Hidden Inside Microsoft Teams: DragonForce Ransomware’s Silent “BackdoorTurn” Attack Channel Exposed


Introduction: When Trusted Collaboration Tools Become Cyber Weapons

In a world where Microsoft Teams is trusted for meetings, file sharing, and corporate communication, the idea that it could be quietly exploited as a covert channel for ransomware operations feels unsettling. Yet this is exactly what cybersecurity researchers have uncovered. A ransomware group known as DragonForce has been observed using a custom Go-based malware called “Backdoor.Turn” to hide command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. What appears to defenders as legitimate Teams traffic may actually be a hidden pipeline feeding attackers direct control over compromised systems.

Summary of the Attack: Trust Abuse at Cloud Scale

The DragonForce ransomware operation, active since at least 2023, has evolved into a highly structured cyber cartel with links to the Scattered Spider threat ecosystem. In a recent campaign targeting a major U.S. services company, attackers used a sophisticated backdoor to exploit Microsoft Teams’ TURN relay system, a mechanism designed to maintain connectivity when direct peer-to-peer communication fails. By abusing this infrastructure, the malware disguised its C2 communications as legitimate Microsoft traffic, making detection significantly harder for defenders.

Initial Access: Breaking in Through Enterprise Weak Points

The intrusion reportedly began with exploitation of a possible SQL or MSSQL server vulnerability. Once inside the network, attackers deployed a ZIP archive containing a legitimate tool (VirtualBox/DbgView executable) alongside a malicious DLL used for sideloading. This allowed them to execute code under the guise of trusted software, strengthening persistence and reducing suspicion.

Establishing Control: Persistence and System Manipulation

After gaining a foothold, DragonForce operators escalated privileges and embedded themselves deeper into the system. They created rogue user accounts, modified Windows firewall rules, and weakened security policies such as LimitBlankPassword, which allowed easier unauthorized access. These steps ensured that even if partial detection occurred, the attackers would retain multiple access paths into the environment.

Kernel-Level Domination: BYOVD Exploitation

A critical phase of the attack involved Bring Your Own Vulnerable Driver (BYOVD) techniques. The attackers leveraged multiple vulnerable drivers including Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055). In addition, a custom malicious driver called ABYSSWORKER disguised itself as a legitimate Palo Alto component. These drivers enabled kernel-level execution, allowing attackers to disable security tools and gain near-total system control.

The Core Innovation: Backdoor.Turn Hidden in Microsoft Teams Traffic

The standout element of this campaign is Backdoor.Turn, a Go-based remote access trojan. It abuses Microsoft Teams’ TURN relay infrastructure by obtaining an anonymous Teams visitor token and routing communications through legitimate Microsoft relay servers. Instead of connecting directly to a suspicious IP address, the malware blends its traffic into trusted Microsoft cloud communication streams. As a result, defenders observing network logs see nothing unusual—only Microsoft Teams-related traffic.
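As an added example (not code from the report, from Symantec, or from the malware authors), the check below shows how a defender could recognize the pattern described above in endpoint network telemetry: a TURN Allocate request, the first message of any relay session, sent to a relay port by a process other than the Teams client. The telemetry record layout, the relay hostname and the process allowlist are constructed assumptions.

```python
import struct
from dataclasses import dataclass

# STUN/TURN wire format (RFC 5389 / RFC 5766): 20-byte header with a fixed magic cookie.
STUN_MAGIC_COOKIE = 0x2112A442
TURN_ALLOCATE_REQUEST = 0x0003   # method Allocate, class Request: opens a relay session
TURN_RELAY_PORTS = {3478, 3479, 3480, 3481, 443}
# Assumption: only the Teams client itself should open relay allocations; tune per fleet.
ALLOWED_TURN_PROCESSES = {"teams.exe", "ms-teams.exe"}

@dataclass
class NetEvent:
    process: str       # image name of the process that sent the packet
    remote_host: str
    remote_port: int
    payload: bytes     # first bytes of the outbound payload

def parse_stun_header(payload: bytes):
    """Return (msg_type, body_len, txid) if payload starts with a STUN header, else None."""
    if len(payload) < 20:
        return None
    msg_type, body_len, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != STUN_MAGIC_COOKIE or msg_type & 0xC000:
        return None    # the top two bits of a STUN message type are always zero
    return msg_type, body_len, payload[8:20]

def is_turn_allocate(payload: bytes) -> bool:
    hdr = parse_stun_header(payload)
    return hdr is not None and hdr[0] == TURN_ALLOCATE_REQUEST

def find_suspicious_relay_clients(events):
    """Flag TURN Allocate requests to relay ports from processes outside the allowlist."""
    return [(e.process, e.remote_host, e.remote_port) for e in events
            if e.remote_port in TURN_RELAY_PORTS
            and is_turn_allocate(e.payload)
            and e.process.lower() not in ALLOWED_TURN_PROCESSES]

def build_stun(msg_type: int, attrs: bytes = b"") -> bytes:
    """Build a minimal STUN message; used here only to construct sample telemetry."""
    return struct.pack("!HHI", msg_type, len(attrs), STUN_MAGIC_COOKIE) + b"\x01" * 12 + attrs

# Constructed sample telemetry: hostnames and process names are illustrative, not real captures.
SAMPLE_EVENTS = [
    NetEvent("Teams.exe", "turn-relay.example.invalid", 3478, build_stun(TURN_ALLOCATE_REQUEST)),
    NetEvent("dbgview.exe", "turn-relay.example.invalid", 3478, build_stun(TURN_ALLOCATE_REQUEST)),
    NetEvent("chrome.exe", "turn-relay.example.invalid", 443, b"\x16\x03\x01\x00\xa5" + b"\x00" * 15),
    NetEvent("svchost.exe", "turn-relay.example.invalid", 3478, build_stun(0x0001)),  # STUN Binding only
]
```

Only the sideloaded host process is reported; a plain TLS handshake and a STUN Binding request from other processes are ignored, so the check keys on the relay allocation itself rather than on the destination's reputation.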

Capabilities of the Malware: Full System Surveillance

Once active, Backdoor.Turn provides attackers with extensive control over compromised systems. Its capabilities include command execution, process creation, network scanning, LDAP and Active Directory reconnaissance, TLS certificate harvesting, website title collection, and browser credential theft. This transforms the malware into a full intelligence-gathering platform before ransomware deployment.

Data Theft and Ransomware Deployment

Before encryption begins, attackers conduct systematic data exfiltration. Sensitive corporate data is extracted while remaining hidden within trusted network flows. After reconnaissance and extraction, DragonForce ransomware is deployed, encrypting critical systems and disrupting business operations. This dual-extortion model increases pressure on victims to pay ransom demands.

Research Context: The Evolution of Stealth Communication

Security researchers note that this technique builds on earlier research such as “Ghost Calls,” a concept demonstrating how TURN credentials from services like Teams and Zoom can be hijacked for covert communication channels. While Ghost Calls remained a theoretical demonstration in 2025, Backdoor.Turn represents the first real-world deployment of such a technique in active ransomware operations.

Strategic Insight: Why This Attack Is Dangerous

What makes this attack particularly concerning is not just the ransomware itself, but the abuse of trusted cloud infrastructure. By embedding malicious traffic inside Microsoft Teams relay systems, attackers bypass traditional detection systems that rely on IP reputation and anomaly-based filtering. This shifts the battlefield from endpoint security to cloud trust exploitation.

What Undercode Say:

The attack demonstrates a shift from endpoint exploitation to cloud-native abuse.

Microsoft Teams infrastructure becomes an unintended covert communication layer.

TURN protocol abuse indicates rising misuse of collaboration tools.

DragonForce is evolving into a hybrid ransomware intelligence operation.

BYOVD techniques remain one of the most dangerous privilege escalation methods.

Kernel-level access ensures long-term persistence even after partial cleanup.

Security tools relying on traffic reputation become less effective.

Anonymous Teams visitor tokens introduce unexpected attack surface risks.

Legitimate infrastructure is now part of attacker stealth strategy.

Detection requires behavioral analytics rather than signature-based methods.

MSSQL exploitation remains a common initial entry vector.

Sideloading trusted executables is still highly effective in enterprise breaches.

Rogue user creation shows privilege abuse at early stages.

Firewall rule modification indicates a deliberate strategy of dismantling defenses.

Security policy weakening is used for silent persistence.

Multiple driver exploitation increases attack resilience.

ABYSSWORKER shows evolution of custom kernel tooling.

Teams relay abuse hides C2 within enterprise collaboration traffic.

Attackers rely heavily on trusted cloud ecosystems.

Traditional SIEM alerts may fail to detect such blended traffic.

LDAP scanning indicates Active Directory targeting priority.

Credential harvesting expands lateral movement capability.

TLS certificate capture suggests deep network interception.

Browser credential theft enables external account compromise.

Data exfiltration occurs before encryption for maximum leverage.

Dual-extortion increases ransom pressure significantly.

Cartel-style ransomware groups increase operational complexity.

Scattered Spider linkage suggests shared tooling or tactics.

Cloud infrastructure abuse will increase in future campaigns.

TURN protocol misuse could affect multiple platforms beyond Teams.

Security teams must monitor token-based authentication flows.

Driver vulnerability patching remains a critical defensive layer.

Kernel protection mechanisms need stronger enforcement.

Threat actors are blending legitimate SaaS services into C2 channels.

Network visibility blind spots are being actively exploited.

Enterprises must reassess trust assumptions in SaaS traffic.

Behavioral anomaly detection is becoming essential.

Endpoint isolation alone is an insufficient defense.

Cloud relay systems are emerging attack infrastructure vectors.

Future ransomware will likely expand deeper into collaboration ecosystems.

❌ DragonForce ransomware has been active since at least 2023 and is linked to advanced cybercriminal ecosystems, making this claim consistent with known threat intelligence.

✅ Abuse of legitimate cloud infrastructure such as Microsoft Teams TURN relays is technically feasible and aligns with documented research into communication channel abuse techniques.

❌ “Backdoor.Turn” is identified as the first known real-world malware using Teams TURN relays, which is currently supported by Symantec reporting but may evolve as further research emerges.

Prediction:

(+1) Increased adoption of cloud relay abuse techniques
Attackers will likely expand similar methods across Teams, Zoom, and other collaboration platforms as organizations continue to trust SaaS traffic by default. ☁️

(+1) Growth in kernel-level BYOVD exploitation
The use of vulnerable drivers will continue rising due to the availability of signed but exploitable drivers in enterprise environments.

(-1) Decline in detection effectiveness of traditional SIEM systems
Signature-based monitoring will become less reliable as attackers increasingly tunnel through legitimate encrypted and trusted traffic flows. ⚠️

Deep Analysis: System-Level Defense Perspective

Detect unusual Teams relay traffic patterns

tcpdump -i eth0 host teams.microsoft.com

Monitor suspicious token-based authentication events

grep -i "token" /var/log/auth.log

Check loaded kernel drivers (Linux equivalent monitoring)

lsmod | grep -i suspicious

Windows Defender advanced hunting query (conceptual)

DeviceNetworkEvents
| where RemoteUrl contains "teams.microsoft.com"
| where InitiatingProcessFileName !~ "Teams.exe"

Identify sideloading behavior

find / -name "*.dll" -type f 2>/dev/null

Monitor LDAP reconnaissance attempts

tcpdump 'port 389 or port 636'

Detect abnormal process injection

ps aux | grep -i dbgview

Audit firewall rule changes

iptables -L -v -n

Track new user creation events

tail /etc/passwd

Detect ransomware staging behavior

find / -type f -name "*.encrypted" 2>/dev/null

Monitor BYOVD-related driver loading (Windows Sysinternals concept)

driverquery /v

Check TLS interception anomalies

openssl s_client -connect example.com:443

Review persistence mechanisms

crontab -l
systemctl list-timers

Analyze DNS tunneling behavior

tcpdump port 53

Detect abnormal outbound HTTPS spikes

iftop -i eth0

Inspect Microsoft Teams logs (enterprise SIEM)

journalctl | grep -i teams

Hunt for suspicious ZIP payloads

find / -name "*.zip" 2>/dev/null

Look for unsigned drivers (Windows concept)

sigcheck -u -e C:\Windows\System32\drivers

Monitor process spawning chains

pstree -p

Check Active Directory query spikes

repadmin /replsummary

Detect credential dumping attempts

grep -i "lsass" /var/log/syslog

Analyze outbound C2 patterns

netstat -antp | grep ESTABLISHED

Identify abnormal relay usage

ss -tuna | grep relay

Monitor fileless execution behavior

auditctl -w /tmp -p rwxa

Detect unusual PowerShell activity

Get-Process | Where-Object {$_.ProcessName -eq "powershell"}


References:

Reported By: www.bleepingcomputer.com