DragonForce Ransomware Exploits Microsoft Teams Relays to Conceal Malicious Command-and-Control Traffic
- Jun 18
- 3 min read
Key Findings
DragonForce ransomware operators deployed Backdoor.Turn, a custom Go-based remote access trojan that conceals command-and-control traffic within Microsoft Teams relay infrastructure
This marks the first publicly documented abuse of Microsoft's TURN relay servers by threat actors
Attackers maintained network access for one to two months while evading detection by routing malicious traffic through legitimate Microsoft servers
The group employed sophisticated defense evasion techniques including DLL sideloading, bring-your-own-vulnerable-driver (BYOVD) attacks, and exploitation of multiple driver vulnerabilities
DragonForce has evolved from a ransomware-as-a-service model to a highly organized cartel structure with advanced cyber tradecraft capabilities
Background
DragonForce ransomware operators compromised a major U.S. services firm in December 2025. Researchers from Broadcom-owned Symantec and Carbon Black attribute the initial compromise to exploitation of an unknown SQL or MSSQL server vulnerability, though initial access from a broker cannot be ruled out. The attackers maintained presence on the victim network for between one and two months before deploying ransomware and installing persistent backdoor access.
Backdoor.Turn Technical Operation
Backdoor.Turn represents a novel approach to command-and-control obfuscation. The malware requests an anonymous Teams visitor token from Microsoft's Skype identity services, then leverages legitimate Microsoft TURN relay servers to establish initial connectivity. Once the relay-assisted setup completes, it establishes a direct QUIC session to the attacker's command-and-control infrastructure. To network defenders, all observable traffic appears as routine outbound connections to legitimate Microsoft Teams servers.
The backdoor supports extensive operational capabilities including command execution, process creation, network scanning, LDAP and Active Directory queries, credential-based lateral movement, and browser credential theft. Its functionality suggests deployment for maintaining continued access beyond the ransomware deployment for potential data exfiltration or network resale.
Attack Chain and Defense Evasion
Initial compromise leveraged a PowerShell command to deploy a ZIP archive disguised as a tech support hotfix. This archive executed a DLL sideloading attack using legitimate VirtualBox executables to load malicious DLL payloads, allowing code execution through trusted processes. The operators then employed BYOVD techniques to disable security software by exploiting vulnerable legitimate drivers including a Huawei audio driver and multiple publicly disclosed driver vulnerabilities.
The attackers modified firewall rules and system settings to establish persistence and prepare the environment. After approximately one to two months of reconnaissance and lateral movement, they deployed DragonForce ransomware while simultaneously injecting Backdoor.Turn into the legitimate DbgView64.exe process to maintain post-encryption access.
Vulnerable Drivers Exploited
The attackers utilized multiple vulnerable drivers to achieve kernel-level access and disable security controls. These included CVE-2023-52271 in Topaz Antifraud, CVE-2025-61155 in Tower of Fantasy, and CVE-2025-1055 in K7 Security Anti-Malware. Additionally, they deployed ABYSSWORKER, a custom-built malicious driver previously associated with Medusa ransomware attacks. The Huawei driver exploitation was facilitated through a custom tool called Havoc Process Terminator.
Implications for Enterprise Security
The attack demonstrates a fundamental challenge for enterprise defense: implicit organizational trust in collaboration platforms. Security tools and firewalls typically treat Microsoft Teams traffic as benign, creating a blind spot for detection systems. By routing malicious communications through this trusted infrastructure, attackers bypass conventional network monitoring while maintaining operational flexibility.
The tactics reflect DragonForce's transition to a more formalized cartel structure with continuous capability development. Security researchers assessed the group as among the most capable and persistent ransomware operations active today, characterized by investment in custom tooling, advanced defense evasion, and sophisticated infrastructure abuse techniques.
Sources
https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html
https://hackread.com/dragonforce-ransomware-microsoft-teams-malware/
https://www.scworld.com/brief/dragonforce-ransomware-uses-microsoft-teams-for-covert-command-and-control
https://www.security.com/blog-post/dragonforce-msteams-backdoor
https://www.securityweek.com/microsoft-teams-relay-servers-abused-in-dragonforce-ransomware-attack
https://www.linkedin.com/posts/the-cyber-security-hub_ransomware-gang-abuses-microsoft-teams-relays-activity-7472664316324974592-al2q

Comments