DragonForce’s Invisible Attack: How Ransomware Hackers Turned Microsoft Teams Into a Stealth Cyberweapon + Video


A New Era of Cybercrime Hidden Behind Trusted Technology

Cybersecurity researchers have uncovered one of the most sophisticated ransomware operations seen in recent years, exposing how the DragonForce ransomware cartel infiltrated a major United States services company and remained undetected for up to two months. What makes this attack particularly alarming is not just the intrusion itself, but the method used to conceal malicious activity.

Instead of relying on suspicious infrastructure that security teams could easily identify, the attackers cleverly routed their command-and-control communications through Microsoft Teams relay servers. To defenders monitoring network traffic, everything appeared legitimate. The malicious communications blended seamlessly with normal Microsoft Teams activity, effectively allowing cybercriminals to hide in plain sight.

The discovery highlights a growing trend in cybercrime: attackers increasingly abuse trusted cloud services and enterprise platforms. Organizations spend heavily securing their networks, yet attackers keep finding ways to exploit the very technologies businesses rely on every day. The DragonForce operation shows how modern ransomware groups have evolved from simple encryption attacks into organized criminal enterprises capable of espionage-style campaigns.

Symantec Discovers the Backdoor.Turn Malware

Researchers at Symantec identified the custom malware used during the attack and named it Backdoor.Turn. According to their investigation, the malware leveraged Microsoft’s communication infrastructure in a way never previously observed in active cyberattacks.

The malware first obtains an anonymous Teams visitor token from Microsoft's Skype-based identity services; because the token is anonymous, no account in the victim tenant is required. With that token it allocates a relay on a legitimate Microsoft TURN server and then opens a QUIC session through the relay to the attackers' real command-and-control server. In TURN terms the C2 server is simply the "peer" of an ordinary media relay allocation, and the relay forwards whatever the client sends.

From the network's point of view the infected host talks only to Microsoft-owned TURN relays over the ports Teams normally uses; the attackers' address appears nowhere in any packet header the defender can see. Destination-based controls (proxy allow-lists, threat-intelligence IP matching, reputation scoring) therefore have nothing to match on, and the real signal has to come from the endpoint: which process opened the relay, and whether that process has any business doing so.
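The following is an added example of the endpoint-side check described above; it is not code from Symantec's report or from the malware. It parses the STUN/TURN message header (RFC 8489 for the header layout, RFC 8656 for the TURN method numbers) to recognise TURN Allocate requests, then applies a simple rule to constructed endpoint telemetry: an Allocate toward a Teams relay is expected from the Teams client and suspicious from anything else, such as the DbgView64.exe process the article names as the injection host. The relay ranges, UDP ports and process allow-list are assumptions taken from Microsoft's published Teams media endpoints and should be checked against the current list (and extended with the TCP/443 relay path) before use.

```python
"""Spot TURN relay allocations from processes that have no business making them.

Added example for the detection problem described above; not code from
Symantec's report or from the malware. STUN header parsing follows RFC 8489
and TURN method numbers follow RFC 8656. The Teams relay ranges, ports and
the process allow-list are assumptions; the telemetry records are constructed.
"""
import ipaddress
import struct

STUN_MAGIC_COOKIE = 0x2112A442

# STUN/TURN methods relevant to a relay session
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh",
           0x006: "Send", 0x007: "Data", 0x008: "CreatePermission",
           0x009: "ChannelBind"}
CLASSES = {0b00: "request", 0b01: "indication", 0b10: "success", 0b11: "error"}

# Assumed Teams media relay ranges and UDP ports (from Microsoft's Teams endpoint list)
TEAMS_RELAY_RANGES = [ipaddress.ip_network(n) for n in
                      ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481}
# Processes expected to open Teams relays on a managed endpoint (assumed allow-list)
EXPECTED_TURN_CLIENTS = {"ms-teams.exe", "teams.exe"}


def encode_stun_type(method: int, cls: int) -> int:
    """Interleave the 12-bit method and 2-bit class into a STUN message type."""
    return ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
            | ((cls & 0b01) << 4) | ((cls & 0b10) << 7))


def decode_stun_type(msg_type: int) -> tuple[int, int]:
    """Inverse of encode_stun_type: return (method, class)."""
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    return method, cls


def parse_stun_header(payload: bytes):
    """Return (method_name, class_name) if payload starts with a STUN header, else None."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits are zero in STUN, the magic cookie is fixed, the body is 4-byte aligned
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or length % 4:
        return None
    method, cls = decode_stun_type(msg_type)
    return METHODS.get(method, f"method_{method:#05x}"), CLASSES[cls]


def build_stun(method: int, cls: int, txn_id: bytes = b"\x00" * 12) -> bytes:
    """Minimal STUN message with an empty body (used only to construct sample payloads)."""
    return struct.pack("!HHI", encode_stun_type(method, cls), 0, STUN_MAGIC_COOKIE) + txn_id


def is_teams_relay(dst_ip: str, dst_port: int) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    return dst_port in TEAMS_RELAY_PORTS and any(ip in net for net in TEAMS_RELAY_RANGES)


def find_turn_abuse(events):
    """Flag TURN Allocate requests to Teams relays from unexpected processes.

    Each event: {"process", "pid", "dst_ip", "dst_port", "payload"} where payload
    is the first datagram the process sent to that destination.
    """
    findings = []
    for ev in events:
        if parse_stun_header(ev["payload"]) != ("Allocate", "request"):
            continue                      # a Binding check alone is not a relay
        if not is_teams_relay(ev["dst_ip"], ev["dst_port"]):
            continue                      # scope of this rule: Microsoft relays only
        if ev["process"].lower() in EXPECTED_TURN_CLIENTS:
            continue                      # Teams itself is supposed to do this
        findings.append({"process": ev["process"], "pid": ev["pid"],
                         "relay": f'{ev["dst_ip"]}:{ev["dst_port"]}'})
    return findings


# Constructed telemetry: one real Teams allocation, one from the debugger process the
# article names as the injection host, one plain STUN binding, one non-STUN packet
SAMPLE_EVENTS = [
    {"process": "ms-teams.exe", "pid": 4120, "dst_ip": "52.113.10.20", "dst_port": 3478,
     "payload": build_stun(0x003, 0b00)},
    {"process": "DbgView64.exe", "pid": 7788, "dst_ip": "52.113.10.20", "dst_port": 3478,
     "payload": build_stun(0x003, 0b00)},
    {"process": "DbgView64.exe", "pid": 7788, "dst_ip": "52.113.10.20", "dst_port": 3478,
     "payload": build_stun(0x001, 0b00)},
    {"process": "svchost.exe", "pid": 1200, "dst_ip": "52.113.10.20", "dst_port": 3478,
     "payload": b"\x16\x03\x01\x00\x2a" + b"\x00" * 40},
]

if __name__ == "__main__":
    for f in find_turn_abuse(SAMPLE_EVENTS):
        print(f"TURN Allocate to Teams relay {f['relay']} from {f['process']} (PID {f['pid']})")
```

The rule deliberately keys on the Allocate request rather than on any traffic to the relay ranges: Teams, browsers and other WebRTC clients send STUN Binding requests constantly, and the relay allocation is the step that actually creates a channel to a third party. The weak point is the allow-list, which a malware author can defeat by injecting into the Teams process itself, so in production the process check should be backed by image-path and signature checks from the EDR rather than the name alone.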

This level of sophistication is rarely seen among ransomware groups. Most ransomware operators rely heavily on publicly available tools or previously leaked malware frameworks. DragonForce instead invested resources into developing a highly specialized custom backdoor designed specifically to evade modern detection technologies.

The First Known Abuse of TURN Relay Infrastructure

One of the most significant findings in the investigation is that Backdoor.Turn represents the first publicly documented malware abusing TURN relay infrastructure in this manner.

The attack methodology appears inspired by the Ghost Calls research presented during the Black Hat 2025 conference. That research demonstrated how communication channels could be hidden inside legitimate real-time communication services, making malicious traffic difficult to distinguish from normal business activity.

DragonForce appears to have turned that research technique into a real-world offensive capability.

The implications extend far beyond a single attack. If other threat actors adopt similar techniques, security teams may face increasing difficulty identifying malicious communications traveling through trusted enterprise platforms. Traditional perimeter defenses become far less effective when attackers leverage legitimate infrastructure owned by major technology companies.

A Go-Based Backdoor Built for Long-Term Intrusions

Backdoor.Turn was developed using the Go programming language, a popular choice among advanced malware developers due to its portability, efficiency, and ability to operate across multiple operating systems.

After infiltrating the victim environment, the malware injects itself into a running copy of DbgView64.exe, the 64-bit Sysinternals DebugView utility, so that its activity appears to belong to a legitimate Microsoft tool.

The backdoor provides attackers with extensive control over compromised systems, including:

Remote Command Execution

Attackers can execute commands directly on infected machines with the privileges of the compromised host process, which in a deployment that follows a ransomware run is typically already administrative.

Network Reconnaissance

The malware scans internal networks to identify additional systems, services, and potential attack paths.

Active Directory Mapping

Attackers gain visibility into organizational structures, user accounts, security groups, and privilege relationships throughout the enterprise.

Credential Theft

Backdoor.Turn can extract passwords and authentication data from web browsers, providing additional access opportunities.

Lateral Movement

Using stolen credentials, attackers can move throughout the victim network while maintaining operational stealth.

Collectively, these capabilities transform the malware from a simple persistence mechanism into a comprehensive post-exploitation framework.

The Initial Breach Remains a Mystery

Investigators believe the attackers initially gained access through a vulnerability in a SQL-facing application or in Microsoft SQL Server itself, although the specific flaw has not been identified.

Another possibility is that DragonForce purchased access from an Initial Access Broker, a growing segment of the cybercrime ecosystem specializing in selling compromised corporate networks to ransomware groups.

Beginning in December 2025, the attackers deployed a ZIP archive containing legitimate Oracle VirtualBox components alongside a malicious dynamic-link library. Windows resolves many DLL imports from the executable's own directory before the system directories, so the signed VirtualBox binary loaded the attacker's library and the malicious code ran under the identity of trusted software.

This approach illustrates how modern attackers prefer to abuse legitimate applications rather than drop obviously malicious executables that security products can more easily detect: the executable is clean and signed, and only the library beside it is hostile.
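As an added example of how the sideloading pattern above can be picked out of endpoint telemetry (not code from the article, Symantec or Oracle), the following rule looks for a signed executable loading a DLL from its own directory, or from another non-standard location, when that DLL is unsigned or signed by a different publisher. The records are constructed and shaped like the fields of a Sysmon Event ID 7 (Image loaded) entry; every path, file name and signer string is illustrative, not an observed indicator, and the article does not name the DLL actually used.

```python
"""Flag DLL sideloading of the kind described above: a signed, legitimate executable
loading a DLL from its own directory (or another non-standard location) that is
unsigned or carries a different publisher's signature.

Added example, not code from the article, Symantec or Oracle. Records are
constructed and shaped like Sysmon Event ID 7 (Image loaded) fields; all file
names, paths and signer strings are illustrative, not observed indicators.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a signed binary routinely loads other publishers' DLLs
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str            # host executable (Sysmon Image)
    image_signer: str     # publisher on the host's signature, "" if unsigned
    module: str           # DLL that was loaded (Sysmon ImageLoaded)
    module_signer: str    # publisher on the DLL's signature, "" if unsigned


def under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def sideload_reason(ev: ImageLoad) -> str:
    """Explain why a load looks like sideloading, or return "" if it looks normal."""
    if not ev.image_signer:
        return ""  # unsigned host: suspicious in its own right, but not this pattern
    same_dir = PureWindowsPath(ev.module).parent == PureWindowsPath(ev.image).parent
    trusted = under_trusted_root(ev.module)
    if not ev.module_signer and (same_dir or not trusted):
        where = "its own directory" if same_dir else "a non-standard directory"
        return f"signed host {PureWindowsPath(ev.image).name} loaded an unsigned DLL from {where}"
    if ev.module_signer != ev.image_signer and same_dir and not trusted:
        return (f"DLL signed by {ev.module_signer} sits beside a {ev.image_signer} "
                f"binary outside the standard install paths")
    return ""


def find_sideloads(events):
    """Return (event, reason) pairs for every load that matches the pattern."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed telemetry: a normal VirtualBox install, the same signed binary run from
# an extracted archive in %TEMP% next to an unsigned DLL, a system DLL load, and an
# unsigned tool loading its own unsigned DLL
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe", "Oracle Corporation",
              r"C:\Program Files\Oracle\VirtualBox\VBoxRT.dll", "Oracle Corporation"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\vbox\VirtualBox.exe", "Oracle Corporation",
              r"C:\Users\alice\AppData\Local\Temp\vbox\example.dll", ""),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\vbox\VirtualBox.exe", "Oracle Corporation",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\alice\Downloads\tool.exe", "",
              r"C:\Users\alice\Downloads\tool.dll", ""),
]

if __name__ == "__main__":
    for ev, reason in find_sideloads(SAMPLE_LOADS):
        print(f"{ev.image} -> {ev.module}: {reason}")
```

The signer comparison is what separates sideloading from ordinary program behaviour: a VirtualBox binary loading Oracle-signed libraries from its install directory is normal, the same binary loading an unsigned DLL from a folder under %TEMP% is not. A practical deployment would also record the archive the files were extracted from, since a vendor's binaries appearing outside their install path is itself a useful lead.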

Advanced Driver Exploitation Raises Alarm

One of the most technically impressive aspects of the campaign involved the attackers’ use of Bring Your Own Vulnerable Driver, commonly known as BYOVD.

This technique abuses legitimately signed drivers that contain exploitable flaws. Because drivers run in the kernel, a vulnerable driver can be used to disable security controls, terminate defensive processes, and gain deep system access while the driver itself passes signature checks. Microsoft's vulnerable driver blocklist (enforced through HVCI or WDAC policy) stops known examples, but a driver whose flaw has not yet been published is by definition not on it.

DragonForce targeted multiple vulnerable drivers during the operation.

Most notably, the group exploited a vulnerable Huawei driver before the flaw had been publicly disclosed. Researchers later documented the vulnerability.

Such activity suggests either extensive internal research capabilities or access to highly valuable vulnerability intelligence.

The Fake Palo Alto Driver Discovery

Investigators uncovered another unusual element during the attack.

DragonForce deployed a malicious driver disguised as a legitimate driver associated with Palo Alto Networks technology.

Unlike traditional BYOVD attacks, where criminals exploit genuine vulnerable drivers, this driver was malicious from the outset. It merely masqueraded as trusted software to evade scrutiny.

The discovery demonstrates that the group is willing to manufacture trust by impersonating a legitimate vendor rather than only abusing drivers that are genuinely vulnerable.

DragonForce’s Evolution Into a Cybercrime Cartel

DragonForce has operated since at least 2023, but the organization visible today bears little resemblance to its earlier form.

Originally functioning as a ransomware-as-a-service platform, DragonForce has evolved into a structured cybercrime cartel. This transformation mirrors broader changes occurring throughout the cybercriminal underground, where loosely connected groups increasingly operate as professional organizations with specialized teams, dedicated infrastructure, and long-term strategic objectives.

The deployment timing of Backdoor.Turn is particularly noteworthy. Researchers observed that the malware was installed after ransomware execution had already occurred.

This behavior suggests that DragonForce may be maintaining persistence for future attacks, gathering intelligence for follow-on operations, or potentially selling continued access to other criminal groups.

Such a strategy turns a single breach into a long-term monetization opportunity.

Why Security Teams Should Be Concerned

The most dangerous aspect of this campaign is not merely the ransomware deployment but the extraordinary operational security displayed by the attackers.

Traditional detection strategies often rely on identifying suspicious network destinations, unknown infrastructure, or unusual communications patterns. DragonForce effectively bypassed these assumptions by hiding malicious traffic within trusted Microsoft services.

Organizations increasingly depend on cloud-based collaboration tools such as Microsoft Teams for daily operations. Blocking or aggressively filtering these services is often impossible without disrupting business operations.

As a result, attackers gain a powerful advantage when they successfully weaponize trusted platforms.

The DragonForce campaign is a warning that defenses must lean on behavior, identity monitoring and endpoint visibility rather than network traffic analysis alone: the question is no longer only where a host is talking to, but which process is doing the talking and whether that process should be.

What Undercode Say:

The DragonForce operation marks a milestone in ransomware evolution. For years the business model was encryption and extortion; the most capable actors now behave more like intelligence operations, and the abuse of Microsoft Teams infrastructure shows strategic thinking rather than opportunistic hacking. The attackers understood how enterprise defenders monitor traffic and, instead of fighting security controls head on, manipulated trust relationships, which sharply reduces detection opportunities.

Backdoor.Turn also shows substantial development investment. Custom malware is expensive and time-consuming to build, and criminal groups make that investment only when they expect significant returns. The choice of QUIC compounds the problem: most security architectures lack deep visibility into QUIC, and here the QUIC session does not even appear on the wire as QUIC. It rides inside TURN relay messages addressed to a Microsoft server, so a QUIC-inspection appliance that does not first unwrap the TURN framing sees only Teams media traffic.

The exploitation of a Huawei driver before its public disclosure is equally concerning. Many ransomware groups simply reuse public exploits; DragonForce appears able to discover or acquire new attack vectors, which implies in-house research or access to a vulnerability market. The fake Palo Alto driver adds another layer: the group no longer depends solely on abusing existing trust, it manufactures trust by impersonating legitimate software.

The shift from ransomware-as-a-service to cartel operations mirrors earlier cybercrime evolution. Groups become more resilient when responsibilities are split among specialists: infrastructure teams, malware developers, access brokers, negotiators and money-laundering specialists all contribute to operational efficiency.

Backdoor.Turn's deployment after the ransomware ran is especially telling. Persistence is now a priority; many groups are no longer satisfied with a single payout, because long-term access generates recurring opportunities. Victims may remain compromised after they believe recovery is complete. Security teams must therefore rethink remediation: removing the ransomware alone may not remove the attacker, and hidden persistence can survive for months. A post-incident hunt for implants, unexpected drivers and rogue scheduled tasks belongs in every ransomware playbook.

Finally, the campaign shows why trust-based security models keep failing. Trusted software is not automatically safe software, and trusted cloud infrastructure can become an attacker asset. Organizations need stronger endpoint telemetry, behavioral analytics and identity monitoring; network visibility alone is no longer sufficient. DragonForce is not merely another ransomware group; it points at the future direction of financially motivated cybercrime.

Deep Analysis

The following commands can help defenders triage similar threats on Linux, Windows and Active Directory hosts. They are starting points, not detections on their own; for this campaign the lines that matter most are the ones that tie a network socket back to the process that owns it, because the destination (a Microsoft relay) looks legitimate and only the owning process gives the game away.

Linux Investigation Commands

Start with sockets and their owning processes, then the process tree and recently modified shared objects. The tcpdump filter captures STUN/TURN on the standard port; widen it if the relay uses TCP/443.

netstat -tulpn
ss -tunap
lsof -i
tcpdump -i any -nn udp port 3478
journalctl -xe
ps aux --forest
find / -name "*.so" -mtime -30 2>/dev/null
last -a
who -a

Windows Investigation Commands

Pair netstat -ano with tasklist /v to map each remote connection to a PID and image name; a relay connection owned by DbgView64.exe rather than the Teams client is exactly the pattern described above. The Security log is large, so start with a bounded read and widen it once you know what to look for; wmic is deprecated on current Windows builds, though the CIM cmdlets return the same startup data.

tasklist /v
netstat -ano
Get-Process
Get-Service
Get-WinEvent -LogName Security -MaxEvents 500
Get-LocalUser
Get-ScheduledTask
driverquery /v
wmic startup get caption,command

Active Directory Investigation

The backdoor maps Active Directory, so compare privileged group membership and recently created accounts against a known-good baseline rather than reading the raw output alone.

Get-ADUser -Filter *
Get-ADComputer -Filter *
Get-ADGroupMember "Domain Admins"
Get-ADDomain
Get-ADForest
repadmin /showrepl
dcdiag /v

Threat Hunting Commands

suricata -T only validates the configuration and rule set; run the captured traffic through Zeek to get conn.log entries you can filter by process-attributed endpoint data. hashdeep output is only useful when diffed against a baseline taken before the incident.

yara suspicious_rules.yar target_file
clamscan -r /
suricata -T -c /etc/suricata/suricata.yaml
zeek -r capture.pcap
strings suspicious.bin | less
hashdeep -r /

Driver Analysis

List loaded and registered drivers with their signature state, and check anything unfamiliar against Microsoft's vulnerable driver blocklist. Remember that a driver whose flaw is not yet public will not be on that list, so unexpected vendors (a Huawei or Palo Alto Networks driver on a host that runs neither product) deserve a look on their own.

driverquery /si
fltmc
sc query type= driver
sigcheck.exe -u -e C:\Windows\System32\drivers

✅ Symantec researchers publicly reported the Backdoor.Turn malware and linked it to DragonForce operations.

✅ The malware abused Microsoft Teams-related relay infrastructure to disguise command-and-control communications, making detection significantly harder for defenders.

✅ DragonForce has evolved beyond traditional ransomware deployment and now demonstrates advanced persistence, stealth, and driver exploitation techniques that place it among the more sophisticated cybercriminal organizations operating today.

Prediction

(+1) More ransomware groups will attempt to abuse trusted cloud platforms such as Microsoft Teams, Zoom, Slack, and collaboration services to hide malicious communications.

(+1) Security vendors will begin developing specialized detection mechanisms focused on TURN relay abuse, QUIC inspection, and behavioral anomaly detection rather than destination-based monitoring.

(+1) Enterprise incident response teams will increasingly treat ransomware incidents as long-term espionage events instead of isolated encryption attacks.

(-1) Organizations relying primarily on perimeter monitoring will struggle to detect similar attacks because malicious traffic will continue blending with legitimate cloud communications.

(-1) Driver-based security bypass techniques will become more common as attackers seek kernel-level access and methods to disable endpoint protection products.

(-1) The growing professionalization of cybercrime cartels such as DragonForce will likely increase the frequency, scale, and complexity of future ransomware campaigns, forcing defenders into an increasingly difficult battle for visibility and control.


References:

Reported By: securityaffairs.com