The DragonForce ransomware group has been observed abusing Microsoft Teams infrastructure to hide its command-and-control (C2) traffic, using a custom remote access trojan (RAT) tracked as Backdoor.Turn. The technique let the attackers stay inside the network of a major U.S. services firm, undetected, for up to two months.
DragonForce, active since at least 2023, runs a ransomware-as-a-service operation: affiliates get the tooling and the infrastructure, and the group takes a share of each ransom. In this intrusion, Backdoor.Turn abused Traversal Using Relays around NAT (TURN), the standard relay protocol Teams depends on to get media through NAT devices and firewalls. No vulnerability in TURN was involved. The malware first obtained an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, used that token to get an allocation on a legitimate Microsoft TURN relay, and then ran a QUIC session through the relay to the attackers’ real C2 server. From the network’s point of view the endpoint is Microsoft and the traffic looks like a Teams call, so destination-based allow-lists and reputation blocking do not help; the tell is which process on the host is opening the relay session, not where the packets go.
The initial breach occurred in December 2025, most likely through vulnerabilities in exposed SQL servers (Microsoft SQL Server among them). Once inside, the attackers ran a PowerShell command that dropped a ZIP archive posing as a tech-support hotfix. The archive set up a DLL side-loading attack: a legitimate executable loads a rogue DLL placed beside it under the name of a library it expects, so the malicious code runs under a trusted process name. That DLL handled reconnaissance, set up persistence, and disabled security software by loading a vulnerable Huawei driver. This ‘bring your own vulnerable driver’ (BYOVD) technique has previously been seen in large-scale malvertising campaigns aimed at U.S. individuals searching for tax documents.
Notably, Backdoor.Turn was injected into the legitimate ‘DbgView64.exe’ process only after the DragonForce ransomware had already been deployed. Planting a covert backdoor after the encryption phase points to an intent to keep access to the environment for a later second round or for resale to another crew. The backdoor’s capabilities are broad: command execution, process creation, network scanning, LDAP and Active Directory queries, credential-based lateral movement, and theft of browser-stored credentials.
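The intrusion chain above (relay-based C2 from a process that should never talk to Teams, a debug tool that should never touch the network, a DLL side-loaded from a writable folder, and a third-party driver load) can be hunted with a few host-telemetry rules. The following is an added example written for this article, not code from the article, the researchers, or any vendor. It uses Sysmon’s field vocabulary for event IDs 3 (network connect), 6 (driver load) and 7 (image load); the sample events, file names and IP addresses are constructed, and the relay port range, the Teams process names and the driver-signer allow-list are assumptions to be tuned to your own environment.

```python
"""Hunting rules for the Backdoor.Turn tradecraft described above.

Added example, not code from the article or any vendor. Events are dicts in
Sysmon's field vocabulary. Constants below are assumptions, not indicators
taken from the incident.
"""
from pathlib import PureWindowsPath

# Assumption: Teams media relay traffic uses UDP/TCP 3478-3481.
TEAMS_RELAY_PORTS = range(3478, 3482)
# Assumption: the only processes expected to open a Teams relay session.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
# Debug/admin tools that have no reason to originate network traffic.
NO_NETWORK_TOOLS = {"dbgview64.exe", "dbgview.exe"}
# Locations a ZIP-dropped side-loading pair typically lands in (substring match).
WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# Assumption: driver signers expected on this server fleet; anything else is flagged.
ALLOWED_DRIVER_SIGNERS = {
    "microsoft windows",
    "microsoft windows hardware compatibility publisher",
}


def _base(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the names of every rule the event trips, in a fixed order."""
    hits = []
    eid = ev["EventID"]
    image = _base(ev.get("Image", ""))
    if eid == 3:  # network connection initiated by a process
        port = int(ev.get("DestinationPort", 0))
        if port in TEAMS_RELAY_PORTS and image not in TEAMS_PROCESSES:
            hits.append("relay_port_from_non_teams_process")
        if image in NO_NETWORK_TOOLS:
            hits.append("debug_tool_network_activity")
    elif eid == 7:  # DLL loaded into a process
        loaded = ev.get("ImageLoaded", "")
        same_dir = (PureWindowsPath(loaded).parent
                    == PureWindowsPath(ev.get("Image", "")).parent)
        unsigned = str(ev.get("Signed", "")).lower() != "true"
        in_writable = any(d in loaded.lower() for d in WRITABLE_DIRS)
        # An unsigned DLL sitting next to its host EXE in a writable folder is
        # the classic side-loading layout.
        if unsigned and same_dir and in_writable:
            hits.append("possible_dll_sideload")
    elif eid == 6:  # kernel driver loaded
        signer = ev.get("Signature", "").lower()
        if signer not in ALLOWED_DRIVER_SIGNERS:
            hits.append("unexpected_driver_signer")
    return hits


def hunt(events):
    """Run every rule over a batch; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry. IPs are documentation addresses, file names invented.
SAMPLE_EVENTS = [
    # Teams itself reaching a relay: expected, no alert.
    {"EventID": 3, "Image": r"C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "3478", "Protocol": "udp"},
    # DbgView64.exe opening a relay session: the Backdoor.Turn pattern.
    {"EventID": 3, "Image": r"C:\Tools\DbgView64.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "3478", "Protocol": "udp"},
    # Unsigned DLL loaded from the same user-writable folder as its host EXE.
    {"EventID": 7, "Image": r"C:\Users\svc\AppData\Local\Temp\hotfix\support.exe",
     "ImageLoaded": r"C:\Users\svc\AppData\Local\Temp\hotfix\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Driver signed by a vendor not on the fleet's allow-list (BYOVD candidate).
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\hw.sys",
     "Signed": "true", "Signature": "Huawei Technologies Co., Ltd."},
    # Ordinary system DLL load: no alert.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The first rule is the important one for this case: because the relay endpoint is genuine Microsoft infrastructure, the detection has to key on the originating process and port rather than on the destination, and any process outside a short Teams allow-list opening a relay session on a server deserves a look. The driver rule is deliberately allow-list based so that it does not depend on knowing the particular vulnerable driver in advance.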
This incident shows how far ransomware crews will go to blend in: a trusted SaaS platform’s relay infrastructure becomes the C2 path, and network-layer controls that permit Teams permit the backdoor too. Detection therefore has to happen on the host. Watch which processes open TURN and QUIC sessions and alert on anything outside the Teams client; treat debug utilities such as DbgView64.exe making network connections as a high-severity signal; look for unsigned DLLs loaded from user-writable folders next to legitimate executables; and enforce a driver allow-list or Microsoft’s vulnerable-driver blocklist so a BYOVD payload cannot silence endpoint security. Finally, SQL servers reachable from untrusted networks remain a favoured entry point and should be patched and firewalled accordingly.