Researchers identified a custom backdoor called Backdoor.Turn in a DragonForce ransomware intrusion.
The malware used Microsoft Teams TURN relay infrastructure during C2 setup.
Attackers reportedly maintained access for one to two months.
Researchers observed DLL side-loading, BYOVD techniques, and security tool termination.
Backdoor.Turn was deployed after ransomware activity, potentially to maintain access.
DragonForce ransomware operators have been observed using Microsoft Teams relay infrastructure to conceal command-and-control (C2) communications associated with a custom backdoor called Backdoor.Turn.
Researchers from Symantec and Carbon Black identified the activity during an intrusion involving a major U.S. services company. The attackers reportedly remained in the victim environment for one to two months and used a combination of persistence and defense-evasion techniques, including DLL side-loading and Bring Your Own Vulnerable Driver (BYOVD) activity.
The incident highlights how threat actors can leverage trusted cloud infrastructure to reduce the visibility of malicious communications inside compromised environments.
Researchers Uncover Backdoor.Turn in a DragonForce Ransomware Intrusion
Symantec and Carbon Black reported that DragonForce-linked actors deployed a custom Go-based remote access trojan named Backdoor.Turn during an intrusion targeting a major U.S. services organization.
Researchers observed the following activity during the investigation:
Deployment of Backdoor.Turn malware
DLL side-loading techniques
Creation of rogue user accounts
Firewall rule modifications
Driver-based security tool termination
Bring Your Own Vulnerable Driver (BYOVD) defense evasion
Researchers also observed Backdoor.Turn being injected into DbgView64.exe, a legitimate Sysinternals utility. The victim organization has not been publicly identified. Researchers reported that attackers maintained access to the environment for approximately one to two months.
How Microsoft Teams Infrastructure Was Used to Conceal C2 Traffic
One of the most notable aspects of the DragonForce ransomware intrusion was the way Backdoor.Turn established communications with attacker-controlled infrastructure.
According to researchers, the malware:
Obtains an anonymous Microsoft Teams visitor token from Microsoft’s Skype-backed identity services
Uses a legitimate Microsoft TURN relay during connection establishment
Establishes a QUIC session with the attacker-controlled command-and-control server
As a result, defenders monitoring network traffic may primarily observe outbound connections to legitimate Microsoft Teams infrastructure rather than attacker-controlled systems.
Researchers said this appears to be the first known real-world case of threat actors abusing Microsoft Teams TURN relay infrastructure for command-and-control communications.
The Attackers Didn’t Leave After Ransomware Deployment
Backdoor.Turn was reportedly deployed after ransomware activity had already taken place. Researchers observed the malware being injected into DbgView64.exe, a legitimate Sysinternals utility commonly used for debugging and diagnostic purposes.
Several findings suggest the intrusion continued beyond the ransomware stage:
Backdoor.Turn was deployed after ransomware execution
The malware was injected into DbgView64.exe
Attackers reportedly remained in the environment for approximately one to two months
The timing of the deployment suggests the attackers may have sought to maintain access after ransomware execution, although their long-term objectives were not publicly disclosed.
What Remains Unknown
Several details of the intrusion have not been publicly disclosed. Unknown factors include:
Whether vulnerabilities were exploited during the intrusion
The extent of any data theft that occurred
The full scope of affected systems
The attackers’ objectives for deploying Backdoor.Turn after ransomware execution
Security teams should treat the incident as an evolving threat event rather than a fully documented breach case.
Why Teams Relay Abuse Matters
The incident demonstrates how attackers can use trusted enterprise services to make malicious activity harder to detect.
Many organizations allow Microsoft Teams traffic as part of normal business operations. When malicious communications blend into legitimate cloud-service traffic, network-based indicators may become less effective.
Researchers also observed process injection, DLL side-loading, vulnerable driver abuse, and security tool tampering. These endpoint-level indicators can provide valuable context when malicious traffic appears legitimate.
While Microsoft Teams itself was not compromised, the abuse of Teams-related infrastructure shows how trusted services can become part of an attacker’s command-and-control workflow.
Investigation Priorities for Security Teams
Organizations reviewing similar activity should consider examining:
Teams-related connections originating from unexpected processes
DbgView64.exe execution in unusual contexts
DLL side-loading behavior
Unauthorized driver loading activity
Security tool termination attempts
Unexpected account creation activity
Unexpected firewall rule changes
Backdoor deployment following ransomware activity
Correlating endpoint, identity, and network telemetry can help uncover activity that may otherwise appear legitimate.
How Hexnode Supports Investigation and Response
The DragonForce investigation uncovered several Windows-based behaviors beyond the Teams relay abuse itself, including DLL side-loading, Backdoor.Turn injection into DbgView64.exe, vulnerable driver abuse, and security tool termination.
For security teams investigating similar activity, Hexnode XDR can help analyze endpoint telemetry, security events, and incident data across affected Windows devices to support threat investigation and response.
Hexnode UEM can help administrators enforce security policies, manage enrolled devices, and perform device actions across managed endpoints.
The DragonForce ransomware incident shows how attackers continue to adapt command-and-control techniques to blend into legitimate enterprise activity. By leveraging Microsoft Teams relay infrastructure during communication setup, the attackers made malicious communications more difficult to distinguish from legitimate enterprise traffic.
When attackers abuse trusted cloud collaboration infrastructure, investigations often require endpoint telemetry alongside network visibility. Endpoint telemetry, behavioral analysis, and persistence hunting remain critical for identifying activity that may otherwise appear legitimate.
What is Backdoor.Turn?
Backdoor.Turn is a custom Go-based remote access trojan observed during a DragonForce-linked intrusion. Researchers reported that it used Microsoft Teams relay infrastructure during command-and-control setup.
Has Microsoft Teams been compromised?
Researchers did not report a compromise of Microsoft Teams. Instead, the attackers reportedly abused legitimate Teams-related relay infrastructure as part of their communication workflow.
Why is this DragonForce ransomware activity significant?
The incident shows how attackers can use trusted cloud infrastructure to conceal malicious communications, making command-and-control activity more difficult to identify.