Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
#Cybersecurity


Security Reporter

DragonForce ransomware operators deployed custom Go-based malware to route command-and-control traffic through Microsoft Teams' TURN relay infrastructure, hiding malicious communications within trusted network traffic.

DragonForce ransomware operators hid command-and-control traffic inside Microsoft Teams relay infrastructure using custom malware called Backdoor.Turn. The malware abuses the Traversal Using Relays around NAT (TURN) protocol, which Teams uses to relay calls and media through Microsoft servers when a direct peer-to-peer connection between clients cannot be established.

Symantec researchers identified the technique in an attack against a major U.S. services company in December 2025. Backdoor.Turn, a Go-based remote access trojan, is the first known malware to abuse Microsoft Teams' TURN relay servers for command-and-control communications.

"Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic," Symantec said.

The malware first obtains an anonymous Teams visitor token, uses it to open a relay session on a legitimate Microsoft TURN server, and then talks to the attacker's command-and-control server through that relay. On the wire, security teams see only a connection from the victim host to Microsoft Teams infrastructure; the onward hop from the relay to the attacker is Microsoft's traffic, not the victim's, which lets the malware blend into trusted network patterns.

Praetorian demonstrated a related technique in 2025, dubbed Ghost Calls, showing that the temporary TURN credentials issued to Teams and Zoom clients are enough to turn the vendors' conferencing relays into covert communication tunnels. Backdoor.Turn is the first known use of this approach in a live attack.

Attack chain

The attack began with the exploitation of an unidentified flaw in a SQL or MSSQL server, Symantec said. The attacker then downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL that the executable sideloads.

From there, the attacker created rogue user accounts, abused Windows' LimitBlankPasswordUse policy (which, when disabled, allows network logons to local accounts that have blank passwords) for easy access, and modified firewall rules to maintain persistence.

The attacker then used Bring Your Own Vulnerable Driver (BYOVD) techniques with multiple drivers to obtain kernel-level privileges and terminate security tools. Drivers included Huawei's HWAuidoOs2Ec.sys (dubbed "Havoc Process Terminator"), Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055). The attacker also deployed ABYSSWORKER, a custom malicious driver masquerading as a legitimate Palo Alto driver.

After completing reconnaissance and disabling defenses, the attacker exfiltrated data and deployed DragonForce ransomware to encrypt the victim's systems.

DragonForce has operated since at least 2023 and adopted a cartel-style organizational structure. The group has been linked to the Scattered Spider threat group.

Backdoor.Turn capabilities

The RAT was injected into DbgView64.exe after deploying the ransomware, suggesting it was intended for persistence or future access. Its capabilities include:

  • Command execution and process creation
  • Network scanning
  • TLS certificate capturing
  • LDAP and Active Directory searching
  • Website title collection
  • Browser credential theft

Symantec published a complete list of indicators of compromise to help defenders detect and block similar attacks.

Defending against Teams-based C2

The technique highlights a growing trend of attackers abusing legitimate collaboration tools for command-and-control communications. Traditional network monitoring tools often classify Teams traffic as trusted, which gives malware using these channels an advantage.

Defenders should not rely on destination-based allow-lists here: the relay endpoints are Microsoft's own, so the useful signal is which host and which process opened the relay session. Look for TURN allocations from servers and service accounts that never run a Teams client, for processes other than the Teams client opening relay sessions, and for unusual volumes of relay traffic from a single host. Endpoint detection tools that inspect process behavior rather than relying solely on network signatures can catch injected processes like DbgView64.exe.
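The check described above and the relay mechanism in the earlier section, as an added example (not Symantec's or Microsoft's code): it parses STUN/TURN message headers (RFC 5389 / RFC 5766) from raw packet bytes, keeps only Allocate requests (the message that actually opens a relay), and flags those that did not originate from a Teams client process. The packets, host names, process names, the allowed-process list and the relay address are all constructed for the example.

```python
"""Tie TURN relay allocations back to the process that made them.

Added example, not code from the article or from Symantec/Microsoft. All
packets, hosts, process names and the relay address are constructed.
"""
import os
import struct
from collections import Counter

MAGIC_COOKIE = 0x2112A442
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_USERNAME, ATTR_LIFETIME, ATTR_REQUESTED_TRANSPORT = 0x0006, 0x000D, 0x0019
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}  # assumption: the client binaries you allow


def split_type(msg_type):
    """Undo the RFC 5389 interleaving of the 12-bit method and 2-bit class."""
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    return method, cls


def join_type(method, cls):
    """Inverse of split_type; used only to build the sample packets."""
    t = (method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
    return t | ((cls & 1) << 4) | ((cls & 2) << 7)


def parse_stun(pkt):
    """Return method/class/attributes for a well-formed STUN message, else None."""
    if len(pkt) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", pkt[:8])
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or len(pkt) < 20 + length:
        return None
    method, cls = split_type(msg_type)
    attrs, off, end = {}, 20, 20 + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", pkt[off:off + 4])
        value = pkt[off + 4:off + 4 + alen]
        if len(value) != alen:
            return None
        attrs[atype] = value
        off += 4 + (alen + 3) // 4 * 4  # attribute values are padded to 4 bytes
    return {"method": METHODS.get(method, hex(method)), "class": CLASSES[cls], "attrs": attrs}


def build_stun(method, cls, attrs=()):
    """Build a STUN/TURN message; used only for the constructed sample flows."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4) for t, v in attrs)
    return struct.pack("!HHI", join_type(method, cls), len(body), MAGIC_COOKIE) + os.urandom(12) + body


def find_rogue_allocations(flows, allowed=TEAMS_PROCESSES):
    """Flag TURN Allocate requests from processes that are not the Teams client.

    flows: iterable of (host, process, relay, payload) as an EDR/NDR join would
    provide. Binding requests are ignored: only Allocate opens a relay.
    """
    alerts = []
    for host, proc, relay, payload in flows:
        msg = parse_stun(payload)
        if not msg or (msg["method"], msg["class"]) != ("Allocate", "request"):
            continue
        if proc.lower() in allowed:
            continue
        proto = msg["attrs"].get(ATTR_REQUESTED_TRANSPORT, b"\x00")[0]
        alerts.append({"host": host, "process": proc, "relay": relay,
                       "transport": {17: "udp", 6: "tcp"}.get(proto, proto),
                       "username": msg["attrs"].get(ATTR_USERNAME, b"").decode(errors="replace")})
    return alerts


def allocations_per_host(flows):
    """Allocate-request count per host, for the 'unusual volume' check."""
    counts = Counter()
    for host, _, _, payload in flows:
        msg = parse_stun(payload)
        if msg and (msg["method"], msg["class"]) == ("Allocate", "request"):
            counts[host] += 1
    return counts


# Constructed flows: a Teams client doing a normal allocation, and a
# sideloaded DbgView64.exe doing the same thing from a server.
RELAY = "203.0.113.10:3478"  # placeholder address, not a real Microsoft relay
ALLOC_REQ = build_stun(0x003, 0, [(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0])),
                                  (ATTR_USERNAME, b"visitor:000000000000"),
                                  (ATTR_LIFETIME, struct.pack("!I", 600))])
FLOWS = [
    ("WS01", "ms-teams.exe", RELAY, ALLOC_REQ),
    ("WS01", "ms-teams.exe", RELAY, build_stun(0x003, 2, [(ATTR_LIFETIME, struct.pack("!I", 600))])),
    ("SRV07", "DbgView64.exe", RELAY, build_stun(0x001, 0)),
    ("SRV07", "DbgView64.exe", RELAY, ALLOC_REQ),
    ("SRV07", "DbgView64.exe", RELAY, b"not a stun message"),
]

if __name__ == "__main__":
    for alert in find_rogue_allocations(FLOWS):
        print("ALERT", alert)
    print(allocations_per_host(FLOWS))
```

The process field is the part a pure network sensor cannot supply; in practice it comes from an EDR flow-to-process join. Matching on the Allocate method rather than on any STUN packet matters, because a Binding request alone is harmless NAT discovery and would drown the alert in noise.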

Organizations should also apply BYOVD protections: enable Microsoft's vulnerable driver blocklist (enforced when memory integrity/HVCI or Smart App Control is on, or through a WDAC policy), block the drivers named above by hash, and alert on new kernel-mode driver services (System log Event ID 7045), particularly drivers loading from user-writable directories.
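The driver-install monitoring suggested above, as an added example (not from Symantec or Microsoft): it triages Windows Event ID 7045 records for kernel-mode driver installs, matching the file names of the vulnerable drivers listed in this article and flagging drivers that load from outside the normal driver directories. The event records are constructed; the name watchlist and directory list are assumptions for the example.

```python
"""Triage 'service installed' events (System log, Event ID 7045) for
kernel-mode driver installs worth a second look.

Added example, not from the article, Symantec or Microsoft. The event
records below are constructed; in practice they come from a SIEM export
or Get-WinEvent.
"""
import ntpath

# File names from the article's driver list. Names are trivially changed, so a
# production rule should match SHA-256 hashes from Microsoft's vulnerable
# driver blocklist instead; this name list is only a triage aid.
WATCHLIST = {
    "hwauidoos2ec.sys": "Huawei driver used by Havoc Process Terminator",
    "wsftprm.sys": "Topaz Antifraud, CVE-2023-52271",
    "gamedriverx64.sys": "Tower of Fantasy GameDriver, CVE-2025-61155",
    "k7rkscan.sys": "K7 Security, CVE-2025-1055",
}
# Assumed 'normal' homes for kernel drivers on a default install.
EXPECTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def normalize_image_path(image_path, system_root=r"C:\Windows"):
    """Map the forms seen in 7045 ImagePath (\\??\\..., \\SystemRoot\\...,
    bare system32\\...) to one Win32 path so directory checks are uniform."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = system_root + p[len("\\SystemRoot"):]
    elif low.startswith("system32\\"):
        p = system_root + "\\" + p
    return p


def scan_driver_installs(events):
    """Return findings for kernel-driver installs; user-mode services are skipped."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045 or "kernel mode driver" not in ev.get("ServiceType", "").lower():
            continue
        path = normalize_image_path(ev["ImagePath"])
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        base = {"service": ev["ServiceName"], "path": path}
        if name in WATCHLIST:
            findings.append({**base, "rule": "known-vulnerable-driver", "detail": WATCHLIST[name]})
        if not directory.startswith(EXPECTED_DIRS):
            findings.append({**base, "rule": "driver-outside-system-dirs", "detail": directory})
    return findings


# Constructed 7045 records, keyed by the EventData field names the event uses.
EVENTS = [
    {"EventID": 7045, "ServiceName": "wsftprm", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\Public\wsftprm.sys", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "HWAudio", "ServiceType": "kernel mode driver",
     "ImagePath": r"\SystemRoot\System32\drivers\HWAuidoOs2Ec.sys", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "vmbus", "ServiceType": "kernel mode driver",
     "ImagePath": r"system32\drivers\vmbus.sys", "StartType": "boot start"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc", "ServiceType": "user mode service",
     "ImagePath": r"C:\Program Files\Updater\svc.exe", "StartType": "auto start"},
    {"EventID": 7036, "ServiceName": "wsftprm", "ServiceType": "", "ImagePath": ""},
]

if __name__ == "__main__":
    for finding in scan_driver_installs(EVENTS):
        print(finding["rule"], finding["service"], finding["path"], "-", finding["detail"])
```

A driver dropped into C:\Users\Public, as in the first record, trips both rules; the same vulnerable driver copied into System32\drivers trips only the name rule, which is why the blocklist hash check, not the path, has to be the enforcement layer. A renamed driver such as ABYSSWORKER posing as a vendor driver would evade the name rule entirely and is caught only by signature or hash checks.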
