Threat actors associated with the DragonForce ransomware group have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm, the name of which was not disclosed.
Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real C2 server. To network defenders, the only traffic visible was outbound connections to legitimate Microsoft Teams servers. The attackers remained on the victim network for between one and two months.
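Because the perimeter only ever sees UDP sessions to legitimate Microsoft relays, the place to catch this is the endpoint, where every socket has an owning process and the backdoor ran inside DbgView64.exe rather than a Teams client. The following is an added example, not code from Symantec, Carbon Black or the article: a host-side hunt over constructed Sysmon EventID 3 (NetworkConnect) style records. The process allowlist, the server-name prefixes, the sample records and the `dst_label` field (which stands in for matching the destination against Microsoft's published relay address ranges) are assumptions; the ports are the TURN/STUN default (3478) and QUIC's UDP/443.

```python
"""Attribute Teams-relay traffic to its owning process to expose C2 hidden in TURN/QUIC.

Input records mimic Sysmon EventID 3 fields (host, image, protocol, destination).
A relay session is suspicious when the process is not a known Teams client, or when
the host is in a server role that should never place a Teams call.
"""

# Assumption: images that legitimately talk to Teams relays; tune per fleet.
ALLOWED_RELAY_CLIENTS = {"teams.exe", "ms-teams.exe", "msedgewebview2.exe",
                         "msedge.exe", "chrome.exe"}
# TURN/STUN default port (RFC 8656) and QUIC over UDP/443.
RELAY_PORTS = {("udp", 3478), ("tcp", 3478), ("udp", 443)}
# Assumption: naming convention for server-role hosts that should never run a Teams client.
SERVER_PREFIXES = ("SQL-", "DB-", "DC-", "SRV-")

# Constructed sample telemetry (not real logs). "teams-relay" stands in for a destination
# that resolved into Microsoft's relay address ranges.
SAMPLE_EVENTS = [
    {"host": "WS-ALICE", "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "proto": "udp", "dst_port": 3478, "dst_label": "teams-relay"},
    {"host": "WS-BOB", "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "proto": "udp", "dst_port": 3478, "dst_label": "teams-relay"},
    {"host": "WS-CAROL", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "proto": "tcp", "dst_port": 443, "dst_label": "exchange-online"},
    {"host": "WS-EVE", "image": r"C:\Tools\DbgView64.exe",
     "proto": "udp", "dst_port": 3478, "dst_label": "teams-relay"},
    {"host": "SQL-PROD01", "image": r"C:\Tools\DbgView64.exe",
     "proto": "udp", "dst_port": 443, "dst_label": "teams-relay"},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign or out of scope."""
    if event["dst_label"] != "teams-relay":
        return []
    if (event["proto"], event["dst_port"]) not in RELAY_PORTS:
        return []
    reasons = []
    name = image_name(event["image"])
    if name not in ALLOWED_RELAY_CLIENTS:
        reasons.append(f"relay traffic from non-Teams process {name}")
    if event["host"].upper().startswith(SERVER_PREFIXES):
        reasons.append("server-role host making Teams relay connections")
    return reasons


def find_relay_abuse(events):
    """Run classify() over a batch and group the findings per host."""
    findings = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            findings.setdefault(event["host"], []).append(
                {"image": image_name(event["image"]), "port": event["dst_port"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for host, hits in find_relay_abuse(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"{host}: {hit['image']} -> udp/{hit['port']}: {'; '.join(hit['reasons'])}")
```

On the constructed data the two DbgView64.exe sessions surface and the Teams and Edge sessions do not. The allowlist is the weak point: an implant injected into a Teams process instead of DbgView64.exe would pass it, so this check should sit alongside process-injection and driver-load telemetry rather than replace them, and a relay session that outlives any plausible call (hours rather than minutes) is worth a rule of its own where flow duration is available.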
This marks the first publicly documented instance of threat actors abusing Microsoft's Traversal Using Relays around NAT (TURN) infrastructure for C2. Initial access is suspected to have been gained by exploiting an unidentified vulnerability in a SQL server, possibly Microsoft SQL Server; alternatively, access may have been purchased from an initial access broker (IAB).
Initial malicious activity began in December 2025, when the attackers ran a PowerShell command to drop a ZIP archive under the pretext of a tech support hotfix. The archive staged a DLL side-loading attack, executing a rogue DLL that conducted reconnaissance, set up persistence, and disabled security software by loading a Huawei driver (HWAuidoOs2Ec.sys) via the bring your own vulnerable driver (BYOVD) technique. Other drivers used include wsftprm.sys (CVE-2023-52271), GameDriverX64.sys (CVE-2025-61155), K7RKScan.sys (CVE-2025-1055), and ABYSSWORKER, a custom malicious driver previously observed in Medusa ransomware attacks.
Notably, Backdoor.Turn was executed by injecting it into the legitimate DbgView64.exe process after DragonForce ransomware was deployed, suggesting an attempt to maintain continued access for later attacks or resale. The backdoor supports command execution, process creation, network scanning, LDAP and Active Directory search, credential-based lateral movement, and browser credential theft.
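The BYOVD stage is the loudest part of this chain: every driver load is kernel-logged, and a validly signed driver appearing in ProgramData or Temp is the tell, since signature checks alone pass it. As an added example (not code from the article, Symantec or Carbon Black), the block below triages constructed Sysmon EventID 6 (DriverLoad) style records on three independent signals. The file-name list is the one given in the write-up above; production blocklists such as the LOLDrivers project or Microsoft's vulnerable driver blocklist key on hashes and signers, which an offline name match cannot, and a renamed copy would evade it. The expected driver directories, host name and sample records are assumptions.

```python
"""Triage Sysmon EventID 6 (DriverLoad) style records for BYOVD activity.

Signals combined per record: a file name from the abused-driver list above, a load path
outside the normal driver directories, and a signature that did not validate. Each is weak
alone; a hit on two or more is what the DragonForce chain would have produced.
"""
import ntpath

# Driver names from the write-up, lower-cased for matching. Real detection keys on hashes.
ABUSED_DRIVER_NAMES = {"hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys"}

# Assumption: where drivers normally live; anything loaded from elsewhere deserves a look.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                        "c:\\windows\\system32\\driverstore\\")

# Constructed sample telemetry (not real logs); the last entry stands in for a custom
# driver like ABYSSWORKER whose name is not on any list.
SAMPLE_DRIVER_LOADS = [
    {"host": "SQL-PROD01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SignatureStatus": "Valid"},
    {"host": "SQL-PROD01", "ImageLoaded": r"C:\ProgramData\hotfix\HWAuidoOs2Ec.sys",
     "SignatureStatus": "Valid"},
    {"host": "SQL-PROD01", "ImageLoaded": r"C:\Windows\Temp\wsftprm.sys",
     "SignatureStatus": "Valid"},
    {"host": "SQL-PROD01", "ImageLoaded": r"C:\Windows\System32\drivers\GameDriverX64.sys",
     "SignatureStatus": "Valid"},
    {"host": "SQL-PROD01", "ImageLoaded": r"C:\Users\svc_backup\AppData\Local\Temp\upd.sys",
     "SignatureStatus": "Unavailable"},
]


def _reasons(event):
    """Return the list of suspicious signals for one driver-load record."""
    path = event["ImageLoaded"]
    name = ntpath.basename(path).lower()
    reasons = []
    if name in ABUSED_DRIVER_NAMES:
        reasons.append("known-abused driver name")
    if not path.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the driver directories")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not validated")
    return reasons


def triage_driver_loads(events):
    """Return findings for every record with at least one signal, strongest first."""
    findings = []
    for event in events:
        reasons = _reasons(event)
        if reasons:
            findings.append({"host": event["host"], "driver": event["ImageLoaded"],
                             "reasons": reasons})
    # Stable sort keeps input order among equally scored findings.
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_DRIVER_LOADS):
        print(f"{f['host']}: {f['driver']}: {'; '.join(f['reasons'])}")
```

The GameDriverX64.sys entry shows why the path heuristic is not enough on its own: a vulnerable driver copied into System32\drivers with a valid signature trips only the name match, which is exactly what hash-based blocklists exist for. Preventively, enabling Microsoft's vulnerable driver blocklist (Windows Security, Core isolation) or an equivalent WDAC policy refuses the listed drivers before any log line is written.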
The findings highlight DragonForce’s shift from a conventional ransomware-as-a-service (RaaS) model to a highly organized cartel structure, with advanced techniques becoming a hallmark of their post-2025 activity.
CVEs: CVE-2023-52271, CVE-2025-61155, CVE-2025-1055, CVE-2026-11645
Attack groups: DragonForce, Hackledorb, Medusa ransomware
Malware: Backdoor.Turn, ABYSSWORKER
Companies: Microsoft, Broadcom, Symantec, Carbon Black, Huawei, Praetorian
Products: Microsoft Teams, DbgView64
Original source: thehackernews.com