"Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic," Symantec says.
Backdoor.Turn abuses Microsoft Teams TURN relays
Researchers at Symantec report a novel evasion technique in which a custom remote access trojan (RAT) — Backdoor.Turn — hides command-and-control (C2) communications inside Microsoft Teams relay infrastructure. The malware obtains an anonymous Teams visitor token and uses a legitimate Microsoft TURN relay during connection setup, which causes defender-observed traffic to be associated with Microsoft Teams rather than a malicious endpoint.
DragonForce attack chain observed in December 2025
Symantec traced the campaign to an attack against a major U.S. services company observed in December 2025. The intruders likely gained their initial foothold through exploitation of an unknown flaw in an SQL or MSSQL server. After the initial compromise the attackers downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable alongside a malicious DLL used for sideloading. The Backdoor.Turn RAT was injected into DbgView64.exe after the ransomware deployment, suggesting use for persistence or future access.
Bring Your Own Vulnerable Driver (BYOVD) tactics and driver list
To escalate privileges and terminate security tools, the attackers used Bring Your Own Vulnerable Driver (BYOVD) techniques. Symantec highlights the use of multiple vulnerable drivers, including Huawei’s HWAuidoOs2Ec.sys (called "Havoc Process Terminator"), Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055). The campaign also employed ABYSSWORKER, a custom malicious driver masquerading as a legitimate Palo Alto driver. The report notes these drivers were used to obtain kernel-level privileges and to terminate security tooling on the host.
Capabilities and impact: reconnaissance, exfiltration, ransomware
Symantec documents a full attack lifecycle. After establishing persistence and elevating privileges, the attackers strengthened access (creating rogue users, abusing the LimitBlankPassword security policy, and modifying firewall rules), performed reconnaissance, and used Backdoor.Turn to communicate with its C2 while blending that traffic into Teams relay traffic. The RAT's capabilities include command execution, process creation, network scanning, TLS certificate capturing, LDAP/Active Directory searching, website title collection, and browser credential theft. Symantec reports the intruders exfiltrated all data, deployed DragonForce ransomware, and encrypted the victim’s systems, and concludes that the hackers behind the campaign "use exceptionally sophisticated cyber tradecraft."
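As an added illustration (not code from Symantec's report), the following Python turns two of the artifacts described above into a simple hunt over constructed host telemetry: connections to TURN ports from a process other than Teams (such as a sideloaded DbgView64.exe), and load events for the named vulnerable drivers. The telemetry schema, the Teams process names and the port range are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Microsoft documents UDP 3478-3481 for Teams media relays; TURN over TCP 443
# is also possible, so port matching alone is a partial check (assumption).
TURN_PORTS = range(3478, 3482)
# Image names legitimately expected to talk to Teams relays (assumed set).
TEAMS_PROCESSES = {"teams.exe", "ms-teams.exe", "msteams.exe"}
# Driver file names the report associates with the BYOVD activity.
VULNERABLE_DRIVERS = {"hwauidoos2ec.sys", "wsftprm.sys",
                      "gamedriverx64.sys", "k7rkscan.sys"}


@dataclass
class Event:
    kind: str      # "netconn" or "driverload" (invented telemetry schema)
    process: str   # image name making the connection or loading the driver
    detail: str    # "ip:port" for netconn, driver file name for driverload


def check_event(ev: Event) -> Optional[str]:
    """Return an alert string if the event matches a hunt rule, else None."""
    if ev.kind == "netconn":
        _host, _, port = ev.detail.rpartition(":")
        if (port.isdigit() and int(port) in TURN_PORTS
                and ev.process.lower() not in TEAMS_PROCESSES):
            return f"TURN relay traffic from non-Teams process {ev.process} -> {ev.detail}"
    elif ev.kind == "driverload" and ev.detail.lower() in VULNERABLE_DRIVERS:
        return f"known-vulnerable driver loaded: {ev.detail} (loaded by {ev.process})"
    return None


def hunt(events: List[Event]) -> List[str]:
    """Run every event through the rules and collect the alerts."""
    return [alert for alert in map(check_event, events) if alert]


# Constructed sample telemetry (203.0.113.0/24 is documentation address space).
SAMPLE_EVENTS = [
    Event("netconn", "Teams.exe", "203.0.113.10:3478"),      # expected, no alert
    Event("netconn", "DbgView64.exe", "203.0.113.10:3478"),  # sideloaded host process
    Event("driverload", "services.exe", "wsftprm.sys"),      # CVE-2023-52271 driver
    Event("driverload", "services.exe", "HTTP.sys"),         # benign
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Matching on the TURN port range deliberately ignores destination ownership, so a production rule would also confirm the relay belongs to Microsoft's published Teams ranges and correlate with the process's parent and signature.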
What this means for security teams, affected enterprises, and end users
- Security teams and technologists: Symantec published a complete list of indicators of compromise (IoCs) to help defenders catch and block such attacks. The technical detail in the report — anonymous Teams visitor token abuse, TURN relay usage during connection setup, and driver names/CVEs — provides specific artifacts to hunt for in logs and host telemetry.
- Affected enterprises and procurement leaders: The campaign demonstrates the operational risk from vulnerable or unsigned drivers and from the sideloading of legitimate executables. The attackers’ use of multiple drivers (including named CVEs) and a custom malicious driver highlights the need to account for BYOVD risks when procuring or permitting kernel-mode components.
- End users and incident responders: The RAT’s listed capabilities — notably browser credential theft and TLS certificate capture — underline why exfiltration and post-compromise access were part of the attack that preceded encryption. Incident teams will need to examine both network traffic associated with trusted services and host-level artifacts to detect similar techniques.
Symantec also places Backdoor.Turn in a small lineage of public research: Praetorian's 2025 "Ghost Calls" technique demonstrated that temporary TURN credentials for Teams and Zoom could be hijacked to create stealthy communication tunnels through conferencing infrastructure. Backdoor.Turn is the first known in-the-wild malware to put that concept into operational use against Microsoft Teams TURN relays.
The concrete record in Symantec’s write-up — an observed December 2025 intrusion against a major U.S. services company, the ZIP sideloading pattern, the enumerated drivers and CVEs, and the specific RAT capabilities — leaves defenders with named artifacts to hunt and a clear example of how trusted collaboration infrastructure can be repurposed for covert C2. Symantec has published IoCs to assist those searches.