
DragonForce Hackers Exploit Microsoft Teams to Conceal Backdoor Traffic

"Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server," the Threat Hunter Team said in a report shared with The Hacker News.

How Backdoor.Turn hides inside Microsoft Teams relay infrastructure

Researchers at Broadcom-owned Symantec and Carbon Black documented a custom Go-based remote access trojan (RAT) — Backdoor.Turn — that leverages Microsoft Teams relay infrastructure to mask command-and-control activity. The malware requests an anonymous Teams visitor token from Skype-backed identity services, uses a legitimate Microsoft TURN relay during connection setup, and then establishes a QUIC session to the attackers’ C2 server. To network defenders observing traffic, the only outward evidence was connections to legitimate Microsoft Teams servers.

DragonForce, Hackledorb, and the operational context

Symantec and Carbon Black attribute the activity to threat actors associated with the DragonForce ransomware family. The companies report the victim was a major U.S. services firm; the organization’s name was not disclosed. The timeline shows initial malicious activity beginning in December 2025 and the attackers maintaining presence on the victim network for between one and two months. The reporting also notes that Hackledorb, the actor behind DragonForce, has moved from a ransomware-as-a-service model to a more formalized cartel structure, and that the group’s post-2025 activity reflects continuous capability development.

Attack chain observed on the victim network

According to the report, the intruders likely gained initial access by exploiting a vulnerability in an SQL or MS-SQL server, although the exact flaw was not identified; researchers also said initial access could have been purchased from an initial access broker (IAB). The first observed malicious action in December 2025 was a PowerShell command that dropped a ZIP archive disguised as a tech support hotfix. That ZIP launched a DLL side-loading attack which executed a rogue DLL to perform reconnaissance, establish persistence, and silence security software.

The backdoor was later executed by injecting it into the legitimate DbgView64.exe process after DragonForce ransomware had been deployed — an apparent attempt to maintain access to the host after the initial ransomware activity, either for follow-on intrusions or for resale.

Bring Your Own Vulnerable Driver (BYOVD) and other evasion techniques

Symantec and Carbon Black reported the use of a Huawei driver, HWAuidoOs2Ec.sys, to disable or evade security controls — a technique described as bring your own vulnerable driver (BYOVD). The report places that driver in a broader pattern: the same evasion approach has been used with other drivers and in other campaigns. The advisory lists additional drivers observed in similar activity, including wsftprm.sys (CVE-2023-52271), GameDriverX64.sys (CVE-2025-61155), K7RKScan.sys (CVE-2025-1055), and a custom malicious driver called ABYSSWORKER previously tied to Medusa ransomware attacks.
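The driver names above are the practical starting point for an inventory check. The following script is an added example, not tooling from the Symantec and Carbon Black report: it reads a constructed driver inventory in a hypothetical `name,path` format (as you might export from `driverquery` or an EDR), flags any loaded driver whose file name matches one listed in the report, and separately flags drivers loaded from outside the usual driver directories. The expected-directory list and the sample inventory are assumptions for illustration; a production check should match on file hashes against a maintained vulnerable-driver blocklist rather than on names, which an attacker can trivially change.

```python
"""Audit a driver inventory against the BYOVD driver names in the report.

Added example, not Symantec/Carbon Black code. Inventory lines are
constructed ("name,path"); the expected driver directories are an assumption.
"""
import ntpath

# File names the report lists as used for BYOVD in this and related campaigns
# (spelling as reported). Name matching is a first pass only; hash matching
# against a maintained blocklist is the durable control.
REPORTED_BYOVD_DRIVERS = {
    "hwauidoos2ec.sys",   # Huawei driver used in the DragonForce intrusion
    "wsftprm.sys",        # CVE-2023-52271
    "gamedriverx64.sys",  # CVE-2025-61155
    "k7rkscan.sys",       # CVE-2025-1055
}

# Where third-party kernel drivers are normally staged on Windows (assumption).
EXPECTED_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)


def review_driver(name: str, path: str) -> list[str]:
    """Return a list of findings for one loaded driver (empty if nothing odd)."""
    findings = []
    # Prefer the on-disk file name; fall back to the service name.
    base = ntpath.basename(path).lower() or name.lower()
    if base in REPORTED_BYOVD_DRIVERS:
        findings.append("matches driver name listed in BYOVD report")
    if not path.lower().startswith(EXPECTED_DIRS):
        findings.append("loaded from unexpected path")
    return findings


# Constructed inventory: one benign driver, one reported driver dropped into a
# user-writable directory, one reported driver in the normal location.
SAMPLE_INVENTORY = """\
disk,C:\\Windows\\System32\\drivers\\disk.sys
HWAuidoOs2Ec,C:\\Users\\Public\\HWAuidoOs2Ec.sys
k7rkscan,C:\\Windows\\System32\\drivers\\K7RKScan.sys
"""


def audit(inventory: str) -> dict[str, list[str]]:
    """Map driver name -> findings for every driver that raised at least one."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, path = line.split(",", 1)
        findings = review_driver(name, path)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for drv, reasons in audit(SAMPLE_INVENTORY).items():
        print(f"{drv}: {'; '.join(reasons)}")
```

Note that the K7RKScan.sys entry is flagged on name alone even though it sits in the normal driver directory: a legitimately installed copy of a driver with a known vulnerability is still a BYOVD candidate, because the attacker's goal is to load a signed driver with an exploitable flaw, not necessarily a driver from an odd location.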

Ghost Calls, QUIC, and the technical lineage of the technique

Backdoor.Turn’s TURN-based mechanism builds on a stealth C2 technique called Ghost Calls, which Praetorian documented in August 2024. In this implementation, the malicious code uses Teams-associated infrastructure only for setting up the connection via a TURN relay; after that relay-assisted setup, the malware establishes a direct QUIC session to the attacker-controlled C2 server. The backdoor’s capabilities are broad and include command execution, process creation, network scanning, LDAP and Active Directory searches, credential-based lateral movement, and browser credential theft.

What this means for technologists, affected enterprises, and incident responders

  • Technologists and security teams: Expect to see C2 techniques that blend legitimate cloud services with direct-encrypted channels; detection approaches that rely solely on identifying connections to sanctioned cloud endpoints will miss the later QUIC sessions that carry malicious payloads.
  • Affected enterprises and procurement leaders: The case shows attackers using DLL side-loading and BYOVD drivers — enterprises should inventory driver usage and review any externally sourced binary or update mechanisms for similar risks.
  • Incident responders: The observed sequence — initial PowerShell drop, ZIP archive, DLL side-loading, rogue DLL reconnaissance, BYOVD persistence, plus post-ransomware process injection — underscores a multi-stage response requirement, including kernel-driver inspection and post-ransomware host recovery to detect latent backdoors injected into legitimate processes like DbgView64.exe.
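The detection caveat in the first bullet, and the relay-then-direct-QUIC sequence described under Ghost Calls above, can be turned into a simple hunt. The script below is an added example, not code from the report or from Symantec and Carbon Black. It reads constructed flow records in a hypothetical CSV layout (`timestamp,src_host,dst_ip,proto,dst_port,server_name`, where `server_name` is the TLS/QUIC server name the sensor observed, empty if none) and alerts when a host opens a QUIC session (UDP/443) that carries no recognisable server name within a short window of contacting a Microsoft Teams or Skype endpoint. The Microsoft domain suffixes, the window length, and the sample flows are all assumptions for illustration.

```python
"""Hunt for the Teams-relay-then-direct-QUIC sequence described for Backdoor.Turn.

Added example, not Symantec/Carbon Black code. Flow records are constructed
and use a hypothetical CSV layout; the Microsoft suffixes are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed suffixes for Microsoft Teams/Skype relay and identity endpoints.
# A production rule should use the vendor's published endpoint list instead.
MICROSOFT_SUFFIXES = ("microsoft.com", "skype.com")


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    sni: str  # server name seen by the sensor, "" if none


def parse_flow(line: str) -> Flow:
    ts, src, dst, proto, dport, sni = line.split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, proto, int(dport), sni)


def is_microsoft(sni: str) -> bool:
    return sni != "" and sni.endswith(MICROSOFT_SUFFIXES)


def find_relay_then_quic(flows, window=timedelta(minutes=10)):
    """Return (src, dst, ts) for each QUIC (UDP/443) flow with no server name
    that a host opens within `window` of contacting a Microsoft endpoint.

    QUIC flows that still carry a recognisable server name (ordinary web
    browsing after a Teams call) are deliberately left alone; the reported
    backdoor's later session goes straight to the attacker's server, which is
    what an allowlist of sanctioned cloud endpoints alone would never see.
    """
    alerts = []
    last_ms_contact = {}  # src host -> time of most recent Microsoft contact
    for f in sorted(flows, key=lambda f: f.ts):
        if is_microsoft(f.sni):
            last_ms_contact[f.src] = f.ts
            continue
        if f.proto == "udp" and f.dport == 443 and f.sni == "":
            seen = last_ms_contact.get(f.src)
            if seen is not None and f.ts - seen <= window:
                alerts.append((f.src, f.dst, f.ts.isoformat()))
    return alerts


# Constructed sample: ws-17 shows the reported pattern (identity call, TURN
# relay on UDP/3478, then bare QUIC to a non-Microsoft address); ws-22 is
# normal Teams use followed by browsing; ws-31 never touched Microsoft.
SAMPLE_LOG = """\
2025-12-10T09:00:00,ws-17,52.114.0.1,tcp,443,api.skype.com
2025-12-10T09:00:05,ws-17,52.114.0.2,udp,3478,relay.teams.microsoft.com
2025-12-10T09:00:30,ws-17,203.0.113.10,udp,443,
2025-12-10T09:05:00,ws-22,52.114.0.1,tcp,443,teams.microsoft.com
2025-12-10T09:06:00,ws-22,142.250.0.1,udp,443,www.google.com
2025-12-10T09:07:00,ws-31,198.51.100.7,udp,443,
"""


def analyze(log: str):
    flows = [parse_flow(line) for line in log.splitlines() if line.strip()]
    return find_relay_then_quic(flows)


if __name__ == "__main__":
    for src, dst, ts in analyze(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: direct QUIC shortly after Teams relay/identity contact")
```

Two practical points follow from the sample. The ws-31 flow is not raised here because the hunt keys on the relay-first sequence the report describes; a bare QUIC session to an unnamed address with no preceding Teams activity is a separate, broader hunt. And the rule depends on the sensor exposing the QUIC server name at all, which requires a platform that parses the QUIC Initial packet (Zeek's QUIC analyzer does) rather than treating UDP/443 as opaque.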

The Symantec and Carbon Black findings sketch an intrusion that is both surgical and stealthy: legitimate Microsoft infrastructure is used to obfuscate setup, vulnerable drivers are repurposed to blunt defenses, and a post-ransomware injection preserves access for later use or resale. Key practical questions remain in the public record — notably the precise vulnerability that allowed initial access — but the documented elements already offer a concrete playbook for defenders to check against their own environments.

Original reporting: The Hacker News — DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic