
DragonForce Ransomware Exploits Microsoft Teams to Facilitate Months-Long Breach


"The attackers in this campaign use exceptionally sophisticated cyber tradecraft," researchers warned in the blog post.

Backdoor.Turn: a Go-based RAT hiding in Microsoft Teams TURN relays

Symantec and Carbon Black published an investigation on 16 June describing a previously unseen backdoor the researchers call Backdoor.Turn. Written in Go, the backdoor abuses Microsoft Teams' TURN relay servers to mask command-and-control (C&C) traffic. According to the report, Backdoor.Turn first obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services, uses that token to set up a connection through a legitimate Microsoft TURN relay, and then runs a QUIC session over the relayed connection between the infected endpoint and an attacker-controlled server.

Because the traffic presents as outbound connections to legitimate Microsoft Teams servers, the researchers said security products that judge traffic by its destination see only normal Teams activity while data is siphoned off to the attackers.
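The destination alone cannot separate Backdoor.Turn from a Teams call, so a detector has to bring in who owns the socket and how the session behaves. The script below is an added example, not code from the Symantec and Carbon Black report or from the backdoor itself. It assumes flow records have already been joined with process telemetry (EDR or Sysmon event 3) so each flow carries the owning image and its code signer; the relay prefixes and ports, the Teams image names, the heuristic thresholds and the sample flows are all constructed for illustration, and an operator would load real relay ranges from Microsoft's published Microsoft 365 endpoint list.

```python
"""Network-side triage for C&C hiding in Microsoft Teams relay traffic.

Added example, not code from the report. Flow records are assumed to be
pre-joined with process telemetry. Relay networks, ports, Teams image names
and thresholds are placeholders for the example; load real values from the
Microsoft 365 endpoint list and the environment's own software inventory.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    host: str          # endpoint that opened the connection
    image: str         # process image name owning the socket
    signer: str        # Authenticode signer of the image ("" if unsigned)
    dst_ip: str
    dst_port: int
    proto: str         # "udp" or "tcp"
    duration_s: int
    bytes_out: int
    bytes_in: int


# Assumption: relay address space and ports as loaded from the M365 endpoint list.
TEAMS_RELAY_NETS = [ip_network("52.112.0.0/14"), ip_network("52.122.0.0/15")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481, 443}
# Assumption: image names of the legitimate Teams clients in this environment.
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}
MICROSOFT_SIGNER = "Microsoft Corporation"

# Heuristic thresholds (assumptions; tune per environment). A relay session this
# long, with this much more data leaving than arriving, looks like exfiltration
# rather than a call.
LONG_SESSION_S = 6 * 3600
EXFIL_RATIO = 20.0


def is_teams_relay(dst_ip: str, dst_port: int) -> bool:
    """True if the destination is inside the relay ranges on a relay port."""
    addr = ip_address(dst_ip)
    return dst_port in TEAMS_RELAY_PORTS and any(addr in net for net in TEAMS_RELAY_NETS)


def triage(flows: list[Flow]) -> list[dict]:
    """One finding per suspicious relay flow; a relay destination by itself is never enough."""
    findings = []
    for f in flows:
        if not is_teams_relay(f.dst_ip, f.dst_port):
            continue
        dst = f"{f.dst_ip}:{f.dst_port}/{f.proto}"
        if f.image.lower() not in TEAMS_IMAGES or f.signer != MICROSOFT_SIGNER:
            # Legitimate relay destination, but the socket belongs to something other
            # than a Microsoft-signed Teams client: the pattern Backdoor.Turn relies on.
            findings.append({"host": f.host, "image": f.image, "dst": dst,
                             "reason": "non-Teams process talking to Teams relay"})
        elif f.duration_s > LONG_SESSION_S and f.bytes_out > EXFIL_RATIO * max(f.bytes_in, 1):
            # A genuine client can also be abused, so long, lopsided sessions get a
            # second look instead of being trusted on the image name alone.
            findings.append({"host": f.host, "image": f.image, "dst": dst,
                             "reason": "long, outbound-heavy relay session"})
    return findings


# Constructed sample: a normal call, an unsigned impostor on the relay, a long
# upload from a real client, and unrelated browser traffic.
SAMPLE_FLOWS = [
    Flow("WS-0412", "ms-teams.exe", "Microsoft Corporation", "52.113.10.5", 3478, "udp",
         1800, 90_000_000, 85_000_000),
    Flow("WS-0412", "svchost.exe", "", "52.113.10.5", 3478, "udp",
         43200, 2_400_000_000, 3_000_000),
    Flow("WS-0911", "ms-teams.exe", "Microsoft Corporation", "52.123.4.4", 443, "udp",
         30000, 900_000_000, 2_000_000),
    Flow("WS-0911", "chrome.exe", "Google LLC", "142.250.0.1", 443, "udp",
         50, 10_000, 200_000),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

The two branches are deliberately ordered: identity of the owning process is the strong signal and is checked first; the byte-ratio heuristic only applies to flows that already pass the identity check, so it catches abuse of a real client without drowning analysts in alerts about every screen-share.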

DragonForce ransomware deployed against a major US services firm in 2025

The researchers reported that attackers deployed DragonForce ransomware on the network of a "major US services firm" in 2025. The campaign resulted in both data exfiltration and encryption of victim machines. Symantec and Carbon Black also noted that DragonForce has "become one of the most notorious ransomware groups of recent times," accounting for a significant percentage of incidents and having claimed several major retailers as victims.

The report gives no indication of whether the victim paid the ransom to obtain a decryption key or to have the stolen data deleted.

Use of an undocumented Huawei driver vulnerability and Huntress disclosure

Alongside Backdoor.Turn, the attackers exploited a vulnerability in a Huawei driver that the report says was undocumented at the time of the attack, using it to help mask their activity. According to the Symantec and Carbon Black account, that vulnerability was later detailed by Huntress in March 2026.

The report presents the exploitation of that driver bug as one component of a layered campaign that used multiple, complementary techniques to avoid detection.

Persistence and lateral movement: configuration changes, new accounts, and credential theft

To maintain long-term access, the attackers altered system configurations and local security controls. Actions documented in the report include removing the Limit Blank Password security setting (the LimitBlankPasswordUse value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which by default confines blank-password local accounts to console logon) so that compromised machines could be reached more easily, creating new user accounts to retain or expand access, and modifying firewall rules to keep remote access and C&C communication open.
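Each of those three changes leaves a host-side record, and together they are far more telling than any one of them alone. The audit below is an added example, not code from the report: it runs over constructed records shaped like Sysmon registry events (IDs 12 and 13) and Windows Security log events 4720 (user account created) and 4946 (firewall exception rule added). Field names follow those logs; the hostnames, account names, rule names and images are invented for the sample.

```python
"""Host-side audit for the persistence changes described in the report.

Added example, not code from the report. Records are constructed to resemble
Sysmon registry events (12/13) and Security log events 4720 and 4946; field
names follow those logs, all values are invented.
"""
import re
from collections import defaultdict

# Registry value behind the policy "Accounts: Limit local account use of blank
# passwords to console logon only". 1 (the default) confines blank-password
# local accounts to the console; 0 lets them authenticate over the network.
LIMIT_BLANK_PW = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]{8})\)")


def blank_password_limit_disabled(ev: dict) -> bool:
    """True if a Sysmon registry event weakens LimitBlankPasswordUse."""
    if ev.get("source") != "sysmon":
        return False
    if ev.get("TargetObject", "").lower() != LIMIT_BLANK_PW.lower():
        return False
    if ev.get("EventID") == 12 and ev.get("EventType") == "DeleteValue":
        return True                          # value removed outright
    if ev.get("EventID") == 13:              # value set: Details is "DWORD (0x........)"
        m = DWORD_RE.search(ev.get("Details", ""))
        return bool(m) and int(m.group(1), 16) == 0
    return False


def audit(events: list[dict]) -> list[dict]:
    """Map raw events to the three categories of change the report documents."""
    findings = []
    for ev in events:
        host = ev["Computer"]
        if blank_password_limit_disabled(ev):
            findings.append({"host": host, "category": "blank-password-limit-removed",
                             "detail": f"{ev.get('EventType', 'SetValue')} by {ev.get('Image')}"})
        elif ev.get("source") == "security" and ev.get("EventID") == 4720:
            findings.append({"host": host, "category": "local-account-created",
                             "detail": f"{ev['TargetUserName']} created by {ev['SubjectUserName']}"})
        elif ev.get("source") == "security" and ev.get("EventID") == 4946:
            findings.append({"host": host, "category": "firewall-rule-added",
                             "detail": f"{ev['RuleName']} ({ev['ProfileChanged']})"})
    return findings


def persistence_clusters(findings: list[dict], min_categories: int = 2) -> dict:
    """Hosts showing several distinct changes: one is routine admin work, a cluster is a pattern."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["category"])
    return {h: cats for h, cats in by_host.items() if len(cats) >= min_categories}


# Constructed sample: a server with all three changes, and a workstation with a
# routine account creation plus the registry value being set back to its default.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 13, "Computer": "SRV-DB01",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": LIMIT_BLANK_PW,
     "Details": "DWORD (0x00000000)"},
    {"source": "security", "EventID": 4720, "Computer": "SRV-DB01",
     "TargetUserName": "svc_backup2", "SubjectUserName": "Administrator"},
    {"source": "security", "EventID": 4946, "Computer": "SRV-DB01",
     "RuleName": "Remote Mgmt", "ProfileChanged": "All"},
    {"source": "security", "EventID": 4720, "Computer": "WS-0211",
     "TargetUserName": "jdoe", "SubjectUserName": "HRProvisioning"},
    {"source": "sysmon", "EventID": 13, "Computer": "WS-0211",
     "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": LIMIT_BLANK_PW,
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    found = audit(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("clusters:", persistence_clusters(found))
```

Treating a value deletion (Sysmon 12, DeleteValue) the same as setting it to zero matters here because the report describes the setting being removed, not merely changed; a rule that only matches a write of 0 would miss it.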

Backdoor.Turn’s capabilities, as described by the researchers, included code execution, network scanning, credential-based lateral movement within the network and browser credential theft from compromised endpoints. Those capabilities, together with the configuration changes and the Teams-based C&C channel, allowed the attackers to gain and sustain remote access over weeks — the report estimates the intrusion may have persisted for up to two months before the ransomware was deployed.

Initial access and tradecraft: SQL/MSSQL vector and multi-vector BYOVD evasion

Symantec and Carbon Black believe the intrusion began when the attackers exploited a vulnerability in a SQL/MSSQL server. From that foothold, the campaign employed what the researchers termed "multi-vector BYOVD evasion" alongside the Teams-based C&C to remain hidden while conducting reconnaissance, credential collection and lateral movement.

In the researchers' words, the combination of Backdoor.Turn and these evasion techniques "marks them as one of the most capable and persistent ransomware groups operating today."

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Expect C&C channels that deliberately mimic legitimate cloud application traffic; defenders will need to correlate endpoint telemetry and configuration changes (for example, Limit Blank Password modifications and new local accounts) with network flows that appear to target legitimate services.
  • Policymakers and procurement leaders: The report highlights how vulnerabilities in widely used third-party drivers and server software can be chained into complex intrusions. The later public disclosure of the Huawei driver flaw by Huntress in March 2026 underlines the lag between exploitation and public detail.
  • Affected enterprises and incident responders: The campaign demonstrates how long an attacker can remain operational on a network while hiding C&C in innocuous-looking traffic; detection and response playbooks should account for authentication tokens (the report cites anonymous Teams visitor tokens) and legitimate relays being repurposed as covert channels.

The Symantec and Carbon Black report lays out a clear operational pattern: initial server vulnerability exploitation, stealthy persistence aided by local configuration changes, credential theft and lateral movement, then final ransomware deployment. The question the report leaves on the record—whether the victim paid or otherwise resolved the extortion demand—remains unanswered, and the chain that allowed legitimate cloud infrastructure to be repurposed for covert C&C highlights a detection problem that defenders will need to address head-on.
