DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

June 18, 2026 discoverhiddenusacom Technology

Threat actors linked to the DragonForce ransomware group are using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to bypass security monitoring by tunneling traffic through legitimate Microsoft Teams relay infrastructure. According to a report by Symantec and Carbon Black, the group successfully maintained persistence within a major U.S. services firm for up to two months by masking command-and-control (C2) communications as routine Microsoft TURN relay traffic.

How Backdoor.Turn Exploits Microsoft Infrastructure

Backdoor.Turn operates by leveraging Microsoft’s own Traversal Using Relays around NAT (TURN) relay servers to hide malicious traffic. As detailed by the Threat Hunter Team at Symantec and Carbon Black, the malware first requests an anonymous visitor token from Microsoft’s Skype-backed identity services. This token allows the backdoor to establish a connection through a legitimate Teams relay server, effectively blending in with standard business communication traffic.

Once the relay connection is established, the malware initiates a QUIC session directly to the attacker’s C2 server. Because the outbound traffic appears to originate from and terminate at trusted Microsoft endpoints, traditional network security tools often fail to flag the activity. This technique relies on the “Ghost Calls” methodology, a stealthy communication protocol first documented by Praetorian in August 2024.

Did you know?
The use of Microsoft Teams infrastructure for C2 traffic is a significant escalation in cyber espionage. By mimicking common enterprise collaboration tools, attackers force defenders to choose between blocking essential business services or leaving their networks vulnerable to sophisticated exfiltration.

The Evolution of DragonForce’s Tactics

The deployment of Backdoor.Turn signals a strategic shift for the threat actor Hackledorb, the entity behind DragonForce. Historically a conventional Ransomware-as-a-Service (RaaS) operation, the group has transitioned into a highly organized cartel structure. Symantec and Carbon Black note that this evolution includes the adoption of “bring your own vulnerable driver” (BYOVD) techniques to disable security software.

In the documented attack, the threat actors injected Backdoor.Turn into the legitimate DbgView64.exe process. By using a malicious Huawei driver (HWAuidoOs2Ec.sys) to silence security agents, the group maintained reconnaissance and credential-theft capabilities long after the initial ransomware deployment. This dual-threat approach—combining ransomware for immediate impact with a stealthy RAT for long-term intelligence gathering—highlights a move toward more persistent, multi-stage cyber campaigns.

What Are the Risks of BYOVD Attacks?

Bring Your Own Vulnerable Driver (BYOVD) attacks allow threat actors to gain kernel-level privileges by loading legitimate, yet flawed, drivers onto a victim’s system. Once the driver is loaded, attackers can use it to bypass Endpoint Detection and Response (EDR) solutions. According to the Symantec report, DragonForce used these drivers to ensure their malicious processes remained undetected during the reconnaissance phase of their attack.

Pro Tips for Network Defense

  • Monitor Outbound Traffic: Look for unusual volumes of traffic directed at Microsoft relay servers that do not correspond with actual internal Teams usage.
  • Audit Driver Loads: Implement strict policies to prevent the loading of unsigned or known vulnerable drivers at the kernel level.
  • Behavioral Analysis: Focus on process injection patterns, such as the unauthorized modification of diagnostic tools like DbgView64.exe.
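
The first and third tips can be combined into one check: attribute relay-bound traffic to the process that sent it and flag volume from anything that is not a Teams client. The sketch below is an added example, not code from the Symantec and Carbon Black report. The relay CIDRs, port set, process allowlist and event fields are assumptions to replace with your own telemetry and Microsoft's current published endpoint list, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: Teams media relay ranges; refresh from Microsoft's published
# Microsoft 365 endpoint list before relying on them.
RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
# Assumption: UDP 3478-3481 for TURN media, 443 as the TCP/TLS fallback.
RELAY_PORTS = {3478, 3479, 3480, 3481, 443}
# Assumption: processes expected to carry Teams media on this estate.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}

# Constructed sample of endpoint network-connection events (field names hypothetical).
EVENTS = [
    {"host": "WS-014", "image": r"C:\Apps\MSTeams\ms-teams.exe",
     "dst_ip": "52.113.10.20", "dst_port": 3478, "bytes": 48_000_000},
    {"host": "SRV-DB02", "image": r"C:\Tools\DbgView64.exe",
     "dst_ip": "52.114.7.9", "dst_port": 3478, "bytes": 3_500_000},
    {"host": "SRV-DB02", "image": r"C:\Tools\DbgView64.exe",
     "dst_ip": "52.114.7.9", "dst_port": 3478, "bytes": 2_100_000},
    {"host": "WS-020", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "52.114.1.1", "dst_port": 443, "bytes": 12_000},
    {"host": "WS-014", "image": r"C:\Apps\Chrome\chrome.exe",
     "dst_ip": "142.250.1.1", "dst_port": 443, "bytes": 9_000_000},
]

def is_relay(ip, port):
    """True when the destination falls inside a configured relay range and port."""
    addr = ipaddress.ip_address(ip)
    return port in RELAY_PORTS and any(addr in net for net in RELAY_NETS)

def find_unexpected_relay_users(events, min_bytes=1_000_000):
    """Sum relay-bound bytes per (host, process) for processes that are not
    expected Teams clients; return those at or above the volume threshold."""
    totals = defaultdict(int)
    for ev in events:
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if is_relay(ev["dst_ip"], ev["dst_port"]) and image not in EXPECTED_IMAGES:
            totals[(ev["host"], image)] += ev["bytes"]
    return sorted((h, i, b) for (h, i), b in totals.items() if b >= min_bytes)

if __name__ == "__main__":
    for host, image, total in find_unexpected_relay_users(EVENTS):
        print(f"{host}: {image} sent {total} bytes to Teams relay ranges")
```

The threshold keeps short bursts from system services out of the results; tune it against a baseline of your own relay traffic.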

Frequently Asked Questions

How does Backdoor.Turn hide its traffic?

It uses legitimate Microsoft TURN relay servers to obfuscate its connection, making malicious C2 traffic appear as normal Microsoft Teams data flow to network security monitors.

What is the “Ghost Calls” technique?

Documented by Praetorian in 2024, it is a method of using real-time communication infrastructure to tunnel C2 traffic, rendering traditional network-based detection ineffective.

What is the primary goal of the DragonForce group?

According to researchers, the group has moved toward a cartel-like structure, prioritizing long-term persistence and credential theft alongside traditional ransomware deployment.

Can BYOVD attacks be prevented?

Yes, by maintaining an updated blocklist of known vulnerable drivers and utilizing hardware-backed security features like Memory Integrity in Windows to prevent unauthorized kernel-mode code execution.
