Introduction: When Collaboration Tools Become Attack Infrastructure
What was once designed to help global teams communicate instantly has now been twisted into something far more dangerous. In a deeply sophisticated cyber intrusion uncovered by Symantec, attackers leveraged Microsoft Teams’ own relay architecture to hide ransomware command-and-control traffic inside legitimate Microsoft infrastructure. This marks a disturbing evolution in cybercrime: the abuse of trusted enterprise platforms to make malicious activity nearly invisible.
The investigation reveals that the DragonForce ransomware group maintained long-term stealth inside a major U.S. services organization, quietly operating for up to two months without detection. Instead of relying on noisy, traditional malware communication channels, the attackers embedded their control systems within Microsoft’s TURN relay servers, effectively disguising their actions as normal Teams traffic. What follows is a breakdown of one of the most technically advanced ransomware operations ever documented.
Initial Breach: Likely SQL Entry or Brokered Access
The intrusion likely began with exploitation of an SQL or MSSQL server vulnerability, although investigators also consider the possibility that access was purchased from an initial access broker. This dual-path uncertainty highlights a modern trend in cybercrime: attackers increasingly skip hacking altogether and simply buy their way into corporate environments.
Once inside, DragonForce established persistence and quietly mapped the network over weeks, avoiding detection systems while preparing for deeper infiltration.
Living Inside the Network for Two Months
Rather than rushing encryption or disruption, the attackers took a slow, patient approach. Over 1–2 months beginning in December 2025, they studied internal systems, escalated privileges, and positioned themselves for maximum impact.
This “low and slow” strategy reflects a shift in ransomware tactics: stealth first, destruction later. By the time encryption begins, defenders are already outmaneuvered.
The Sideloading Attack: Fake Tools, Real Damage
The attackers deployed a .zip archive containing a legitimate VirtualBox or DbgView executable paired with a malicious DLL. This technique, known as DLL side-loading, allows attackers to trick trusted software into executing malicious code.
The malicious DLL, vboxrt.dll, became the entry point for downloading secondary payloads, enabling reconnaissance, persistence, and defense evasion across the compromised environment.
Expanding Control: Firewall Changes and User Creation
Once footholds were established, attackers modified firewall rules, created unauthorized user accounts, and enabled settings such as LimitBlankPassword access. These actions ensured continued access even if primary credentials were discovered.
This stage reflects a classic ransomware preparation phase: weaken defenses, widen access, and remove obstacles silently.
Backdoor.Turn: The Core of the Invisible Attack
At the heart of the operation is a custom Go-based remote access trojan known as Backdoor.Turn. Injected into a legitimate DbgView64.exe process, it represents a high-level stealth mechanism designed for deep invisibility.
Instead of using traditional C2 servers, the malware uses Microsoft Teams’ identity backend and TURN relay infrastructure to disguise its communication flow. This makes malicious traffic appear identical to legitimate enterprise collaboration data.
Microsoft Teams Relay Abuse: Hiding in Plain Sight
The most alarming innovation is how Backdoor.Turn communicates. It first requests an anonymous token from Microsoft’s identity systems, then connects through legitimate Teams TURN relay servers before establishing a QUIC session to attacker-controlled infrastructure.
To security systems, this looks like normal Microsoft Teams traffic. In reality, it is a fully functional hidden tunnel for malware operations.
This technique is inspired by advanced research concepts like “Ghost Calls,” demonstrating how academic cyber research is rapidly being weaponized.
Full Remote Control Capabilities of Backdoor.Turn
Once active, the backdoor enables a wide range of malicious functions, including:
Remote command execution
Network scanning with TLS certificate harvesting
Active Directory mapping
LDAP reconnaissance
Credential theft
Browser data extraction
Lateral movement across systems
This transforms the infected environment into a fully observable digital map for attackers.
BYOVD Attacks: Breaking Security at Kernel Level
To disable endpoint security, DragonForce used Bring Your Own Vulnerable Driver (BYOVD) techniques. These attacks exploit trusted signed drivers to gain kernel-level privileges.
The group used multiple exploited drivers, including:
CVE-2023-52271 in wsftprm.sys
CVE-2025-61155 in Gamedriverx64.sys
CVE-2025-1055 in K7RKScan.sys
They also deployed a tool called Havoc Process Terminator, abusing a Huawei driver not publicly known to be vulnerable at the time.
Abyss Worker: A Fake Driver Disguised as Legitimate Software
In a rare escalation, attackers deployed a malicious driver named Abyss Worker, designed to masquerade as a Palo Alto Networks driver.
Unlike typical BYOVD attacks, this is not just exploitation of vulnerabilities in legitimate drivers but the introduction of a fully malicious driver built to appear trusted. This represents a significant leap in sophistication.
DragonForce Evolution: From RaaS to Cyber Cartel
Active since at least mid-2023, DragonForce has evolved beyond standard ransomware-as-a-service models into a structured cybercrime cartel.
Tracked by Symantec as Hackledorb, the group now demonstrates:
Advanced stealth engineering
Custom malware development
Multi-layered evasion strategies
Kernel-level defense bypassing
This evolution signals a shift toward highly organized cybercrime enterprises rather than loosely coordinated hacker groups.
Summary of Technical Indicators
The operation included multiple malware samples and infrastructure components:
Backdoor.Turn variants (SHA-256 hashes)
DragonForce ransomware payload
Malicious DLL sideloading components
Custom kernel drivers (ABYSSWORKER)
Command-and-control IP infrastructure
Defanged malicious download URLs
These indicators show a complete attack chain from entry to encryption readiness.
What Undercode Say:
This attack demonstrates how enterprise tools can be weaponized against enterprises themselves
Microsoft Teams infrastructure is effectively being used as an encrypted camouflage layer
Traditional perimeter defenses are no longer sufficient against relay-based tunneling
The shift from malware communication to platform-native communication is significant
TURN relay abuse is a new frontier in stealth C2 design
Attackers are blending cloud identity systems with malware infrastructure
Initial access brokers reduce the technical barrier for ransomware groups
Long dwell time indicates high confidence in evasion capability
Side-loading remains one of the most reliable malware execution techniques
DLL masquerading continues to bypass signature-based detection
Enterprise firewall modification is a standard persistence tactic
Attackers prioritize control stability over immediate impact
Backdoor injection into trusted binaries increases stealth dramatically
QUIC protocol usage improves C2 resilience and speed
Identity token abuse is a critical emerging threat vector
Microsoft authentication systems are indirectly part of attack chains
Network monitoring must evolve beyond destination-based filtering
Behavioral detection is now more important than signature detection
Kernel-level attacks bypass most endpoint protections
BYOVD remains one of the most dangerous privilege escalation paths
Use of zero-known-vulnerability drivers shows advanced capability
Supply chain trust in drivers is increasingly fragile
Fake driver impersonation increases detection difficulty
Security tools relying on driver trust models are at risk
Ransomware groups are adopting nation-state-like sophistication
Long-term infiltration suggests intelligence-driven operations
Credential harvesting is central to lateral movement success
Active Directory remains a primary target in enterprise breaches
Browser credential theft expands attack surface significantly
Multi-vector persistence ensures redundancy in control
Security teams must assume breach once lateral movement begins
Logging systems must correlate identity and network anomalies
Cloud relay abuse creates blind spots in SOC visibility
Threat actors are actively researching academic cybersecurity papers
Ghost Calls concept demonstrates research-to-weapon pipeline
Detection requires deeper packet behavior analysis
QUIC tunneling reduces visibility in legacy IDS systems
Cybercrime groups are converging on modular malware ecosystems
Infrastructure trust is becoming a primary attack surface
DragonForce represents a hybrid of ransomware, espionage, and stealth engineering
✅ Microsoft Teams TURN relay infrastructure exists and can be abused for traffic routing
❌ There is no evidence Microsoft designed Teams relays for malicious tunneling purposes
⚠️ Symantec has reported DragonForce activity, but attribution details may evolve as investigations continue
⚠️ CVE and driver exploitation claims are plausible but depend on confirmed vulnerability disclosure timelines
❌ “Undetectable for all systems” is inaccurate; advanced EDR tools can still detect behavioral anomalies
Prediction:
(+1) Future ransomware groups will increasingly embed command-and-control traffic inside legitimate SaaS platforms like Teams, Slack, and Zoom, making detection heavily reliant on behavioral AI and identity correlation rather than network inspection alone 🔵
(-1) Defensive tools relying solely on cloud trust boundaries will become obsolete as attackers continue abusing authentication and relay infrastructure across major platforms ⚠️
Deep Analysis:
Linux-Based Threat Hunting Commands
Detect unusual outbound connections to Microsoft relay infrastructure (hostnames are resolved so the name pattern can match)
sudo netstat -plat | grep -Ei "teams|skype|turn"
Monitor suspicious process injection patterns
ps aux | grep -Ei "dbgview|vbox|dll"
Check for newly created user accounts
cat /etc/passwd | tail -n 50
Inspect firewall rule modifications
sudo iptables -L -v -n
Identify abnormal QUIC traffic patterns
sudo tcpdump -i eth0 udp port 443
Windows Defender & Forensics Commands
Detect suspicious DLL side-loading (which processes have vboxrt.dll loaded; protected processes that refuse module enumeration are skipped)
Get-Process | Where-Object { try { $_.Modules.ModuleName -contains "vboxrt.dll" } catch { $false } }
List newly created users
Get-LocalUser | Select-Object Name,Enabled,LastLogon
Check firewall rule changes
Get-NetFirewallRule | Where-Object { $_.Enabled -eq "True" } | Select-Object DisplayName,Direction,Action
Monitor network connections to Microsoft services, together with the owning process
Get-NetTCPConnection -State Established | Where-Object { $_.RemotePort -eq 443 } | Select-Object RemoteAddress,OwningProcess
Analyze suspicious driver loads
driverquery /v /fo list
macOS Security Monitoring
Monitor outbound connections
nettop -m tcp
Check loaded kernel extensions (third-party only, i.e. everything not shipped by Apple)
kextstat | grep -v com.apple
Detect suspicious binaries
find / -perm -4000 2>/dev/null
Behavioral Detection Focus
Identity token anomalies
Non-standard Teams relay routing
QUIC sessions outside normal usage patterns
DLL injection into signed binaries
Kernel driver execution without vendor trace
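To make the two behavioral points above concrete, here is an added triage script (not code from the article or from Symantec) that runs over constructed Sysmon-style endpoint events: it flags any process other than an assumed Teams allowlist that opens TURN (3478) or QUIC (UDP 443) connections, and flags vboxrt.dll being loaded from anywhere but an assumed VirtualBox install directory. The process allowlist, the install path and the sample events are assumptions to be adjusted per environment.

```python
"""Behavioral triage for the relay-abuse and side-loading patterns described
above. All events, paths and allowlists are constructed for this example."""

# Constructed Sysmon-style events: id 3 = network connection, id 7 = image load
SAMPLE_EVENTS = [
    {"id": 3, "image": r"C:\Program Files\Microsoft\Teams\current\Teams.exe", "proto": "udp", "dport": 3478},
    {"id": 3, "image": r"C:\Users\svc\Downloads\DbgView64.exe", "proto": "udp", "dport": 3478},
    {"id": 3, "image": r"C:\Users\svc\Downloads\DbgView64.exe", "proto": "udp", "dport": 443},
    {"id": 7, "image": r"C:\Users\svc\Downloads\DbgView64.exe", "loaded": r"C:\Users\svc\Downloads\vboxrt.dll"},
    {"id": 7, "image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe", "loaded": r"C:\Program Files\Oracle\VirtualBox\VBoxRT.dll"},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "proto": "tcp", "dport": 443},
]

# Assumed allowlist of binaries expected to reach Teams relays (tune per environment)
TEAMS_PROCESSES = {"teams.exe", "ms-teams.exe", "msteams.exe"}
# TURN relay and QUIC ports; anything else talking to them is worth a look
RELAY_PORTS = {("udp", 3478), ("tcp", 3478), ("udp", 443)}
# Assumed legitimate home of the VirtualBox runtime DLL the article names
VBOXRT_DLL = "vboxrt.dll"
VBOX_INSTALL_DIR = "c:/program files/oracle/virtualbox"


def _norm(path):
    """Normalise a Windows path to lowercase forward-slash form."""
    return path.replace("\\", "/").lower()


def basename(path):
    return _norm(path).rsplit("/", 1)[-1]


def dirname(path):
    return _norm(path).rsplit("/", 1)[0]


def triage(events):
    """Return (rule, process, detail) findings for the two behaviors."""
    findings = []
    for ev in events:
        proc = basename(ev["image"])
        if ev["id"] == 3 and (ev["proto"], ev["dport"]) in RELAY_PORTS and proc not in TEAMS_PROCESSES:
            findings.append(("relay_from_non_teams_process", proc, f"{ev['proto']}/{ev['dport']}"))
        elif ev["id"] == 7 and basename(ev["loaded"]) == VBOXRT_DLL and dirname(ev["loaded"]) != VBOX_INSTALL_DIR:
            # The DLL name matches a trusted runtime but lives outside its install directory
            findings.append(("vboxrt_dll_outside_install_dir", proc, ev["loaded"]))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {proc} ({detail})")
```

Feeding real Sysmon event 3 and 7 records into triage() only requires mapping their Image, Protocol, DestinationPort and ImageLoaded fields onto the keys used here.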
References:
Reported By: cyberpress.org