Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack
SecurityWeek, archived Jun 17, 2026
The attackers deployed a new Go-based backdoor that uses Microsoft Teams servers for command-and-control.
A new backdoor deployed as part of a recent DragonForce ransomware attack is using Microsoft Teams relay servers for command-and-control (C&C), according to Broadcom’s Symantec and Carbon Black threat hunter team.
The DragonForce group has been active since 2023, operating as a cartel structure and adopting highly advanced techniques in recent months, suggesting organizational maturity and significant resource allocation.
Tracked as Backdoor.Turn, the newly identified malware is written in Go and disguises its C&C communication as legitimate Microsoft Teams traffic.
“Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real [C&C] server,” the threat hunters note.
According to the researchers, this appears to be the first malware family to abuse the TURN relay infrastructure in this way.
“It is relatively unusual to see ransomware attackers using their own custom tools, and it is particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn,” they note.
The custom backdoor was used in an attack on a US services firm, which was likely compromised through an unknown vulnerability in an SQL or MSSQL server. DragonForce operators might have purchased access to the company from an access broker.
According to Symantec and Carbon Black, the hackers accessed the victim network in December 2025, and relied on DLL sideloading to execute code that would fetch additional malware from remote servers.
The hackers established persistence, secured access to the compromised environment, conducted reconnaissance, and employed a sophisticated BYOVD strategy to exploit known flaws in signed drivers, thereby obtaining kernel-level access and terminating security processes.
They also deployed the DragonForce ransomware for data encryption and exfiltration, and the Backdoor.Turn malware to maintain persistence on the compromised systems after the ransomware had been deployed.
The backdoor enables threat actors to execute commands, create processes, perform network scanning and LDAP/AD mapping, move laterally using stolen credentials, and exfiltrate credentials from the browsers installed on the infected systems.
“The attackers in this campaign use exceptionally sophisticated cyber tradecraft. The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors,” the researchers note.
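The quoted point is that the endpoint only ever sees traffic to legitimate Teams relay servers, so a network allow-list for Teams will not catch it. What does remain visible is which process on the host is opening those relay sessions. The following is an added hunting example, not code from SecurityWeek or from Symantec/Carbon Black: it walks a set of constructed EDR flow records and flags processes that are not a known Teams client image yet hold UDP sessions to TURN relay ports, escalating when the session is long-lived or carries a lot of outbound data. The TURN port set (3478 per RFC 5766 plus the 3479-3481 range Microsoft documents for Teams media), the allow-listed image names, the thresholds, the record layout and the sample process names (such as `updater.exe`) are all assumptions to be tuned against your own telemetry.

```python
"""Hunting heuristic: TURN relay sessions from processes that are not the Teams client.

Added example; not part of the article or the researchers' tooling.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Standard TURN port (RFC 5766) plus the UDP range Microsoft documents for Teams
# media relays. Assumption: verify against your own Teams network allow-list.
TURN_RELAY_PORTS = {3478, 3479, 3480, 3481}

# Process images expected to talk to Teams relays on a managed Windows endpoint.
# Assumption: adjust to the Teams builds actually deployed in your fleet.
EXPECTED_TEAMS_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

LONG_SESSION_SECONDS = 600              # tunable threshold (assumption)
LARGE_EGRESS_BYTES = 50 * 1024 * 1024   # tunable threshold (assumption)


@dataclass(frozen=True)
class FlowRecord:
    """One outbound flow as an EDR or NetFlow sensor might report it (constructed layout)."""
    host: str
    image: str        # process image name
    pid: int
    proto: str        # "udp" or "tcp"
    dst_port: int
    bytes_out: int
    duration_s: int


@dataclass
class Finding:
    host: str
    image: str
    pid: int
    severity: str
    reasons: list = field(default_factory=list)


def find_relay_abuse(records):
    """Group UDP flows to TURN ports per process and flag unexpected images."""
    per_proc = defaultdict(list)
    for r in records:
        if r.proto.lower() == "udp" and r.dst_port in TURN_RELAY_PORTS:
            per_proc[(r.host, r.image.lower(), r.pid)].append(r)

    findings = []
    for (host, image, pid), flows in per_proc.items():
        if image in EXPECTED_TEAMS_IMAGES:
            continue  # the real client is expected to use the relays
        reasons = [f"{image} is not an expected Teams image but used TURN relay port(s)"]
        total_out = sum(f.bytes_out for f in flows)
        longest = max(f.duration_s for f in flows)
        if longest >= LONG_SESSION_SECONDS:
            reasons.append(f"long-lived relay session ({longest}s)")
        if total_out >= LARGE_EGRESS_BYTES:
            reasons.append(f"large egress via relay ({total_out} bytes)")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append(Finding(host, image, pid, severity, reasons))
    return findings


# Constructed sample telemetry: a genuine Teams client, an unknown binary that
# behaves like the backdoor described above, and unrelated background traffic.
SAMPLE_FLOWS = [
    FlowRecord("ws-042", "ms-teams.exe", 4120, "udp", 3478, 2_400_000, 1800),
    FlowRecord("ws-042", "svchost.exe", 812, "tcp", 443, 50_000, 30),
    FlowRecord("ws-042", "updater.exe", 7733, "udp", 3478, 80 * 1024 * 1024, 7200),
    FlowRecord("ws-042", "updater.exe", 7733, "udp", 3479, 1024, 5),
    FlowRecord("srv-db-01", "sqlservr.exe", 1500, "tcp", 1433, 10_000, 60),
]

if __name__ == "__main__":
    for f in find_relay_abuse(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.host} {f.image} pid={f.pid}: " + "; ".join(f.reasons))
```

On the sample data only the unknown `updater.exe` process is reported, at high severity, because it is not a Teams image, holds a two-hour relay session and pushes tens of megabytes outbound. The point of keying on process identity rather than destination is exactly the gap the researchers describe: the destination is legitimate Microsoft infrastructure, so the allow-list has to be applied to who is talking, not where.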
Written by Ionut Arghire, international correspondent for SecurityWeek.