
Hackers Weaponize Microsoft Teams Relay to Hide Ransomware Traffic

Source: Cybersecurity News

By Guru Baran, June 16, 2026

Hackers are increasingly abusing trusted cloud services to evade detection, and a newly uncovered campaign demonstrates how Microsoft Teams infrastructure can be weaponized to hide malicious traffic. According to the Symantec Threat Hunter Team, a new Go-based remote access Trojan (RAT) named Backdoor.TURN leverages Microsoft Teams TURN relay servers to disguise command-and-control (C2) communications as legitimate enterprise activity. The campaign is linked to a DragonForce ransomware attack targeting a major U.S. services firm, during which the attackers remained undetected for up to two months.

As reported by Symantec, instead of communicating directly with attacker-controlled infrastructure, the malware routes its traffic through Microsoft's own servers, so that it appears as normal outbound connections to Teams services. Backdoor.TURN operates by requesting an anonymous visitor token from Microsoft's Skype-backed identity services. As highlighted by Symantec researchers, the malware uses this token to authenticate to Teams infrastructure and establish a relay session via TURN servers. Once the relay is established, it initiates a QUIC session with the real C2 server through it. Because the infected host only ever connects to Microsoft, network defenders observe nothing but traffic to legitimate Microsoft domains, effectively masking the malicious activity.

The initial access vector remains unclear, but Symantec's analysis suggests the attackers either exploited an unknown vulnerability in an SQL or MSSQL server or obtained access through an initial access broker.

Attack chain (Source: Symantec)

The intrusion began in December 2025, after which the attackers deployed a malicious ZIP archive containing a legitimate VirtualBox executable and a weaponized DLL. Through DLL sideloading, the malicious code was executed under a trusted process, enabling stealthy persistence.
Following execution, the attackers carried out reconnaissance, credential harvesting, and lateral movement across the network. They also modified firewall rules, created additional user accounts, and adjusted system settings to maintain long-term access. Symantec noted that these changes were designed to ensure resilience and uninterrupted C2 communication.

A key highlight of the campaign is its defense evasion strategy. The attackers used a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools at the kernel level. Notably, Symantec researchers observed a novel exploitation of the Huawei driver HWAuidoOs2Ec.sys, described as a "Havoc Process Terminator." Additional drivers linked to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 were also abused. The attackers further deployed a custom malicious driver, Abyss Worker, disguised as a legitimate Palo Alto driver, to terminate security processes.

The Backdoor.TURN payload was injected into the legitimate DbgView64.exe process and was deployed after the ransomware had run. According to the Symantec Threat Hunter Team, this suggests the malware is intended for persistence or to enable future access, potentially for resale to other threat actors. The backdoor supports remote command execution, Active Directory enumeration, network scanning, credential theft, and lateral movement.

The technique is inspired by the "Ghost Calls" research presented at Black Hat 2025, which demonstrated how web conferencing platforms could be abused for covert communication. However, Symantec emphasized that this is the first known real-world case of Microsoft Teams TURN relay infrastructure being used in this manner.

DragonForce, active since 2023 and tracked by Symantec as Hackledorb, has evolved into a highly structured and sophisticated threat group. Its use of trusted cloud infrastructure combined with novel exploitation techniques highlights a growing trend in modern cyberattacks.
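The following Python example is added here for illustration; it is not code from the original article or from Symantec's analysis. It encodes and decodes STUN/TURN message headers as defined in RFC 5389 and RFC 5766 (message type, magic cookie, ChannelData framing) and runs a simple behavioral check over constructed process-level network telemetry: a TURN Allocate request or a ChannelData frame sent by a process other than the Teams client is flagged, while a plain STUN Binding request (used by any WebRTC application, including browsers) is not. The process names ms-teams.exe and teams.exe, the relay hostnames and port 3478, and the sample events are assumptions for the example, not indicators from the campaign.

```python
import struct

# STUN/TURN constants from RFC 5389 / RFC 5766.
MAGIC_COOKIE = 0x2112A442
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
TURN_ONLY = {"Allocate", "Refresh", "Send", "Data", "CreatePermission", "ChannelBind"}
REQUESTED_TRANSPORT = 0x0019  # TURN attribute; first value byte 17 = UDP
# Assumed Teams client process names; not from the article. Adjust per environment.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}


def encode_type(method: int, cls: int) -> int:
    """Interleave a 12-bit method and a 2-bit class into the STUN message type."""
    return ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
            | ((cls & 1) << 4) | ((cls & 2) << 7))


def decode_type(mtype: int) -> tuple[int, int]:
    """Inverse of encode_type: return (method, class)."""
    method = (mtype & 0x000F) | ((mtype & 0x00E0) >> 1) | ((mtype & 0x3E00) >> 2)
    cls = ((mtype & 0x0010) >> 4) | ((mtype & 0x0100) >> 7)
    return method, cls


def build_stun(method: int, cls: int, txid: bytes, attrs=()) -> bytes:
    """Build a STUN message: 20-byte header followed by TLV attributes padded to 4 bytes."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)
    return struct.pack("!HHI", encode_type(method, cls), len(body), MAGIC_COOKIE) + txid + body


def build_channel_data(channel: int, data: bytes) -> bytes:
    """TURN ChannelData frame: channel number (0x4000-0x7FFF), length, payload, padding."""
    return struct.pack("!HH", channel, len(data)) + data + b"\x00" * (-len(data) % 4)


def classify(payload: bytes):
    """Label a UDP payload as a STUN/TURN message, or return None if it is not one."""
    if len(payload) < 4:
        return None
    lead = payload[0] >> 6  # top two bits: 00 = STUN header, 01 = TURN ChannelData
    if lead == 1:
        channel, length = struct.unpack("!HH", payload[:4])
        if 0x4000 <= channel <= 0x7FFF and len(payload) >= 4 + length:
            return f"ChannelData ch=0x{channel:04x} len={length}"
        return None
    if lead != 0 or len(payload) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != MAGIC_COOKIE or len(payload) < 20 + mlen:
        return None
    method, cls = decode_type(mtype)
    return f"{METHODS.get(method, hex(method))} {CLASSES[cls]}"


def find_suspicious_turn(events):
    """events: dicts with 'host', 'process', 'dst', 'payload'.
    Flag TURN allocation/relay messages from processes that are not the Teams client.
    Plain STUN Binding is deliberately ignored: it is not evidence of a relay session."""
    hits = []
    for ev in events:
        label = classify(ev["payload"])
        if label is None:
            continue
        is_turn = label.startswith("ChannelData") or label.split()[0] in TURN_ONLY
        if is_turn and ev["process"].lower() not in TEAMS_PROCESSES:
            hits.append((ev["host"], ev["process"], ev["dst"], label))
    return hits


TXID = bytes(range(12))
# Constructed sample telemetry (not real captures); hostnames and ports are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "ms-teams.exe", "dst": "relay.example:3478",
     "payload": build_stun(0x003, 0, TXID, [(REQUESTED_TRANSPORT, b"\x11\x00\x00\x00")])},
    {"host": "ws02", "process": "chrome.exe", "dst": "stun.example:3478",
     "payload": build_stun(0x001, 0, TXID)},
    {"host": "ws03", "process": "DbgView64.exe", "dst": "relay.example:3478",
     "payload": build_stun(0x003, 0, TXID, [(REQUESTED_TRANSPORT, b"\x11\x00\x00\x00")])},
    {"host": "ws03", "process": "DbgView64.exe", "dst": "relay.example:3478",
     "payload": build_channel_data(0x4001, b"\xc0" + b"\x00" * 40)},  # relayed QUIC-like bytes
    {"host": "ws04", "process": "svchost.exe", "dst": "dns.example:53",
     "payload": b"\x12\x34\x01\x00"},
]

if __name__ == "__main__":
    for hit in find_suspicious_turn(SAMPLE_EVENTS):
        print("ALERT non-Teams TURN use:", hit)
```

The point of the check is that the relay traffic itself is indistinguishable from a Teams call at the network layer; the usable signal is which process on the endpoint is speaking TURN. That needs two things no single log source usually provides: the process that owns the socket (EDR telemetry or Sysmon Event ID 3) and the first bytes of the datagram (packet capture). If only the former is available, the same logic reduces to flagging non-Teams processes that connect to the Teams relay address ranges on the relay ports, which should be taken from Microsoft's published Teams network requirements rather than from the port assumed here.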
As noted by the Symantec Threat Hunter Team, blending malicious traffic with legitimate services significantly reduces defenders' visibility, underscoring the need for behavioral detection and stricter controls over vulnerable drivers and enterprise communication platforms.