DragonForce Ransomware Exploits Microsoft Teams to Conceal Malicious Activity

Cybercriminals associated with the DragonForce ransomware group have recently infiltrated a U.S.-based service firm, employing Microsoft Teams’ relay infrastructure to mask their malicious activities effectively.

Research conducted by teams from Broadcom’s Symantec and Carbon Black has revealed that the attackers leveraged a newly discovered, specially crafted backdoor to disguise their communications as legitimate business traffic.

The Malicious Backdoor

This custom-built tool, identified as Backdoor.Turn, is a Go-based backdoor specifically engineered to conceal command-and-control traffic within the trusted communication channels of Microsoft Teams.

As per the researchers, Backdoor.Turn secures an anonymous visitor token from Microsoft Teams and utilizes Microsoft’s TURN relay infrastructure, routing traffic through authentic Microsoft servers before establishing a connection to the attackers’ command-and-control server. This tactic complicates detection for network administrators, who may interpret the traffic as standard Microsoft Teams communication rather than a signal of an ongoing cyber intrusion. Researchers noted that this represents a pioneering approach in malware techniques by exploiting TURN relay systems.

How the Attackers Gained Access

The infiltration into the U.S. firm’s network reportedly began in December 2025, likely stemming from the exploitation of an undisclosed vulnerability in an SQL or MSSQL server. There is also speculation that access might have been procured through an initial access broker.

Once inside, the attackers employed DLL sideloading to execute their payload. In this case, they manipulated a legitimate VirtualBox executable to load a malicious DLL, allowing the malware to operate through a trusted process and evade immediate detection.

Bypassing Defenses and Deploying Ransomware

The attackers remained undetected within the network for one to two months before deploying ransomware. During this period, they altered firewall settings and system configurations to ensure continued access and set the stage for subsequent attack phases.

In their efforts to disable security mechanisms, the attackers implemented bring-your-own-vulnerable-driver (BYOVD) techniques, using legitimate yet vulnerable drivers to gain elevated system access. Their toolkit included a new tool named Havoc Process Terminator, which they utilized to exploit a Huawei audio driver, identified as HWAudioOs2Ec.sys. They also took advantage of three documented vulnerabilities: CVE-2023-52271 for Topaz Antifraud, CVE-2025-61155 associated with Tower of Fantasy, and CVE-2025-1055 related to K7 Security Anti-Malware. Additionally, they employed Abyss Worker, a malicious driver masquerading as a Palo Alto Networks security component.
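The three behaviours described above (TURN relay traffic from a host that is not a Teams client, a VirtualBox executable sideloading a DLL, and a known vulnerable driver being loaded) each leave a footprint in endpoint telemetry. The following is an added detection example, not code from the report or from Symantec/Carbon Black; the event schema, the process names treated as legitimate Teams clients, the VirtualBox install path and the sample telemetry lines are all constructed assumptions for illustration.

```python
"""Detection rules for the techniques described in the report: TURN relay
C2, VirtualBox DLL sideloading, and BYOVD driver loads. The event layout,
the Teams process names, the VirtualBox path and the sample records are
assumptions constructed for this example, not data from the incident."""
from dataclasses import dataclass
from typing import List, Optional

TURN_PORTS = {3478, 3479}                        # default STUN/TURN ports
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}  # assumed legitimate clients
VBOX_DIR = r"c:\program files\oracle\virtualbox" # assumed install location
KNOWN_VULNERABLE_DRIVERS = {"hwaudioos2ec.sys"}  # driver named in the report

@dataclass
class Event:
    kind: str     # "net", "imageload" or "driverload"
    host: str
    process: str  # image name of the acting process
    target: str   # "ip:port", loaded DLL path, or driver file path

def check(ev: Event) -> Optional[str]:
    """Return a finding if the event matches a rule, otherwise None."""
    proc, tgt = ev.process.lower(), ev.target.lower()
    if ev.kind == "net":
        port = int(tgt.rsplit(":", 1)[1])
        # TURN traffic is expected only from a real Teams client process
        if port in TURN_PORTS and proc not in TEAMS_PROCESSES:
            return f"{ev.host}: TURN connection from non-Teams process {ev.process}"
    elif ev.kind == "imageload":
        # a VirtualBox binary loading a DLL outside its install directory
        if proc.startswith("virtualbox") and tgt.endswith(".dll") \
                and not tgt.startswith(VBOX_DIR):
            return f"{ev.host}: {ev.process} sideloaded DLL {ev.target}"
    elif ev.kind == "driverload":
        if tgt.rsplit("\\", 1)[-1] in KNOWN_VULNERABLE_DRIVERS:
            return f"{ev.host}: known vulnerable driver loaded: {ev.target}"
    return None

# Constructed sample telemetry; hosts, IPs and paths are placeholders.
SAMPLE = [
    Event("net", "ws01", "ms-teams.exe", "203.0.113.10:3478"),
    Event("net", "sql01", "svchost.exe", "203.0.113.10:3478"),
    Event("imageload", "sql01", "VirtualBox.exe", r"C:\Users\Public\example.dll"),
    Event("imageload", "ws02", "VirtualBox.exe",
          r"C:\Program Files\Oracle\VirtualBox\example.dll"),
    Event("driverload", "sql01", "system", r"C:\Windows\Temp\HWAudioOs2Ec.sys"),
]

def run(events: List[Event] = SAMPLE) -> List[str]:
    return [f for f in map(check, events) if f]

if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Each rule fires on a single event, so the three findings on the sample point at the same host, which is the correlation a responder would chase first.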

Following this preparatory phase, as detailed in the company’s blog post, the attackers proceeded to exfiltrate sensitive documents and encrypt systems using DragonForce ransomware. They subsequently utilized Backdoor.Turn to maintain access, pilfer browser credentials, or potentially resell access to the breached network.

A visual representation of the ten-step attack flow (Credit: Symantec and Carbon Black)

The conclusions drawn by Symantec and Carbon Black researchers suggest that the evolution of DragonForce, marked by the use of a custom backdoor and advanced evasion techniques, indicates a shift from traditional ransomware-as-a-service models to a distinctly organized and structured operational cartel. In their assessment, this group stands out as one of the most proficient and relentless ransomware actors currently in operation.

Experts’ Comments

Cybersecurity experts have provided further insights into the implications of such infrastructure abuse on corporate security. Jason Soroko, Senior Fellow at Sectigo, elaborated on the operational mechanics, noting that Backdoor.Turn disguises command and control communications as business traffic by routing through Microsoft servers. This allows attacker activities to bypass security protocols that typically regard traffic associated with Microsoft domains as trustworthy.

Robert Coles, Senior Manager of Threat Intelligence Security at Black Duck, highlighted the evolving strategies of extortion groups, observing their investments in sophisticated techniques, bespoke tools, and BYOVD tactics for evading defenses. He emphasized that the nature of these attacks is shifting away from “smash-and-grab” ransomware models to approaches more akin to advanced, persistent threat actors.

Shane Barney, Chief Information Security Officer at Keeper Security, pointed out the risks inherent in organizational trust. He stated that Backdoor.Turn succeeds because organizations extend a level of implicit trust to collaborative infrastructures, such as Microsoft Teams, that would not typically be afforded to other systems. TURN servers, crucial for routing traffic in the event of failed direct connections, are generally treated as benign by security systems—a misconception that can be exploited.

