DragonForce Hid Inside Microsoft Teams and Nobody Noticed for Two Months

DragonForce hid for months by routing malware traffic through Microsoft Teams infrastructure, masking C2 activity and evading network detection.
DragonForce ransomware operators hit a major U.S. services firm and stayed hidden for one to two months by routing their command-and-control traffic through Microsoft’s own Teams relay servers. Symantec’s threat hunters track the custom backdoor used in the intrusion as Backdoor.Turn. To any defender watching the network, the traffic looked like normal Teams activity.
“Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control server,” reads the report published by Symantec. “To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild. It is relatively unusual to see ransomware attackers using their own custom tools, and it is particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn.”
This is the first known malware to abuse TURN relay infrastructure this way. The technique was inspired by the Ghost Calls method presented at Black Hat in 2025, which focused on C&C communication that’s hard to profile from the network side.
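A defender-side illustration of the detection gap described above, added here and not taken from Symantec’s report: a small Python check over constructed, Sysmon-style network-connection records (assumed format `ts|image|protocol|dst_host|dst_port`; the relay host names are placeholders) that flags TURN or QUIC relay sessions started by any process other than the Teams client, such as the DbgView64.exe host process named in this article.

```python
import re

# Processes legitimately expected to reach Teams relay infrastructure (assumption).
EXPECTED_TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}

# Standard TURN ports (RFC 5766 / RFC 8656) and QUIC over UDP/443.
TURN_PORTS = {3478, 3479, 5349}
QUIC_PORT = 443
# Placeholder pattern for relay-looking host names; real deployments would use
# the vendor's published relay ranges instead.
RELAY_HOST_RE = re.compile(r"(^|\.)(turn|relay)\.", re.I)


def parse_record(line):
    """Split one constructed 'ts|image|proto|host|port' record into a dict."""
    ts, image, proto, host, port = line.strip().split("|")
    return {"ts": ts, "image": image.rsplit("\\", 1)[-1].lower(),
            "proto": proto.upper(), "host": host.lower(), "port": int(port)}


def is_relay_like(rec):
    """True if the connection looks like a TURN allocation or a QUIC session to a relay."""
    turn = rec["port"] in TURN_PORTS
    quic_to_relay = (rec["proto"] == "UDP" and rec["port"] == QUIC_PORT
                     and bool(RELAY_HOST_RE.search(rec["host"])))
    return turn or quic_to_relay


def find_suspicious(lines):
    """Return records where a non-Teams process initiates relay-like traffic."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_relay_like(rec) and rec["image"] not in EXPECTED_TEAMS_IMAGES:
            hits.append(rec)
    return hits


# Constructed sample: a legitimate Teams call, a Backdoor.Turn-style TURN-then-QUIC
# session from the injected DbgView64.exe host, and an unrelated HTTPS request.
SAMPLE_LOG = """
2025-12-03T10:01:00Z|C:\\Users\\a\\AppData\\Local\\Microsoft\\Teams\\ms-teams.exe|UDP|relay.example-turn.net|3478
2025-12-03T10:05:12Z|C:\\Tools\\DbgView64.exe|UDP|relay.example-turn.net|3478
2025-12-03T10:05:13Z|C:\\Tools\\DbgView64.exe|UDP|edge1.turn.example-relay.net|443
2025-12-03T10:06:00Z|C:\\Program Files\\Browser\\browser.exe|TCP|www.example.com|443
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['image']} -> {hit['host']}:{hit['port']} ({hit['proto']})")
```

The process-to-destination pairing is the point: the destinations alone look like ordinary Teams traffic, so the allow-list of expected client images is what surfaces the two DbgView64.exe sessions.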
The backdoor is written in Go and injected into the legitimate DbgView64.exe process. The malicious payload can execute commands, scan networks, map Active Directory, move laterally with stolen credentials, and pull passwords from browsers.
The attackers got in through what appears to be a vulnerability in an SQL or MSSQL server, though the exact flaw is still unknown. They may have bought access from a broker. Once inside, starting December 2025, they dropped a .zip archive containing a legitimate VirtualBox executable paired with a malicious DLL designed to sideload and fetch additional payloads from remote servers.
For defense evasion, they used the Bring Your Own Vulnerable Driver (BYOVD) technique against multiple signed drivers, including a novel attack on Huawei’s HWAuidoOs2Ec.sys. That driver’s vulnerable status had been documented by Huntress in March 2026, after this attack already happened.
“This driver wasn’t known to be exploited like this in the wild prior to this attack, though its vulnerable status was documented by researchers at Huntress in March 2026, after this attack happened,” states the report.
They also deployed a custom-built malicious driver disguised as a legitimate Palo Alto driver, which doesn’t even fit the standard BYOVD definition since it wasn’t a legitimate driver to begin with.
DragonForce has been active since at least June 2023 and has since moved from a standard ransomware-as-a-service model to a cartel structure. Backdoor.Turn gets installed after the ransomware runs, which suggests the group is either maintaining persistence for a follow-up intrusion or selling access to other attackers.
“The attackers in this campaign use exceptionally sophisticated cyber tradecraft. The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors,” concludes the report. “The exploitation of a driver that was not at the time known to be vulnerable (Havoc Process Terminator) also demonstrates a strong level of expertise and sophistication on behalf of the attackers.”
DragonForce has been active since at least 2023. The cybercrime group has evolved from a traditional ransomware-as-a-service operation into a structured cybercrime cartel. According to Symantec, the group has steadily expanded its capabilities, adopting advanced techniques such as the Backdoor.Turn malware and sophisticated BYOVD evasion methods. Its growing operational maturity, resources, and focus on targeted attacks position DragonForce among today’s most capable and persistent ransomware threats.

