DragonForce Hid Ransomware C2 Inside Microsoft Teams for Two Months
A ransomware crew spent roughly two months inside a major U.S. services firm starting in December 2025, and the network monitoring tools saw nothing suspicious the entire time. The reason: every command from the attackers arrived disguised as legitimate Microsoft Teams traffic. Symantec's threat-research team published the findings on June 16, 2026, and the technique is novel enough that it warrants a close read even if you've been doing this a long time.
What Backdoor.Turn Actually Does
The tool at the center of this is Backdoor.Turn, a Go-based remote access trojan described by Symantec as the first malware family to weaponize Microsoft's TURN relay infrastructure. TURN — Traversal Using Relays around NAT — is the plumbing behind Teams audio and video calls. When a firewall or NAT device blocks a direct peer-to-peer connection, Teams routes traffic through Microsoft-operated relay servers.
Backdoor.Turn exploits that design in three steps. First, it silently requests an anonymous visitor token from Microsoft's Skype-backed identity services — a legitimate API call that requires no account. Second, it uses a real Microsoft TURN relay to establish a connection. Third, it runs a QUIC session through that relay to the attackers' actual C2 server. From any network monitoring tool's perspective, the only outbound traffic visible goes to legitimate Microsoft servers. The real C2 endpoint is completely hidden behind them.
Once connected, Backdoor.Turn is fully featured: remote command execution, process creation, network scanning, LDAP and Active Directory enumeration, credential-based lateral movement, and browser credential harvesting.
The Full Attack Chain
Initial compromise appears to have come through a vulnerability in an SQL or MSSQL server. From there, the attack followed a methodical playbook:
- Delivery: A PowerShell command dropped a ZIP archive disguised as a tech support hotfix, containing a legitimate VirtualBox executable paired with a malicious sideloaded DLL.
- Persistence: Registry modifications (LimitBlankPassword), new user/group additions, and firewall rule changes locked in long-term access.
- Defense evasion: The attackers deployed a Bring Your Own Vulnerable Driver (BYOVD) attack using four signed-but-vulnerable drivers, Huawei's HWAuidoOs2Ec.sys, Topaz Antifraud's wsftprm.sys (CVE-2023-52271), Tower of Fantasy's GameDriverX64.sys (CVE-2025-61155), and K7 Security's K7RKScan.sys (CVE-2025-1055), to kill endpoint security processes at the kernel level. A custom malicious driver called ABYSSWORKER, masquerading as Palo Alto software, was also used.
- Exfiltration and encryption: After mapping the environment via LDAP and AD searches, the group staged data and deployed the DragonForce ransomware payload.
- Post-encryption persistence: Backdoor.Turn was injected into the legitimate DbgView64.exe process after encryption, ensuring re-entry even after a ransom payment and restore.
The one-to-two month dwell time is consistent with DragonForce's pattern. The group has claimed 579 confirmed victims on its data-leak site as of June 2026.
Why Your Perimeter Controls Won't Catch This
Backdoor.Turn renders network-layer detection nearly useless. Firewall logs, DNS monitoring, and traffic analysis all depend on spotting connections to suspicious destinations. If the destination is a legitimate Microsoft IP range, most tools either allowlist it or deprioritize the alert — because blocking Teams would halt the business.
QUIC, the UDP-based transport Teams uses for media, compounds the problem. Deep-packet inspection tools that handle TCP well often have limited visibility into QUIC streams. The combination of a trusted domain, trusted relay infrastructure, and an opaque transport protocol creates an almost perfect blind spot in standard network monitoring stacks.
This is also why the BYOVD stage matters. The attackers killed endpoint protection before deploying Backdoor.Turn — because a well-tuned EDR might have flagged the anomalous QUIC behavior from a sideloaded process. Remove the EDR first, and that last detection layer disappears.
What Small and Mid-Size Businesses Should Do Now
No single control stops this. A stack of controls makes it dramatically harder:
- Audit your driver inventory. BYOVD attacks load signed-but-vulnerable drivers. Microsoft's Vulnerable Driver Blocklist covers the drivers used here. Enable HVCI (Hypervisor-Protected Code Integrity) on Windows 11 and Server 2022+ — it blocks most BYOVD techniques at the hypervisor level. Ensure CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 are addressed by updated blocklist policy.
- Lock down your SQL surfaces. The initial access appears to have come through an exposed SQL service. Database servers should never be reachable from the internet; VPN-only access and a current patch cadence are baseline.
- Deploy MFA on RDP, VPNs, and admin consoles. Credential-based lateral movement only works if stolen passwords are sufficient. MFA cuts that chain.
- Tune your EDR for process injection. An executable injecting into DbgView64.exe and initiating QUIC connections is a detectable pattern, if your EDR policies are configured to look for it. Vendor-default configs often aren't tuned this aggressively.
- Plan for post-ransom persistence. The backdoor was planted after encryption. Paying and restoring from backup does not evict a persistent implant. Any incident response needs a full forensic sweep before restored systems go back online.
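As an added example (not Symantec's or this article's own code), here is the host-level correlation that surfaces the pattern the EDR item above describes and that the network layer misses: a remote-thread injection into DbgView64.exe followed by UDP/443 (QUIC-style) egress from the injected process. The Sysmon-style event records, the QUIC_BASELINE process list, the one-hour window, and every path and IP address are constructed assumptions to be tuned per environment.

```python
"""Correlate process-injection telemetry with QUIC-style egress from the injected process."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names loosely mirror
# Sysmon Event ID 8 (CreateRemoteThread) and Event ID 3 (NetworkConnect).
EVENTS = [
    {"id": 8, "ts": "2025-12-10T09:00:00", "source": r"C:\Temp\hotfix\sideloaded_host.exe",
     "target": r"C:\Tools\DbgView64.exe", "target_pid": 4120},
    {"id": 3, "ts": "2025-12-10T09:00:05", "image": r"C:\Tools\DbgView64.exe", "pid": 4120,
     "proto": "udp", "dst_port": 443, "dst_ip": "203.0.113.10"},
    # Legitimate Teams media traffic: same protocol and port, but an expected process.
    {"id": 3, "ts": "2025-12-10T09:03:00", "image": r"C:\Program Files\Teams\ms-teams.exe",
     "pid": 2200, "proto": "udp", "dst_port": 443, "dst_ip": "203.0.113.11"},
    # DbgView64.exe with no prior injection and plain TCP/80: not the pattern.
    {"id": 3, "ts": "2025-12-11T11:00:00", "image": r"C:\Tools\DbgView64.exe", "pid": 5555,
     "proto": "tcp", "dst_port": 80, "dst_ip": "198.51.100.7"},
]

# Processes expected to speak QUIC (UDP/443) to relays. Assumption: tune per environment.
QUIC_BASELINE = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}
WINDOW = timedelta(hours=1)


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_unbaselined_quic(events):
    """Broad signal: any UDP/443 egress from a process not in the QUIC baseline."""
    return [e for e in events if e["id"] == 3 and e["proto"] == "udp"
            and e["dst_port"] == 443 and _name(e["image"]) not in QUIC_BASELINE]


def find_injected_quic(events, window=WINDOW):
    """High-confidence signal: UDP/443 egress from a non-baseline process that was the
    target of a remote-thread injection within `window` before the connection."""
    injections = defaultdict(list)  # target pid -> [(timestamp, injecting image)]
    for e in events:
        if e["id"] == 8:
            injections[e["target_pid"]].append((datetime.fromisoformat(e["ts"]), e["source"]))
    alerts = []
    for e in find_unbaselined_quic(events):
        ts = datetime.fromisoformat(e["ts"])
        for inj_ts, injector in injections.get(e["pid"], []):
            if timedelta(0) <= ts - inj_ts <= window:
                alerts.append({"pid": e["pid"], "image": e["image"],
                               "injector": injector, "dst": e["dst_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_injected_quic(EVENTS):
        print(alert)
```

The broad rule alone will fire on every unlisted process that happens to speak QUIC, so the baseline set does the heavy lifting; the injection-correlated rule is the one worth paging on.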
At Falcon Internet, restores include environment integrity verification before anything comes back into production — the DragonForce case is a reminder of exactly why that step isn't optional.