"The attackers in this campaign use exceptionally sophisticated cyber tradecraft," Symantec said.
Symantec's timeline: two months of concealed activity in a major US services company's network
Researchers at Symantec reported that operators tied to DragonForce ransomware gained initial access to a major US services company's environment, then spent roughly two months conducting follow-on activity while masking their command-and-control (C2) traffic as legitimate Microsoft Teams communications. Once inside, Symantec said, the attackers deployed a custom Go-based backdoor that Symantec tracks as "Backdoor.Turn" to maintain communication with compromised systems.
Backdoor.Turn: requesting anonymous tokens, using a Microsoft-operated TURN relay, then QUIC to a malicious C2
According to Symantec, Backdoor.Turn first requests an anonymous visitor token from Microsoft Teams and Skype back-end services. The backdoor then uses a Microsoft-operated TURN relay server — infrastructure typically used to help establish communications between legitimate users — before establishing a direct QUIC connection to a malicious command-and-control server. Symantec said this is the first known case of malware using this particular technique.
Symantec warned that because Backdoor.Turn routes its C2 through what looks like legitimate Teams traffic, security products see nothing but connections to genuine Teams servers. "The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors," the firm said.
DragonForce, persistence, and resale of network access
Symantec reported that attackers installed Backdoor.Turn on systems after deploying DragonForce ransomware. The firm noted that the backdoor could give operators "a way back into compromised networks or access they could later sell to other criminals." Symantec also said DragonForce operates a ransomware-as-a-service model that allows affiliates to conduct attacks under the DragonForce banner and that the operation has become increasingly prominent over the past year.
The report added that DragonForce has been linked to the Scattered Spider group, which Symantec described as "prolific" and associated with a string of high-profile intrusions, including attacks targeting major retailers in the UK.
What this means for technologists, regulators, and major US services companies
- Technologists and security teams: Symantec's findings highlight that C2 channels can be routed through trusted collaboration infrastructure; teams will likely need to consider that traffic to Microsoft Teams servers may include non-Teams activity and look for behavioral indicators beyond destination alone.
- Policymakers and regulators: The use of a Microsoft-operated TURN relay to mask malicious traffic underscores a regulatory question about how attacker abuse of third-party cloud and communications services is detected and mitigated while preserving legitimate service functions.
- Major US services companies and incident responders: Symantec's account that Backdoor.Turn was installed after a ransomware deployment — potentially to preserve access or to sell it — will concern organizations that face extortion events, since a ransomware incident may not mark the end of an intrusion.
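One concrete way to act on the "behavioral indicators beyond destination alone" point, and on the relay-then-QUIC sequence Symantec describes for Backdoor.Turn, is to correlate flow records per host rather than judging each destination on its own. The script below is an added example, not Symantec's tooling or any Microsoft detection: it flags a host that contacts a TURN relay inside a trusted collaboration range and then, within a short window, opens a sizeable QUIC-port UDP flow to a destination outside that range, which is the shape of the pivot described above. The trusted ranges (RFC 5737 documentation networks standing in for a vendor allowlist), the ports, the window, the byte floor and the flow lines are all constructed assumptions for illustration.

```python
"""Correlate TURN-relay contact with follow-on QUIC to untrusted destinations.

Added example, not Symantec's or Microsoft's code. Flow records, the trusted
ranges, ports and the time window are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# ASSUMPTION: RFC 5737 documentation ranges stand in for an allowlist of the
# collaboration vendor's published relay/service ranges.
TRUSTED_COLLAB_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
TURN_PORT = 3478                 # standard STUN/TURN port (RFC 8656); assumed for relay flows
QUIC_PORT = 443                  # QUIC normally rides UDP/443; assumed here
WINDOW = timedelta(minutes=10)   # assumed correlation window
MIN_BYTES = 10_000               # assumed floor so tiny probes are not counted


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse 'timestamp src dst dport proto bytes_out' (constructed NetFlow-like text)."""
    ts, src, dst, dport, proto, bytes_out = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto.lower(), int(bytes_out))


def in_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted collaboration ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_COLLAB_RANGES)


def find_suspicious_sequences(flows, window=WINDOW, min_bytes=MIN_BYTES):
    """Return sorted (host, relay, candidate_c2) triples.

    A hit is a host that contacts a trusted TURN relay and, within `window`,
    opens a QUIC-port UDP flow of at least `min_bytes` to a destination outside
    the trusted ranges. Relay contact followed only by traffic to trusted ranges
    (a normal call) is not reported, nor is a QUIC flow with no relay contact.
    """
    by_host = {}
    for f in sorted(flows, key=lambda f: f.ts):
        by_host.setdefault(f.src, []).append(f)

    hits = set()
    for host, hflows in by_host.items():
        relays = [f for f in hflows
                  if f.proto == "udp" and f.dport == TURN_PORT and in_trusted(f.dst)]
        for r in relays:
            for f in hflows:
                if (f.proto == "udp" and f.dport == QUIC_PORT
                        and not in_trusted(f.dst)
                        and f.bytes_out >= min_bytes
                        and r.ts <= f.ts <= r.ts + window):
                    hits.add((host, r.dst, f.dst))
    return sorted(hits)


# Constructed sample flows: a normal relayed call (10.0.0.5), a relay-then-QUIC-
# elsewhere sequence (10.0.0.7), and a lone QUIC flow with no relay contact (10.0.0.9).
SAMPLE_FLOWS = [
    "2024-05-01T09:00:00 10.0.0.5 203.0.113.10 3478 udp 1200",
    "2024-05-01T09:00:05 10.0.0.5 203.0.113.10 3478 udp 900000",
    "2024-05-01T09:01:00 10.0.0.7 203.0.113.20 3478 udp 800",
    "2024-05-01T09:01:30 10.0.0.7 203.0.113.5 443 udp 50000",
    "2024-05-01T09:02:00 10.0.0.7 192.0.2.44 443 udp 450000",
    "2024-05-01T09:03:00 10.0.0.9 192.0.2.44 443 udp 300000",
]


def run_sample():
    """Run the correlation over the constructed sample and return the hits."""
    return find_suspicious_sequences([parse_flow(line) for line in SAMPLE_FLOWS])


if __name__ == "__main__":
    for host, relay, c2 in run_sample():
        print(f"{host}: TURN relay {relay} then QUIC to untrusted {c2}")
```

On the sample, only 10.0.0.7 is reported. The heuristic is a triage signal, not proof: ordinary HTTP/3 browsing also produces UDP/443 flows, so the value comes from the sequence (relay contact first, then a non-trusted QUIC peer from the same host) rather than from either flow alone, and a real deployment would replace the placeholder ranges with the vendor's published service ranges and tune the window and byte floor to its own baseline.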
Conclusion: trusted platforms as a concealment layer and the unanswered operational questions
Symantec's analysis documents a clear tactical shift: attackers used Teams-related infrastructure and a Microsoft-operated TURN relay as a concealment layer, then pivoted to a QUIC link to a malicious C2. The firm did not identify the victim beyond "a major US services company," nor did it say whether this Teams-based channel has appeared in other DragonForce incidents. That leaves two practical questions front and center for defenders: how to distinguish genuine collaboration traffic from covert C2 when destinations are legitimate, and how to triage incidents where ransomware deployment may be followed by stealthy persistence mechanisms.