Ransomware Gang Exploits Microsoft Teams Relays to Bypass Security and Hide Malicious Traffic
A ransomware operation known as DragonForce has deployed a custom malware strain called ‘Backdoor.Turn’ to conceal command-and-control (C2) communications within Microsoft Teams relay systems.
Overview of DragonForce and Backdoor.Turn
The malware abuses the Traversal Using Relays around NAT (TURN) protocol, which Microsoft Teams uses to relay traffic when direct client connections are blocked, such as from within private networks. DragonForce, a ransomware operation active since 2023, runs with a cartel-like structure and has ties to the Scattered Spider threat group. Researchers at Symantec identified the group’s use of Go-based malware in an attack targeting a large U.S. services company.

Backdoor.Turn works by acquiring an anonymous Teams visitor token and using a legitimate Microsoft TURN relay during connection setup before linking to the attacker’s C2 server. Because the relayed traffic looks like ordinary Teams activity, it can pass through network defenses that permit Teams.

In 2025, Praetorian demonstrated a technique called Ghost Calls, which showed that temporary TURN credentials for Teams and Zoom could be hijacked to create covert communication channels. Backdoor.Turn, however, is the first confirmed instance of malware in active use that employs Microsoft Teams’ TURN relays for C2 traffic. The malware is a Go-based remote access trojan (RAT) built to hide its operations behind Microsoft Teams’ infrastructure.

Symantec also noted the use of the Huawei HWAuidoOs2Ec.sys driver, dubbed “Havoc Process Terminator,” as part of Bring Your Own Vulnerable Driver (BYOVD) tactics to evade security measures.
Attack Timeline and Methods
The attack, observed in December 2025, began with the exploitation of an unpatched vulnerability in an SQL or MSSQL server. Once initial access was gained, the attackers established persistence by creating rogue user accounts, leveraging the LimitBlankPassword Windows security policy for easy entry, and modifying firewall rules.

The threat actors then used BYOVD techniques with multiple drivers, including Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud’s wsftprm.sys (CVE-2023-52271), Tower of Fantasy’s GameDriverx64.sys (CVE-2025-61155), and K7 Security’s K7RKScan.sys (CVE-2025-1055), to gain kernel-level privileges and disable security tools. A custom malicious driver named ABYSSWORKER, disguised as a Palo Alto Networks component, was also used.

After the ransomware was deployed, Backdoor.Turn was injected into DbgView64.exe, suggesting the attackers intended to retain long-term access or return for future operations. The backdoor’s capabilities include executing commands, creating processes, scanning networks, capturing TLS certificates, querying LDAP/Active Directory, collecting website titles, and stealing browser credentials. Following reconnaissance and defense evasion, the attackers exfiltrated data, deployed DragonForce ransomware, and encrypted the victim’s systems.
Indicators of Compromise (IoCs)
Indicators of compromise (IoCs) have been published by Symantec to assist organizations in detecting and mitigating similar attacks. The incident underscores the growing use of legitimate infrastructure to mask malicious activity, requiring enhanced monitoring of network traffic patterns and protocol usage.
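As an added illustration of the monitoring this article calls for (example code written for this page, not from Symantec or the DragonForce report), the script below hunts through constructed endpoint telemetry for two behaviours described above: TURN relay traffic originating from a process that is not a Teams client (the Backdoor.Turn pattern, here injected into DbgView64.exe) and loads of the vulnerable drivers named in the write-up. It assumes a simple "event key=value" log format, that TURN relay traffic is recognisable by destination ports 3478-3481 (the standard TURN port range Teams uses for relays), and that the Teams client binaries are ms-teams.exe or Teams.exe; the process allowlist and ports are assumptions to tune for your environment.

```python
import re
from dataclasses import dataclass

# Assumption: Teams relay traffic uses UDP/TCP 3478-3481 (standard TURN ports).
TURN_PORTS = {3478, 3479, 3480, 3481}
# Assumption: processes expected to talk to Teams TURN relays.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
# Driver file names taken from the article's list of BYOVD drivers.
SUSPICIOUS_DRIVERS = {
    "hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys",
}

# Constructed sample telemetry (not real logs; 198.51.100.0/24 is TEST-NET-2).
SAMPLE_LOG = """\
netconn proc=ms-teams.exe dport=3478 proto=udp dst=198.51.100.10
netconn proc=DbgView64.exe dport=3478 proto=udp dst=198.51.100.10
netconn proc=DbgView64.exe dport=443 proto=tcp dst=198.51.100.20
driverload image=C:\\Windows\\Temp\\HWAuidoOs2Ec.sys signer=Huawei
driverload image=C:\\Windows\\System32\\drivers\\tcpip.sys signer=Microsoft
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse(line):
    """Split 'kind key=value key=value' into the kind and a field dict."""
    kind, _, rest = line.partition(" ")
    return kind, dict(re.findall(r"(\w+)=(\S+)", rest))


def hunt(log_text):
    """Return findings for TURN use by non-Teams processes and BYOVD loads."""
    findings = []
    for line in log_text.splitlines():
        kind, f = parse(line)
        if kind == "netconn" and int(f["dport"]) in TURN_PORTS \
                and f["proc"].lower() not in TEAMS_PROCESSES:
            findings.append(Finding("turn-from-non-teams-process",
                                    f"{f['proc']} -> {f['dst']}:{f['dport']}"))
        elif kind == "driverload":
            # Compare only the file name, case-insensitively, against the list.
            name = f["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in SUSPICIOUS_DRIVERS:
                findings.append(Finding("byovd-driver-load", f["image"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.detail}")
```

Against the sample telemetry the script reports the DbgView64.exe TURN connection and the HWAuidoOs2Ec.sys load, while the legitimate Teams relay traffic and the Microsoft driver pass silently.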
