network began in December 2025, with the attackers using a PowerShell command to download a ZIP archive under the pretext of a technical support hotfix. The ZIP file launches a DLL sideloading attack, and the malicious DLL is then used to inspect, terminate, and silence security software by means of a Huawei driver (“HWAuidoOs2Ec.sys”).
This is accomplished through a technique known as bring your own vulnerable driver (BYOVD). The same driver has been used in a major fraud campaign against US citizens seeking tax-related documents, although that is said to have occurred after the ransomware incident.
Some drivers used for this purpose are listed below –
Notable about the attack is the deployment of Backdoor.Turn by injecting it into the legitimate “DbgView64.exe” process after the DragonForce ransomware had been deployed. This suggests an attempt to maintain persistent access to the compromised host for later attacks or for resale at a profit.
Backdoor.Turn’s TURN-based approach builds on a C2 communication technique called Ghost Calls, published by Praetorian in August 2024. The backdoor supports a variety of capabilities, including command execution, process creation, network scanning, LDAP and Active Directory queries, authentication-related operations, and browser authentication.
“The backdoor requests a guest token from the Microsoft Teams/Skype backend, uses that token to communicate with Teams-related infrastructure (TURN relay), and establishes an outbound connection,” Symantec and Carbon Black explained.
“It obtains an anonymous Teams guest authentication token backed by Skype identity services. It then uses an official Microsoft server as a TURN relay during connection setup. After the relay-assisted setup, the malware establishes a direct QUIC session to the C&C server, which is malicious.”
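The two-stage pattern described above (relay-assisted setup through a Microsoft TURN server, then a direct QUIC session to a non-Microsoft host) is something a network defender can look for in flow data even when the first leg looks like ordinary Teams traffic. The following is an added detection example written for this article; it is not code from Symantec, Carbon Black or Praetorian, and it makes these assumptions: flow records arrive as CSV (`timestamp,src,dst,dport,proto`), the relay prefix `203.0.113.0/24` and the internal prefix `10.0.0.0/8` are constructed placeholders (a real deployment would load the relay list from Microsoft's published Office 365 endpoint data), and a 60-second window between the TURN setup and the QUIC session is a tunable guess, not a value from the report.

```python
"""Flag hosts whose TURN-relay setup is followed by a QUIC session to a
non-relay, non-internal destination: the Backdoor.Turn traffic shape.
Added example; all addresses, prefixes and timings are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed placeholder prefixes. Replace RELAY_NETS with the Teams/Skype
# media relay ranges from Microsoft's endpoint list and INTERNAL_NETS with
# your own address space.
RELAY_NETS = [ip_network("203.0.113.0/24")]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
TURN_PORTS = {3478, 443}          # TURN listens on 3478; relays also accept 443
WINDOW = timedelta(seconds=60)    # assumed gap between relay setup and QUIC

# Constructed sample flow records (ISO timestamp, src, dst, dport, proto).
SAMPLE_FLOWS = """
# constructed: ts,src,dst,dport,proto
2025-12-03T10:15:02Z,10.0.0.15,203.0.113.20,3478,udp
2025-12-03T10:15:05Z,10.0.0.15,198.51.100.77,443,udp
2025-12-03T10:20:00Z,10.0.0.22,203.0.113.21,3478,udp
2025-12-03T10:20:03Z,10.0.0.22,203.0.113.40,443,udp
2025-12-03T11:00:00Z,10.0.0.30,198.51.100.5,443,tcp
2025-12-03T11:30:00Z,10.0.0.15,198.51.100.9,443,udp
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse CSV flow lines, skipping blanks and '#' comments; return them sorted by time."""
    flows = []
    for row in csv.reader(io.StringIO(text.strip())):
        if not row or row[0].lstrip().startswith("#"):
            continue
        ts, src, dst, dport, proto = (field.strip() for field in row[:5])
        flows.append(Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          src, dst, int(dport), proto.lower()))
    return sorted(flows, key=lambda f: f.ts)


def in_nets(addr, nets):
    return any(ip_address(addr) in net for net in nets)


def is_turn_setup(flow):
    """Relay leg: UDP or TCP to a known relay prefix on a TURN port."""
    return flow.proto in ("udp", "tcp") and flow.dport in TURN_PORTS \
        and in_nets(flow.dst, RELAY_NETS)


def is_quic_to_foreign(flow):
    """QUIC leg: UDP/443 to something that is neither a relay nor internal."""
    return flow.proto == "udp" and flow.dport == 443 \
        and not in_nets(flow.dst, RELAY_NETS) \
        and not in_nets(flow.dst, INTERNAL_NETS)


def find_relay_then_quic(flows, window=WINDOW):
    """Return one alert per QUIC session that follows a relay setup from the
    same source within `window`. Input must be time-ordered."""
    last_turn = {}   # src -> most recent relay-setup flow
    alerts = []
    for flow in flows:
        if is_turn_setup(flow):
            last_turn[flow.src] = flow
        elif is_quic_to_foreign(flow):
            setup = last_turn.get(flow.src)
            if setup is not None and flow.ts - setup.ts <= window:
                alerts.append({
                    "src": flow.src,
                    "relay": setup.dst,
                    "quic_dst": flow.dst,
                    "gap_s": (flow.ts - setup.ts).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_relay_then_quic(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['src']}: relay {alert['relay']} then QUIC to "
              f"{alert['quic_dst']} after {alert['gap_s']:.0f}s")
```

In the constructed sample only host 10.0.0.15 trips the rule: its relay setup is followed three seconds later by QUIC to 198.51.100.77. Host 10.0.0.22 also uses a relay but its UDP/443 session stays inside the relay prefix (ordinary Teams media), 10.0.0.30 speaks TCP rather than QUIC with no preceding relay leg, and the later 10.0.0.15 session falls outside the window. The window and the relay list are the two knobs that decide the false-positive rate; the relay list matters most, because legitimate Teams calls also terminate on Microsoft relays and must not be flagged.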
The findings paint a picture of a threat group that relies on sophisticated tradecraft to launch high-impact targeted attacks while keeping victims in the dark about leaks of confidential data. This is especially significant since Hackledorb, the threat actor behind DragonForce, has moved from a traditional ransomware-as-a-service (RaaS) model to a more structured cartel model.
“The operational timeline shows a pattern of continuous energy development, with the adoption of more advanced techniques becoming a hallmark of their post-2025 operations,” the company said. “The use of Backdoor.Turn, combined with multi-vector BYOVD evasion, positions them as one of the most skilled and persistent ransomware groups operating today.”