
Introduction: A New Phase of Enterprise Deception
A newly discovered cyber intrusion linked to the DragonForce ransomware group reveals a disturbing evolution in modern attack techniques. Instead of relying on traditional command-and-control channels, attackers are now abusing trusted enterprise platforms to blend malicious traffic into everyday business communication.
Security researchers from Broadcom’s Symantec and Carbon Black teams uncovered a sophisticated backdoor that hijacks Microsoft Teams relay infrastructure to conceal its operations. This discovery signals a major shift in ransomware tradecraft, where legitimacy itself becomes the camouflage.
The Original Discovery: What Was Found
The investigation reveals a custom Go-based backdoor known as Backdoor.Turn. It was deployed during a DragonForce ransomware operation targeting a US-based services firm. The malware uses Microsoft Teams relay servers to secretly route attacker communications, effectively hiding malicious activity inside trusted cloud traffic.
Researchers found that the attackers most likely gained access through an exposed SQL or MSSQL server, or possibly via credentials purchased from an access broker. From there, they escalated privileges, moved laterally across the network, and deployed ransomware alongside persistent backdoor access tools.
How the Attack Begins: Silent Entry Through Enterprise Weak Points
The intrusion reportedly began in December 2025. The attackers either exploited a vulnerability in database infrastructure or used stolen access credentials. Once inside, they used DLL sideloading techniques to execute malicious payloads while avoiding detection.
This early stage was critical. It allowed DragonForce operators to quietly establish a foothold, map the internal environment, and prepare for deeper compromise without triggering traditional security alerts.
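As an added illustration, not code from the article or from the Symantec and Carbon Black research, the Python script below applies a simple sideloading heuristic to constructed image-load records in the shape of endpoint telemetry: a DLL carrying the name of a well-known Windows system library, loaded from outside the Windows system tree and sitting beside the executable that loaded it. The record layout, the DLL name list and the sample events are assumptions.

```python
"""Flag image-load events that look like DLL sideloading.

Added example, not from the article. Heuristic: a DLL whose file name
matches a well-known Windows system library is loaded from a directory
outside the Windows system tree, next to the executable that loaded it.
Record layout, the DLL name list and the sample events are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: library names that are frequently impersonated by sideloaded DLLs.
SYSTEM_DLL_NAMES = {"version.dll", "userenv.dll", "dbghelp.dll",
                    "wtsapi32.dll", "cryptbase.dll", "dwmapi.dll"}
# Windows directories where these libraries legitimately live.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


@dataclass
class ImageLoad:
    process_image: str   # executable that performed the load
    loaded_image: str    # full path of the DLL that was mapped
    signed: bool         # whether the DLL carries a valid signature


@dataclass
class Finding:
    process_image: str
    loaded_image: str
    severity: str        # "high" for unsigned, "medium" otherwise
    reason: str


def _norm_dir(path):
    """Lower-cased directory part of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _in_trusted_tree(dll_dir):
    """True when the directory is one of the trusted system directories or below it."""
    return any(dll_dir == d or dll_dir.startswith(d + "\\") for d in TRUSTED_DIRS)


def classify(ev):
    """Return a Finding for a sideloading candidate, or None for a benign load."""
    name = PureWindowsPath(ev.loaded_image).name.lower()
    if name not in SYSTEM_DLL_NAMES:
        return None                      # not a name worth impersonating
    dll_dir = _norm_dir(ev.loaded_image)
    if _in_trusted_tree(dll_dir):
        return None                      # loaded from the real system tree
    reasons = [f"{name} loaded from {dll_dir}"]
    if dll_dir == _norm_dir(ev.process_image):
        reasons.append("DLL is co-located with its loading executable")
    if not ev.signed:
        reasons.append("DLL is unsigned")
    severity = "high" if not ev.signed else "medium"
    return Finding(ev.process_image, ev.loaded_image, severity, "; ".join(reasons))


def find_sideloads(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\plugin.dll", True),
    ImageLoad(r"C:\Users\Public\Libraries\upd\signedtool.exe",
              r"C:\Users\Public\Libraries\upd\version.dll", False),
    ImageLoad(r"C:\ProgramData\cache\helper.exe",
              r"C:\ProgramData\cache\dbghelp.dll", True),
]

if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.process_image} -> {f.loaded_image}: {f.reason}")
```

The co-location check is what separates sideloading from an ordinary third-party DLL: a signed, legitimate executable copied into a user-writable directory together with a DLL named after a system library is the classic shape. In a real pipeline the event source would be the endpoint agent's image-load telemetry and the name list would be maintained from the organisation's own baseline.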
The Core Innovation: Microsoft Teams TURN Relay Abuse
The most striking aspect of this attack is how Backdoor.Turn communicates.
Instead of connecting directly to attacker-controlled servers, the malware:
Requests an anonymous Microsoft Teams visitor token
Connects through legitimate Microsoft TURN relay infrastructure
Establishes a QUIC-based session to the real command-and-control server
This chain makes malicious traffic appear indistinguishable from legitimate Microsoft Teams communication. It is reportedly the first known malware family to abuse TURN relay infrastructure in this way.
Why This Technique Is So Dangerous for Defenders
Security tools are designed to trust well-known cloud providers like Microsoft Teams. This trust becomes a weakness when attackers route their infrastructure through these services.
As a result:
C&C traffic blends with normal enterprise communication
Network monitoring tools see only legitimate Microsoft endpoints
Data exfiltration becomes extremely difficult to distinguish from normal traffic
This represents a fundamental challenge for traditional perimeter-based cybersecurity models.
Inside DragonForce: A Growing Cybercrime Cartel
DragonForce has been active since 2023 and is increasingly viewed as a structured ransomware cartel rather than a loose hacking group. Their operations show high levels of coordination, resource investment, and technical innovation.
The group combines multiple advanced tactics including:
Kernel-level exploitation using signed driver abuse (BYOVD)
Credential theft from browsers
Active Directory reconnaissance
Lateral movement using stolen credentials
Their evolution suggests a professionalized ecosystem similar to organized cybercrime enterprises.
Payload Deployment: Ransomware and Persistence Strategy
After establishing control, the attackers deployed both ransomware and persistent access mechanisms. The ransomware component encrypted and exfiltrated sensitive data, while Backdoor.Turn ensured long-term access even after initial payload execution.
This dual-layer strategy is increasingly common in modern ransomware campaigns, where encryption is only part of the damage. Continuous access allows attackers to return, re-extort, or resell compromised infrastructure.
Attack Capabilities: What the Backdoor Enables
Backdoor.Turn provides attackers with extensive control over infected environments, including:
Remote command execution
Process creation and manipulation
Network scanning
LDAP and Active Directory mapping
Credential harvesting from browsers
Lateral movement across internal systems
These capabilities make it not just a backdoor, but a full enterprise compromise toolkit.
The Broader Implication: Trust Is Now the Attack Surface
This incident highlights a critical shift in cybersecurity reality. Attackers are no longer just exploiting vulnerabilities in systems, but exploiting trust in platforms.
When services like Microsoft Teams become part of the attack chain, defenders face a new problem: distinguishing malicious behavior inside legitimate infrastructure becomes nearly impossible without advanced behavioral analytics.
What Undercode Says:
Cloud trust is now being weaponized by advanced threat groups
Microsoft Teams infrastructure abuse marks a major escalation in stealth tactics
TURN relay abuse shows attackers are studying enterprise communication architecture deeply
Go-based malware indicates a shift toward cross-platform efficiency
DragonForce resembles a structured cybercrime organization rather than a loose group
SQL/MSSQL exposure remains a critical entry point in enterprise breaches
DLL sideloading continues to be effective for stealth execution
BYOVD attacks show kernel-level escalation is becoming routine
QUIC protocol usage improves stealth and reduces detection visibility
Security tools relying on domain reputation alone are insufficient
Attackers prioritize persistence over immediate damage in early stages
Credential theft from browsers remains highly effective
Active Directory mapping remains core to lateral movement strategies
Enterprise cloud services are becoming dual-use infrastructure
Security telemetry blind spots are being intentionally exploited
Ransomware operations now resemble multi-stage espionage campaigns
Access brokers play a major role in modern ransomware economics
Initial access is increasingly outsourced rather than directly exploited
Attackers prefer living-off-the-land techniques before deploying malware
Kernel-level drivers remain a weak point in endpoint protection
Signed driver abuse bypasses many modern security controls
Microsoft ecosystem integration increases both productivity and risk
Detection requires behavioral correlation, not signature matching
Threat actors are investing in custom malware development
Backdoors are evolving into full operational frameworks
Network segmentation alone is no longer sufficient defense
Cloud relay infrastructure introduces indirect attack paths
Threat intelligence sharing is essential against such groups
Enterprise identity systems are high-value targets
Persistence mechanisms are prioritized over encryption alone
Attack chains are becoming longer and more modular
Security visibility gaps exist between cloud and on-prem systems
QUIC traffic complicates traditional inspection methods
Attackers exploit legitimate APIs for concealment
Detection systems must incorporate anomaly-based models
Insider-like behavior simulation is used by attackers
Cybercrime groups are adopting nation-state level tactics
Enterprise compromise now includes long-term surveillance capability
Security architecture must assume trust boundaries are broken
Defensive strategies must shift from perimeter to behavior-first models
❌ Microsoft Teams is not designed as a malicious relay system, but its infrastructure can be abused if credentials or tokens are compromised
✅ Symantec and Carbon Black have previously documented advanced ransomware tradecraft consistent with multi-stage intrusion patterns
❌ There is no evidence that Microsoft itself is compromised; the abuse is indirect through legitimate services
Prediction
(+1) Ransomware groups will increasingly hide traffic inside major cloud collaboration platforms to bypass detection systems
(+1) Enterprise security tools will shift toward behavioral AI detection rather than domain-based trust models
(-1) Traditional perimeter security tools will continue losing effectiveness against cloud-relay based attacks
(+1) Abuse of legitimate services like Microsoft Teams and similar platforms will expand across multiple threat actors
(-1) Organizations relying solely on signature-based detection will experience higher breach rates in the near future
Deep Analysis: System-Level Exposure and Defensive Commands
The technical footprint of this attack can be better understood through system-level inspection and monitoring strategies.
Inspect active network connections that may hide relay traffic
netstat -tulnp
Monitor unusual QUIC or UDP-based sessions
ss -u -a
Check for suspicious DLL loading activity
lsof | grep ".dll"
Audit active processes for abnormal execution chains
ps aux --sort=-%cpu
Review authentication logs for unusual access patterns
cat /var/log/auth.log
Detect potential Active Directory enumeration attempts
ldapsearch -x -H ldap://localhost
Monitor system calls for privilege escalation patterns
auditctl -w /bin -p war -k privilege_watch
Identify suspicious persistence mechanisms
crontab -l
systemctl list-timers
Analyze outbound connections to cloud relay endpoints
tcpdump -i eth0 host microsoft.com
Track kernel-level driver interactions (BYOVD indicators)
dmesg | grep -i "driver"
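The commands above list where to look on a host. The relay chain described under "The Core Innovation" (visitor token, TURN allocation, QUIC session to the command-and-control server) is the harder problem, because every destination the network sees is legitimate. As an added example that is not part of the article or of the Symantec and Carbon Black research, the Python script below runs behavioral checks over constructed connection records: it keys on host role, originating process, session length and outbound volume instead of destination reputation. The relay host names, the process allow-list, the role list and the thresholds are assumptions.

```python
"""Behavioral checks for collaboration-relay abuse over connection records.

Added example, not from the article. Because the relay destinations are
legitimate, the checks ask who is talking to the relay, for how long and
how much, rather than where the traffic goes. Record layout, relay host
names, the process allow-list, role list and thresholds are assumptions.
"""
from dataclasses import dataclass

# 3478 is the standard STUN/TURN port; QUIC runs over UDP/443.
TURN_PORT = 3478
QUIC_PORT = 443
# Placeholder relay suffix (not a real endpoint); a deployment would use the
# provider's published relay ranges or the proxy's own destination tag.
RELAY_SUFFIXES = ("relay.collab-cloud.invalid",)
# Assumption: processes legitimately expected to reach the relay.
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}
# Assumption: host roles on which an interactive collaboration client is not expected.
NO_COLLAB_ROLES = {"database", "domain-controller", "file-server"}
LONG_SESSION_SECS = 4 * 3600          # assumption: tune to the environment
HIGH_VOLUME_BYTES = 500_000_000       # assumption: tune to the environment


@dataclass
class Conn:
    host: str
    role: str
    process: str
    proto: str
    dst_host: str
    dst_port: int
    duration_s: int
    bytes_out: int


def is_relay_session(c):
    """True for UDP traffic to a relay host on the TURN or QUIC port."""
    return (c.proto == "udp"
            and c.dst_port in (TURN_PORT, QUIC_PORT)
            and c.dst_host.endswith(RELAY_SUFFIXES))


def relay_findings(c):
    """Reasons a relay session looks abnormal; empty list when nothing stands out."""
    if not is_relay_session(c):
        return []
    reasons = []
    if c.role in NO_COLLAB_ROLES:
        reasons.append(f"relay use from {c.role} host")
    if c.process.lower() not in EXPECTED_PROCESSES:
        reasons.append(f"unexpected process {c.process}")
    if c.duration_s >= LONG_SESSION_SECS:
        reasons.append(f"session open {c.duration_s // 3600}h")
    if c.bytes_out >= HIGH_VOLUME_BYTES:
        reasons.append(f"{c.bytes_out // 1_000_000} MB sent outbound")
    return reasons


def detect(conns):
    """Map host name to the accumulated reasons from all of its relay sessions."""
    alerts = {}
    for c in conns:
        reasons = relay_findings(c)
        if reasons:
            alerts.setdefault(c.host, []).extend(reasons)
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_CONNS = [
    Conn("ws01", "workstation", "ms-teams.exe", "udp", "r1.relay.collab-cloud.invalid", 3478, 1800, 2_000_000),
    Conn("ws01", "workstation", "ms-teams.exe", "udp", "r1.relay.collab-cloud.invalid", 443, 1800, 50_000_000),
    Conn("sql01", "database", "svchost.exe", "udp", "r2.relay.collab-cloud.invalid", 3478, 60, 4_000),
    Conn("sql01", "database", "svchost.exe", "udp", "r2.relay.collab-cloud.invalid", 443, 20_000, 900_000_000),
    Conn("ws02", "workstation", "updsvc.exe", "udp", "r1.relay.collab-cloud.invalid", 443, 15_000, 300_000_000),
    Conn("ws03", "workstation", "msedge.exe", "tcp", "login.collab-cloud.invalid", 443, 5, 3_000),
]

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_CONNS).items():
        print(f"{host}: " + "; ".join(reasons))
```

The workstation running the real client produces no findings even though its traffic reaches exactly the same relay hosts; the database server and the unknown updater process do. That is the point the article makes about domain-reputation controls: the signal lives in the process-to-destination pairing and the session shape, which require endpoint or proxy telemetry that records the originating process, not just a firewall log.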
References:
Reported By: www.securityweek.com