DragonForce ransomware is the first known malware to abuse Microsoft Teams' TURN relay servers for command-and-control, according to Symantec's threat researchers. The custom Go-based backdoor, named Backdoor.Turn, hides C2 traffic inside legitimate Teams infrastructure by obtaining an anonymous visitor token and connecting through a Microsoft TURN relay.
Symantec observed the attack in December 2025 against a major U.S. services company. Initial access likely came through an unknown flaw in an SQL or MSSQL server. The attackers then downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL for sideloading.
How Backdoor.Turn Exploits Teams TURN Relays
Backdoor.Turn abuses the Traversal Using Relays around NAT (TURN) protocol that Microsoft Teams uses when a direct peer-to-peer connection isn't available. The malware gets an anonymous Teams visitor token, uses a legitimate Microsoft TURN relay during connection setup, then routes traffic to the attacker's C2 server. Defenders see traffic associated with Microsoft Teams infrastructure, making the malicious communications blend into trusted network flows.
Last year Praetorian demonstrated "Ghost Calls," showing how temporary TURN credentials for Teams and Zoom could be hijacked. Backdoor.Turn is the first real-world implementation of that concept.
The Full Attack Chain from SQL Exploit to Encryption
After establishing a foothold, the attackers strengthened persistence by creating rogue users, abusing the LimitBlankPassword security policy in Windows, and modifying firewall rules. They then deployed multiple vulnerable drivers in a Bring Your Own Vulnerable Driver (BYOVD) attack to obtain kernel-level privileges and terminate security tools.
The driver list includes Huawei's HWAuidoOs2Ec.sys ("Havoc Process Terminator"), Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055). They also used ABYSSWORKER, a custom malicious driver masquerading as a legitimate Palo Alto driver.
Backdoor.Turn's RAT was injected into DbgView64.exe after deploying the ransomware, suggesting it's meant for persistence or future access. Its capabilities include command execution, process creation, network scanning, TLS certificate capturing, LDAP/Active Directory searching, website title collection, and browser credential theft. After reconnaissance and defense evasion, the attackers exfiltrated all data, deployed DragonForce ransomware, and encrypted the victim's systems.
Bring Your Own Vulnerable Driver: Evasion in Kernel Mode
Symantec highlights the exploitation of Huawei's HWAuidoOs2Ec.sys driver for evasion. BYOVD tactics let the attackers terminate security software from kernel mode, bypassing user-mode defenses. The use of multiple signed-but-vulnerable drivers shows a mature toolkit.
DragonForce has been active since at least 2023, operates with a cartel-style structure, and has links to the Scattered Spider threat group. Symantec describes the tradecraft behind this campaign as "exceptionally sophisticated."
Security teams should treat all Teams traffic with suspicion. Backdoor.Turn proves that trusted conferencing infrastructure is now a viable C2 channel, and defenders need to inspect TURN relay handshakes for anomalies rather than blindly trusting Microsoft's IP ranges.
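As an added illustration of what "inspecting TURN relay handshakes" can mean in practice (this is example code written for this summary, not Symantec's detection logic or anything from the Backdoor.Turn sample), the following parser decodes the STUN/TURN header and attributes defined in RFC 5389/5766 and pulls the XOR-PEER-ADDRESS out of CreatePermission and ChannelBind requests, which are the messages a client uses to tell the relay which peer it wants traffic forwarded to. The sample message and the allow-list of expected peer networks are constructed placeholders; a real deployment would substitute the media-endpoint ranges it expects Teams clients to reach.

```python
import struct
from ipaddress import ip_address, ip_network

MAGIC_COOKIE = 0x2112A442
# TURN method numbers from RFC 5766 (the request/response class bits are masked out in parse_turn).
METHODS = {0x003: "Allocate", 0x008: "CreatePermission", 0x009: "ChannelBind"}
XOR_PEER_ADDRESS = 0x0012

def build_create_permission(peer_ip: str, peer_port: int, txid: bytes) -> bytes:
    """Constructed sample: a CreatePermission request carrying one IPv4 XOR-PEER-ADDRESS."""
    xport = peer_port ^ (MAGIC_COOKIE >> 16)          # port is XORed with the top 16 cookie bits
    xaddr = int(ip_address(peer_ip)) ^ MAGIC_COOKIE   # IPv4 address is XORed with the whole cookie
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # reserved byte, family 0x01 = IPv4
    attr = struct.pack("!HH", XOR_PEER_ADDRESS, len(value)) + value
    return struct.pack("!HHI", 0x0008, len(attr), MAGIC_COOKIE) + txid + attr

def parse_turn(msg: bytes) -> dict:
    """Decode the 20-byte STUN header, then walk the TLV attributes and un-XOR any peer addresses."""
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) < 20 + length:
        raise ValueError("not a STUN/TURN message")
    # Method bits are interleaved with the class bits in the 14-bit type field (RFC 5389 §6).
    method = ((msg_type & 0x3E00) >> 2) | ((msg_type & 0x00E0) >> 1) | (msg_type & 0x000F)
    peers, off = [], 20
    while off < 20 + length:
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if atype == XOR_PEER_ADDRESS and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            peers.append((str(ip_address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)))
        off += 4 + ((alen + 3) & ~3)   # attribute values are padded to a 4-byte boundary
    return {"method": METHODS.get(method, hex(method)), "peers": peers}

def unexpected_peers(msg: bytes, allowed: list[str]) -> list[tuple[str, int]]:
    """Peers that a CreatePermission/ChannelBind asks the relay to forward to, outside the allow-list."""
    nets = [ip_network(n) for n in allowed]
    info = parse_turn(msg)
    if info["method"] not in ("CreatePermission", "ChannelBind"):
        return []
    return [p for p in info["peers"] if not any(ip_address(p[0]) in n for n in nets)]

# Constructed sample: a client asking the relay to forward traffic to 203.0.113.10:443,
# checked against a placeholder allow-list (not Microsoft's real media ranges).
SAMPLE_MSG = build_create_permission("203.0.113.10", 443, b"\x00" * 12)
EXPECTED_PEER_NETS = ["198.51.100.0/24"]

if __name__ == "__main__":
    print(unexpected_peers(SAMPLE_MSG, EXPECTED_PEER_NETS))
```

A relay permission for a peer outside the expected ranges is only a signal, not proof of Backdoor.Turn, so it belongs in a triage queue alongside the host-level indicators (DbgView64.exe injection, BYOVD driver loads) described above.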
Source: Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
Domain: bleepingcomputer.com