Industry News & Leadership, Jun 16, 2026

DragonForce Ransomware Exploited Microsoft Teams to Hide in Attack Against Major Company

Infosecurity Magazine, archived Jun 16, 2026

Command and control traffic exploited a Teams visitor token to make malicious activity look legitimate to defenders



A notorious ransomware group secretly infiltrated the network of a major company for up to two months by hiding command and control (C&C) traffic in Microsoft Teams before unleashing their attack, researchers have warned.

The investigation report, published by Symantec and Carbon Black on 16 June, warned that attackers deployed DragonForce ransomware on the network of a “major US services firm.”

The cybercriminals used a Go-based Remote Access Trojan (RAT) to abuse Microsoft Teams' TURN relay servers and mask command-and-control traffic. The backdoor, which researchers dubbed Backdoor.Turn, shaped the traffic so that all defenders could see was outbound connections to legitimate Microsoft Teams servers.

Backdoor.Turn was used to obtain an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, then used a legitimate Microsoft TURN relay to set up a connection. The attackers then ran a QUIC transport-layer session over that relay, linking the infected machine to an attacker-controlled server.

The attackers also exploited what, at the time of the attack, was an undocumented vulnerability in a Huawei driver to help mask their activity. The vulnerability was later detailed by Huntress in March 2026.

To maintain persistence on the network, the attackers altered configurations and systems. This included removing the Limit Blank Password security setting to allow easy access to the compromised machines, creating new user accounts to maintain or gain additional access, and modifying firewall rules to facilitate remote access and ensure C&C communication remained unhindered.

These changes, combined with the capabilities of Backdoor.Turn (code execution, network scanning, credential-based lateral movement within the network, and browser credential theft from compromised endpoints), allowed the attackers to quietly expand their remote access to the network over time. All of this was abetted by stealthily hiding C&C traffic in Microsoft Teams.

“The attackers in this campaign use exceptionally sophisticated cyber tradecraft. The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors,” researchers warned in the blog post.

This incident took place in 2025, and the attackers were able to deploy DragonForce ransomware to exfiltrate data and encrypt the victim machines. There is no indication as to whether the victim paid the ransom to obtain the decryption key or to have the attackers delete the data.

Researchers believe the attack started when the attackers gained access to the victim network by exploiting a vulnerability in either an SQL or MSSQL server.

DragonForce has become one of the most notorious ransomware groups of recent times, accounting for a significant percentage of incidents, and the group has claimed several major retailers as victims.

“The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today,” researchers warned.
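As an added example that is not from the article or from the Symantec and Carbon Black report, the Python below shows how a defender could correlate the three persistence changes the article lists (blank-password limit removed, new local account, new firewall rule) from Windows Security events on one host. The event IDs (4657, 4720, 4946) and the `Lsa\LimitBlankPasswordUse` registry value are standard Windows identifiers; the log records and host names are constructed for the demo.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the incident report).
# Windows Security log IDs: 4657 = registry value modified,
# 4720 = user account created, 4946 = firewall rule added.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T02:10:00", "host": "srv-01", "id": 4657,
     "object": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     "new_value": "0"},
    {"ts": "2025-09-01T02:12:30", "host": "srv-01", "id": 4720, "account": "svc_backup2"},
    {"ts": "2025-09-01T02:15:05", "host": "srv-01", "id": 4946, "rule": "Allow RDP any"},
    # A lone account creation on another host: routine admin work, not flagged.
    {"ts": "2025-09-03T09:00:00", "host": "ws-17", "id": 4720, "account": "jdoe"},
]

def classify(ev):
    """Map one event to a persistence indicator name, or None if irrelevant."""
    if (ev["id"] == 4657
            and ev.get("object", "").endswith(r"Lsa\LimitBlankPasswordUse")
            and ev.get("new_value") == "0"):
        return "blank_password_limit_disabled"   # setting removed -> blank passwords usable remotely
    if ev["id"] == 4720:
        return "local_account_created"
    if ev["id"] == 4946:
        return "firewall_rule_added"
    return None

def find_persistence_clusters(events, window=timedelta(hours=24)):
    """Return {host: sorted indicator names} for hosts where at least two
    distinct indicators occur within `window` of each other."""
    per_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    hits = {}
    for host, items in per_host.items():
        items.sort()
        for t0, _ in items:
            tags = {tag for t, tag in items if t0 <= t <= t0 + window}
            if len(tags) >= 2:
                hits[host] = sorted(tags)
                break
    return hits

if __name__ == "__main__":
    print(json.dumps(find_persistence_clusters(SAMPLE_EVENTS), indent=2))
```

On the sample data only `srv-01` is reported, with all three indicators; tune the window and the minimum indicator count to the noise level of the environment.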