DragonForce Ransomware Abuses Microsoft Teams TURN Relays in Sophisticated Attack In December 2025, the DragonForce ransomware group deployed a novel malware strain, Backdoor.Turn, to conceal command-and-control (C2) traffic within Microsoft Teams’ infrastructure. The attack targeted a major U.S. services company, leveraging a custom Go-based remote access trojan (RAT) to evade detection. The malware exploits Microsoft Teams’ Traversal Using Relays around NAT (TURN) protocol, which facilitates message delivery when direct client connections are unavailable. By obtaining an anonymous Teams visitor token and routing traffic through legitimate Microsoft TURN relays, Backdoor.Turn masks malicious communications as trusted network activity making it the first known in-the-wild malware to abuse this technique. DragonForce, active since at least 2023 and linked to the Scattered Spider threat group, employed a multi-stage attack chain. Initial access likely came via an unknown SQL/MSSQL server vulnerability, followed by the deployment of a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL for sideloading. Attackers then established persistence, created rogue user accounts, weakened Windows security policies, and modified firewall rules. To escalate privileges and disable defenses, the group used Bring Your Own Vulnerable Driver (BYOVD) tactics, exploiting multiple drivers, including: - Huawei’s HWAuidoOs2Ec.sys (Havoc Process Terminator) - Topaz Antifraud wsftprm.sys (CVE-2023-52271) - Tower of Fantasy GameDriverx64.sys (CVE-2025-61155) - K7 Security K7RKScan.sys (CVE-2025-1055) - A custom malicious driver, ABYSSWORKER, disguised as a Palo Alto driver. Backdoor.Turn was injected into DbgView64.exe, enabling capabilities such as command execution, process manipulation, network scanning, credential theft, and Active Directory reconnaissance. After exfiltrating data, the attackers deployed DragonForce ransomware, encrypting the victim’s systems. Symantec researchers described the campaign as employing "exceptionally sophisticated cyber tradecraft" and released indicators of compromise (IoCs) to aid detection. The incident underscores the growing abuse of trusted enterprise tools for covert C2 operations.