Threat actors linked to the DragonForce ransomware operation have been observed using a custom Go-based remote access trojan, tracked as Backdoor.Turn, to hide command-and-control (C2) communications inside Microsoft Teams relay infrastructure. The activity was identified by researchers from Symantec and Carbon Black, both owned by Broadcom, during an investigation at a major U.S. services company whose identity was not disclosed. According to the researchers, the malware obtains an anonymous Microsoft Teams visitor token through Skype-backed identity services and uses a legitimate Microsoft TURN relay server to establish connectivity before opening a QUIC session to the attackers' actual C2 infrastructure. Network defenders monitoring the victim environment would therefore see only outbound traffic to legitimate Microsoft Teams servers, which makes the malicious activity significantly harder to detect. The researchers noted that the attackers maintained access to the targeted network for roughly one to two months without their covert operations being noticed.
The discovery is the first publicly documented case of threat actors abusing Microsoft's TURN (Traversal Using Relays around NAT) infrastructure as part of a ransomware-related intrusion. Investigators believe initial access may have come from exploiting a vulnerability in an SQL server, possibly Microsoft SQL Server, although the exact flaw has not been identified; another possibility is that access was purchased from an initial access broker. Malicious activity in the compromised environment began in December 2025, when the attackers ran a PowerShell command to deploy a ZIP archive disguised as a technical-support hotfix. The archive set up a DLL side-loading attack that launched a malicious dynamic-link library designed to perform reconnaissance, establish persistence, and disable security protections. To suppress defensive tools, the attackers deployed a Huawei driver identified as HWAuidoOs2Ec.sys. This is the bring-your-own-vulnerable-driver (BYOVD) technique, in which a legitimately signed but vulnerable driver is loaded and then exploited to bypass security controls from kernel mode; the method is increasingly used by ransomware groups.
Researchers also found evidence that DragonForce operators used several additional drivers to weaken endpoint protections: wsftprm.sys (CVE-2023-52271), GameDriverX64.sys (CVE-2025-61155), K7RKScan.sys (CVE-2025-1055), and ABYSSWORKER, a custom malicious driver previously seen in Medusa ransomware attacks. One of the more notable aspects of the campaign is that Backdoor.Turn was executed after the DragonForce ransomware payload had already been deployed. The malware was injected into the legitimate DbgView64.exe process, suggesting the attackers intended to keep persistent access to compromised systems even after encryption was complete. Researchers believe this could let the group conduct follow-on attacks, steal additional data, or resell access to other cybercriminals. Backdoor.Turn itself supports a broad range of capabilities, including command execution, process creation, network scanning, Active Directory and LDAP queries, credential-based lateral movement, and browser credential theft.
The malware's communication mechanism is based on a stealth technique known as Ghost Calls, first documented by Praetorian in 2025, which tunnels C2 traffic through the TURN relays that web-conferencing platforms run for their own media sessions. According to Symantec and Carbon Black, the backdoor requests a Teams visitor authentication token through Skype identity services and then interacts with Teams infrastructure to establish outbound connectivity. During setup, a legitimate Microsoft TURN relay server carries the initial communication before the malware opens a direct QUIC connection to the malicious C2 server. Researchers said the campaign highlights DragonForce's growing use of sophisticated methods designed to evade detection while enabling covert data theft and long-term access to victim networks. The findings are particularly significant because Hackledorb, the threat actor associated with DragonForce, has transitioned from a traditional ransomware-as-a-service (RaaS) operation into a more structured, cartel-style organization. Symantec stated that the group's activity since 2025 has shown continuous capability development, with advanced techniques such as Backdoor.Turn and multi-layered BYOVD evasion becoming defining characteristics of its operations. These developments reinforce DragonForce's position among the more capable and persistent ransomware groups currently targeting enterprise environments.
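The two behaviours this report describes, a non-Teams process talking to a Microsoft TURN relay and then opening a QUIC session, and a vulnerable driver being loaded for BYOVD, both leave ordinary endpoint telemetry. The Python below is an added example, not code from the original report or from Symantec or Carbon Black, that sketches a triage pass over Sysmon-style event records (Event ID 3 NetworkConnect and Event ID 6 DriverLoad, whose field names are real). The process allowlist, the rule names and every sample record are constructed assumptions for the example; the Teams relay UDP port range 3478-3481 is from Microsoft's published Teams network requirements.

```python
"""Detection sketch: TURN-relay traffic from a non-Teams process, a QUIC
session from the same process afterwards, and loads of the vulnerable
drivers named in the report.  Works on Sysmon-style event dicts; the
sample records at the bottom are constructed for this example."""

# Microsoft Teams media relays listen on UDP 3478-3481 (documented Teams
# network requirements); the malware's first hop lands on one of these.
TURN_PORTS = {3478, 3479, 3480, 3481}

# Assumption: the only processes expected to talk to Teams relays on this
# host.  Tune to your estate (browser-based Teams, Teams Rooms, etc.).
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

# Driver file names called out in the report, lower-cased for matching.
# Name-only matching is a weak indicator; a production rule should pin
# the signer and file hash of the known-vulnerable builds.
SUSPECT_DRIVERS = {
    "hwauidoos2ec.sys",   # Huawei driver, spelled as in the report
    "wsftprm.sys",        # CVE-2023-52271
    "gamedriverx64.sys",  # CVE-2025-61155
    "k7rkscan.sys",       # CVE-2025-1055
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return a list of alert dicts for the events, in event order.

    Rules (names are this example's own):
      turn_relay_from_non_teams_process  EID 3, UDP to a TURN port from an
                                         image not in TEAMS_PROCESSES
      quic_after_relay_from_same_process EID 3, UDP/443 from an (image, pid)
                                         that already hit a relay
      vulnerable_driver_loaded           EID 6, driver name in SUSPECT_DRIVERS
    """
    alerts = []
    relay_talkers = set()  # (image, pid) pairs already seen on a relay port

    for ev in events:
        eid = ev.get("EventID")

        if eid == 3:  # NetworkConnect
            image = basename(ev["Image"])
            key = (image, ev["ProcessId"])
            port = int(ev["DestinationPort"])
            proto = str(ev.get("Protocol", "")).lower()

            if proto == "udp" and port in TURN_PORTS:
                if image not in TEAMS_PROCESSES:
                    relay_talkers.add(key)
                    alerts.append({
                        "rule": "turn_relay_from_non_teams_process",
                        "image": image, "pid": ev["ProcessId"],
                        "dst": f"{ev['DestinationIp']}:{port}",
                    })
            elif proto == "udp" and port == 443 and key in relay_talkers:
                # QUIC runs over UDP/443; a relay hop followed by QUIC from
                # the same non-Teams process matches the reported pattern.
                alerts.append({
                    "rule": "quic_after_relay_from_same_process",
                    "image": image, "pid": ev["ProcessId"],
                    "dst": f"{ev['DestinationIp']}:{port}",
                })

        elif eid == 6:  # DriverLoad
            driver = basename(ev["ImageLoaded"])
            if driver in SUSPECT_DRIVERS:
                alerts.append({
                    "rule": "vulnerable_driver_loaded",
                    "driver": driver, "path": ev["ImageLoaded"],
                })

    return alerts


# Constructed sample: a legitimate Teams client, then the injected
# DbgView64.exe making the relay hop and the QUIC session, then two
# driver loads.  IPs and paths are made up (52.112.0.0/14 is a published
# Teams range; 203.0.113.0/24 is documentation address space).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe",
     "ProcessId": 4120, "Protocol": "udp",
     "DestinationIp": "52.112.0.10", "DestinationPort": 3478},
    {"EventID": 3, "Image": r"C:\Users\Public\DbgView64.exe",
     "ProcessId": 7788, "Protocol": "udp",
     "DestinationIp": "52.112.0.10", "DestinationPort": 3478},
    {"EventID": 3, "Image": r"C:\Users\Public\DbgView64.exe",
     "ProcessId": 7788, "Protocol": "udp",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\HWAuidoOs2Ec.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The point of the first rule is process attribution rather than destination reputation: the relay IP is genuinely Microsoft's, so a destination-based control passes it, and only the fact that DbgView64.exe rather than a Teams client is making the connection stands out. The QUIC rule is deliberately scoped to processes that already tripped the relay rule, since legitimate Teams clients also use UDP/443.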