DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

Source: The Hacker News, Jun 18, 2026

By Ravie Lakshmanan, Jun 18, 2026. Remote Access Trojan / Ransomware

Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was not disclosed.

"Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server," the Threat Hunter Team said in a report shared with The Hacker News. "To network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months."

The development marks the first publicly documented instance of the threat actors abusing Microsoft's Traversal Using Relays around NAT (TURN) relay infrastructure.

It's suspected the threat actor obtained initial access by exploiting a vulnerability in either a SQL or MS-SQL server, although the exact nature of the flaw is unknown. It's also possible that the access was acquired from an initial access broker (IAB).

Initial malicious activity on the victim network began in December 2025, with the attackers running a PowerShell command to drop a ZIP archive under the pretext of a tech support hotfix. The ZIP file launches a DLL side-loading attack, which runs a rogue DLL to conduct reconnaissance, set up persistence, and silence security software using a Huawei driver ("HWAuidoOs2Ec.sys"). This is achieved by means of an attack technique called bring your own vulnerable driver (BYOVD).

The same driver has also been put to use in a large-scale malvertising campaign targeting U.S.-based individuals searching for tax-related documents, although this is said to have taken place after the ransomware incident. Some of the other drivers used for this purpose are listed below:

- wsftprm.sys (CVE-2023-52271)
- GameDriverX64.sys (CVE-2025-61155)
- K7RKScan.sys (CVE-2025-1055)
- ABYSSWORKER, a custom-built malicious driver previously observed in Medusa ransomware attacks

What's notable about the attack is the execution of Backdoor.Turn by injecting it into the legitimate "DbgView64.exe" process after the DragonForce ransomware has been deployed. This suggests an attempt to maintain continued access to the compromised host for later attacks or to resell it for profit.

Backdoor.Turn's underlying TURN-based mechanism leans on a stealthy C2 communication technique called Ghost Calls that was documented by Praetorian in August 2024. The backdoor supports a wide range of capabilities, including command execution, process creation, network scanning, LDAP and Active Directory search, credential-based lateral movement, and browser credential theft.

"The backdoor requests a visitor token from the Microsoft Teams/Skype backend, uses that token to interact with Teams-associated infrastructure (TURN relay), and then establishes outbound connectivity," Symantec and Carbon Black explained. "It obtains a Teams visitor (anonymous) authentication token backed by Skype identity services. It then uses a legitimate Microsoft server as the TURN relay server during connection setup. After relay-assisted setup, the malware establishes a direct QUIC session to the C&C server, which is malicious."

The findings paint a picture of a hacking group leaning on sophisticated tradecraft to pull off high-impact targeted attacks, while leaving victims in the dark about covert data exfiltration.
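As an added illustration (not code from Symantec, Carbon Black or The Hacker News), the following Python sketch shows how a defender could correlate per-host flow records to surface the shape described above: a process contacts a Microsoft TURN relay and then, shortly afterwards, opens a QUIC session to an address outside the relay allowlist. It also flags outbound connections from DbgView64.exe, a local debugging tool that the report names as the injection target. The flow-record schema, the relay allowlist (198.51.100.0/24, a documentation range standing in for Microsoft's published Teams ranges), the ten-minute window and every sample record are constructed assumptions for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allowlist: ranges the organisation has verified as Microsoft Teams
# relay infrastructure. Documentation range used here, not a real one.
TEAMS_RELAY_RANGES = [ip_network("198.51.100.0/24")]
TURN_PORTS = {3478, 443}                  # TURN/STUN port and its TLS fallback
NO_NETWORK_PROCESSES = {"dbgview64.exe"}  # local tools with no reason to talk out
WINDOW = timedelta(minutes=10)            # relay contact -> QUIC correlation window
T0 = datetime(2025, 12, 3, 9, 0, 0)       # base time for the constructed sample


def make_event(offset_s, host, process, dst_ip, dst_port, proto, base=T0):
    """Build one flow record (constructed schema, Sysmon/NetFlow-like)."""
    return {"ts": base + timedelta(seconds=offset_s), "host": host,
            "process": process, "dst_ip": dst_ip, "dst_port": dst_port,
            "proto": proto}


def in_ranges(ip, ranges):
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def detect(events):
    """Return (host, rule, process, dst) alerts for a list of flow events.

    Rule 1 (no-network-process): a process that should never open sockets does.
    Rule 2 (relay-then-quic): the same host+process contacts a Teams relay and,
    within WINDOW, opens a QUIC (UDP/443) session to an address outside the
    relay allowlist, which is the shape of Backdoor.Turn's connection setup.
    """
    alerts = []
    last_relay = {}  # (host, process) -> time of most recent relay contact
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["process"].lower())
        dst = f'{e["dst_ip"]}:{e["dst_port"]}/{e["proto"]}'
        if key[1] in NO_NETWORK_PROCESSES:
            alerts.append((e["host"], "no-network-process", e["process"], dst))
        if in_ranges(e["dst_ip"], TEAMS_RELAY_RANGES) and e["dst_port"] in TURN_PORTS:
            last_relay[key] = e["ts"]   # legitimate relay contact, remember when
            continue
        is_quic = e["proto"] == "udp" and e["dst_port"] == 443
        if is_quic and key in last_relay and e["ts"] - last_relay[key] <= WINDOW:
            alerts.append((e["host"], "relay-then-quic", e["process"], dst))
    return alerts


def sample_events():
    """Constructed flows: one normal Teams call, one Backdoor.Turn-like chain
    from DbgView64.exe, and one browser HTTP/3 session with no relay contact."""
    return [
        make_event(0, "ws-01", "Teams.exe", "198.51.100.10", 3478, "udp"),
        make_event(5, "ws-01", "Teams.exe", "198.51.100.20", 443, "udp"),
        make_event(0, "ws-07", "DbgView64.exe", "198.51.100.10", 3478, "udp"),
        make_event(12, "ws-07", "DbgView64.exe", "203.0.113.7", 443, "udp"),
        make_event(0, "ws-09", "msedge.exe", "203.0.113.50", 443, "udp"),
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Run as-is it prints three alerts, all for ws-07: two for DbgView64.exe opening sockets at all, and one for the relay-then-QUIC pairing to 203.0.113.7. QUIC is ubiquitous (HTTP/3), so rule 2 on its own is a triage signal rather than a verdict; keying the correlation on host plus process, rather than host alone, is what keeps an ordinary Teams call followed by a browser session from firing. In production, replace the constructed range with Microsoft's published Teams endpoints and add process image signer and path to the key.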
This is particularly significant as Hackledorb, the threat actor behind DragonForce, has pivoted from a conventional ransomware-as-a-service (RaaS) model to a highly organized, formalized cartel structure.

"The operational timeline reveals a pattern of continuous capability development, with the adoption of highly advanced techniques becoming a hallmark of their post-2025 activity," the company said. "The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today."