The hard part of running command-and-control is not getting in — it is staying connected without tripping the egress alarms. DragonForce has a new answer to that problem, and it is a clever one: route the traffic through Microsoft Teams.
Symantec’s Threat Hunter Team has documented Backdoor.Turn, a custom remote-access trojan used by DragonForce that abuses Microsoft Teams TURN relay infrastructure to disguise its command-and-control channel. Symantec assesses it as the first known in-the-wild malware to weaponize Teams relays for C2 — a technique inspired by the previously theoretical “Ghost Calls” research. It was deployed for post-ransomware persistence: a way to keep covert access alive after the encryption event.
How the disguise works
TURN — Traversal Using Relays around NAT — is the protocol Teams uses to relay call media when two endpoints can’t connect directly. Backdoor.Turn hijacks that legitimate plumbing in three stages:
- It obtains an anonymous Teams “visitor” authentication token from Microsoft’s Skype-backed identity services.
- It uses a legitimate Microsoft server as the TURN relay during connection setup.
- It then runs a QUIC session to the attacker’s real C2 server through that relay, so the only peer the endpoint is seen talking to is Microsoft’s.
The payoff is the evasion. A network defender watching outbound traffic sees connections to genuine Microsoft and Teams infrastructure — the same destinations every Teams call uses. The malicious C2 hides behind a trust relationship that virtually every enterprise network already permits. Blocking it means blocking Teams, which most organizations cannot do.
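The three stages above are the ordinary TURN handshake put to a different use. To make the plumbing concrete, here is an added example in Python of the client side of stages two and three at the wire-framing level: STUN header and attributes per RFC 5389, Allocate, ChannelBind and ChannelData per RFC 5766. It is not Backdoor.Turn’s code and is not taken from the Symantec report. The relay’s Allocate reply, the relayed address, the peer address (TEST-NET ranges) and the tunnelled payload are all constructed locally, the token step is omitted, and whether the malware uses ChannelData frames rather than Send indications is not something the reporting states, so that choice is an assumption. Nothing here contacts Microsoft.

```python
"""Minimal TURN client framing (RFC 5389 STUN, RFC 5766 Allocate/ChannelBind/ChannelData).
Added example: not Backdoor.Turn's or Symantec's code. Relay reply, addresses and
payload are constructed for illustration."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442

# Message types (method and class bits combined)
ALLOCATE_REQUEST = 0x0003
ALLOCATE_SUCCESS = 0x0103
CHANNEL_BIND_REQUEST = 0x0009

# Attribute types used here
ATTR_CHANNEL_NUMBER = 0x000C
ATTR_LIFETIME = 0x000D
ATTR_XOR_PEER_ADDRESS = 0x0012
ATTR_XOR_RELAYED_ADDRESS = 0x0016
ATTR_REQUESTED_TRANSPORT = 0x0019
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def xor_address(ip, port):
    """Encode IPv4 ip:port as an XOR-*-ADDRESS value (port and address XORed with the cookie)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, xport, xip)


def decode_xor_address(value):
    """Inverse of xor_address; only IPv4 (family 0x01) is handled in this example."""
    _, family, xport, xip = struct.unpack("!BBHI", value[:8])
    if family != 0x01:
        raise ValueError("IPv6 XOR address not handled in this example")
    return socket.inet_ntoa(struct.pack("!I", xip ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


def build_message(msg_type, attrs, txid=None):
    """STUN message: 20-byte header, then TLV attributes each padded to a 4-byte boundary."""
    txid = txid or os.urandom(12)
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4) for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def parse_message(data):
    """Return (type, transaction id, {attr_type: value}); rejects anything that is not STUN."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or msg_type & 0xC000:
        raise ValueError("not a STUN message")
    attrs, off, end = {}, 20, 20 + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        attrs[atype] = data[off + 4:off + 4 + alen]
        off += 4 + alen + (-alen % 4)
    return msg_type, data[8:20], attrs


def allocate_request(txid=None):
    # REQUESTED-TRANSPORT: protocol 17 (UDP) followed by three reserved bytes
    return build_message(ALLOCATE_REQUEST, [(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0]))], txid)


def channel_bind_request(channel, peer_ip, peer_port, txid=None):
    """Bind a channel number (0x4000-0x7FFF) to the peer the relay should forward to."""
    assert 0x4000 <= channel <= 0x7FFF
    return build_message(CHANNEL_BIND_REQUEST, [
        (ATTR_CHANNEL_NUMBER, struct.pack("!HH", channel, 0)),  # channel + 2 reserved bytes
        (ATTR_XOR_PEER_ADDRESS, xor_address(peer_ip, peer_port)),
    ], txid)


def channel_data(channel, payload):
    """ChannelData frame (UDP form, no padding). The relay strips this 4-byte header and
    forwards the payload verbatim to the bound peer; the payload is opaque to the relay."""
    return struct.pack("!HH", channel, len(payload)) + payload


def demux(datagram):
    """What a relay or a sensor sees: STUN if the top two bits are 00, ChannelData if 01."""
    top = datagram[0] >> 6
    if top == 0:
        return ("stun",) + parse_message(datagram)
    if top == 1:
        channel, length = struct.unpack("!HH", datagram[:4])
        return ("channeldata", channel, datagram[4:4 + length])
    raise ValueError("neither STUN nor ChannelData")


def constructed_allocate_success(txid):
    """Stand-in for the relay's reply; constructed for this example, not a capture."""
    return build_message(ALLOCATE_SUCCESS, [
        (ATTR_XOR_RELAYED_ADDRESS, xor_address("203.0.113.5", 49152)),
        (ATTR_XOR_MAPPED_ADDRESS, xor_address("198.51.100.7", 50000)),
        (ATTR_LIFETIME, struct.pack("!I", 600)),
    ], txid)


def run_exchange():
    """Client side of stages two and three against the constructed reply. Returns the
    relayed address plus the three datagrams the client would put on the wire."""
    txid = b"\x00" * 11 + b"\x01"
    req = allocate_request(txid)
    kind, mtype, rtxid, attrs = demux(constructed_allocate_success(txid))
    assert kind == "stun" and mtype == ALLOCATE_SUCCESS and rtxid == txid
    relayed = decode_xor_address(attrs[ATTR_XOR_RELAYED_ADDRESS])
    bind = channel_bind_request(0x4000, "192.0.2.99", 4433)  # hypothetical C2 peer (TEST-NET-1)
    frame = channel_data(0x4000, b"hypothetical tunnelled datagram")  # stands in for a QUIC packet
    return relayed, req, bind, frame


if __name__ == "__main__":
    relayed, req, bind, frame = run_exchange()
    print("relayed address:", relayed, "| frames:", len(req), len(bind), len(frame), "bytes")
```

The point to take from demux is the defender’s view: a sensor between the endpoint and the relay sees a STUN Allocate to a Microsoft address, a ChannelBind, and then ChannelData frames whose payload the relay forwards unread to whatever peer was bound. Once that peer is the attacker’s server the relay is the C2 tunnel, and the only destination in the flow logs is Microsoft’s.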
A full intrusion toolkit
Backdoor.Turn is not just a clever tunnel. Symantec details an aggressive toolset built for stealth and lateral movement:
- Process injection into the legitimate DbgView64.exe process, plus DLL sideloading via signed executables, to blend into normal activity.
- Bring Your Own Vulnerable Driver (BYOVD) to disable security tooling, using a novel “Havoc Process Terminator” built around a Huawei audio driver (HWAuidoOs2Ec.sys) and several other vulnerable drivers.
- Reconnaissance and theft: network scanning with TLS-certificate capture, LDAP / Active Directory enumeration, browser credential theft, and credential-based lateral movement.
A few of the finer technical details — the malware’s exact programming language and a reported use of the Microsoft Graph API to pull emails and fabricate meeting recordings — appear in some reporting but are not fully nailed down across sources, so treat them as reported-but-unconfirmed pending the full Symantec writeup. The core finding — Teams relays as a covert C2 channel — is solid.
The targeted intrusion Symantec analyzed hit a major U.S.-based services firm. The attackers were inside for one to two months, beginning around December 2025, before they were detected. The company was not named.
Why DragonForce specifically
This is a sophistication upgrade from a group that has spent the past year consolidating power. DragonForce has run as ransomware-as-a-service since 2023, but in 2025 it restructured into a “cartel” model — letting affiliates white-label its tooling for a low ~20% cut, absorbing the infrastructure of the collapsed RansomHub operation, and positioning itself near the top of the post-LockBit ecosystem we mapped in our survey of the RaaS landscape. It has also been linked to Scattered Spider and the high-profile UK retail attacks on M&S and Co-op.
A group that is industrializing affiliate operations needs tooling that survives detection across many different victim environments. Backdoor.Turn is exactly that: a reusable persistence mechanism whose covert channel rides infrastructure no defender wants to block.
What defenders should take from this
The uncomfortable lesson is that “trusted destination” is no longer a safe heuristic. Egress filtering and network detection that whitelist Microsoft and Teams endpoints — which is to say almost every enterprise — give Backdoor.Turn exactly the cover it needs. Defending against this class of abuse pushes the work onto endpoint behavior (process injection into DbgView64.exe, BYOVD driver loads, anomalous QUIC sessions) and identity anomalies (anonymous Teams visitor tokens originating from servers, not users) rather than on destination-based network rules.
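Turning that into concrete endpoint logic: the following added example (not Symantec’s detection content and not the report’s indicators) runs four behaviour rules over constructed Sysmon-style events and then correlates per host, because each signal alone is weak and the combination is what marks this tradecraft. The driver denylist holds only the file name given in the reporting above, the QUIC allowlist and the path heuristics are assumptions to be tuned per estate, and every sample event, hostname and address is made up.

```python
"""Endpoint-behaviour detections for the tradecraft described above, over constructed
Sysmon-style events. Added example: not Symantec's rules or IOCs. Lists and paths
below are assumptions for illustration; tune them to your own estate."""
from collections import defaultdict

# Driver file name as spelled in the reporting above; extend from your own BYOVD list.
VULNERABLE_DRIVER_NAMES = {"hwauidoos2ec.sys"}
# Processes that legitimately speak QUIC (UDP/443) on a workstation (assumption).
QUIC_ALLOWED_IMAGES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Signed binaries the reporting names as injection targets.
INJECTION_TARGETS = {"dbgview64.exe"}
SYSTEM_DIRS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")
USER_WRITABLE = ("c:/users/", "c:/programdata/", "c:/windows/temp/")


def _norm(path):
    return path.replace("\\", "/").lower()


def _base(path):
    return _norm(path).rsplit("/", 1)[-1]


def _dir(path):
    return _norm(path).rsplit("/", 1)[0]


def _alert(rule, host, detail):
    return {"rule": rule, "host": host, "detail": detail}


def detect(events):
    """Apply per-event rules, then flag hosts where two or more distinct rules fired."""
    alerts = []
    for e in events:
        host, eid = e["Host"], e["EventID"]
        if eid == 6:  # DriverLoad: denylisted name, or a driver loaded from a user-writable path
            drv = e["ImageLoaded"]
            if _base(drv) in VULNERABLE_DRIVER_NAMES or _norm(drv).startswith(USER_WRITABLE):
                alerts.append(_alert("BYOVD_DRIVER_LOAD", host, drv))
        elif eid == 7:  # ImageLoad: unsigned DLL next to its host EXE, outside system dirs (sideload heuristic)
            dll, proc = e["ImageLoaded"], e["Image"]
            if (e.get("Signed") == "false" and _dir(dll) == _dir(proc)
                    and not (_dir(dll) + "/").startswith(SYSTEM_DIRS)):
                alerts.append(_alert("DLL_SIDELOAD", host, f"{proc} loaded unsigned {dll}"))
        elif eid == 8:  # CreateRemoteThread into a named injection target
            if _base(e["TargetImage"]) in INJECTION_TARGETS:
                alerts.append(_alert("PROCESS_INJECTION", host, f"{e['SourceImage']} -> {e['TargetImage']}"))
        elif eid == 3:  # NetworkConnect: QUIC (UDP/443) from a process that has no business speaking it
            if (e.get("Protocol") == "udp" and e.get("DestinationPort") == 443
                    and _base(e["Image"]) not in QUIC_ALLOWED_IMAGES):
                alerts.append(_alert("UNEXPECTED_QUIC", host, f"{e['Image']} -> {e['DestinationIp']}:443"))
    # Correlation: destination-based rules see only Microsoft; the chain of weak host signals is the tell.
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["rule"])
    for host, rules in per_host.items():
        if len(rules) >= 2:
            alerts.append(_alert("MULTI_STAGE_CHAIN", host, ", ".join(sorted(rules))))
    return alerts


# Constructed sample telemetry (Sysmon field names, made-up hosts and TEST-NET addresses).
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventID": 6, "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\HWAuidoOs2Ec.sys",
     "Signature": "Huawei Technologies"},
    {"Host": "WS01", "EventID": 7, "Image": r"C:\Tools\DbgView64.exe",
     "ImageLoaded": r"C:\Tools\dbghelp.dll", "Signed": "false"},
    {"Host": "WS01", "EventID": 8, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Tools\DbgView64.exe"},
    {"Host": "WS01", "EventID": 3, "Image": r"C:\Tools\DbgView64.exe", "Protocol": "udp",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    # Benign control events on a second host: Teams speaking QUIC, a Microsoft-signed audio driver.
    {"Host": "WS02", "EventID": 3, "Image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "Protocol": "udp", "DestinationIp": "203.0.113.21", "DestinationPort": 443},
    {"Host": "WS02", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\HdAudio.sys",
     "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['rule']}: {a['detail']}")
```

The destination addresses in the sample are deliberately the same kind of thing on both hosts: what separates WS01 from WS02 is not where the UDP/443 traffic goes but which process originates it and what else that host did around the same time.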
The Symantec report is the authoritative source and worth reading in full for the indicators of compromise.
Sources
- Symantec / Security.com — Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays
- BleepingComputer — Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
- Help Net Security — Cybercriminals mask malicious communications through Microsoft Teams relays
- Infosecurity Magazine — DragonForce Ransomware Exploited Microsoft Teams to Hide Attack