
DragonForce Hackers Exploit Microsoft Teams Relays to Conceal Backdoor and Redirect C2 Traffic


Threat actors affiliated with the DragonForce ransomware operation have been observed using a Go-based remote access trojan (RAT) tracked as Backdoor.Turn. The malware hides its command-and-control (C2) traffic by routing it through Microsoft Teams' relay infrastructure, an approach not previously seen in the wild.

A recent report from Broadcom-owned Symantec and Carbon Black indicates that the backdoor was deployed against a significant services firm in the United States, although the company’s identity remains undisclosed. The methodology behind the backdoor’s operations is notably intricate. According to experts from the Threat Hunter Team, Backdoor.Turn cleverly acquires an anonymous Teams visitor token through Microsoft’s Skype-backed identity services. From there, it utilizes a legitimate Microsoft TURN relay to establish a connection, which ultimately links back to the attackers’ actual C2 server via a QUIC session.

From a network defender's perspective, the only observable traffic is outbound connections to genuine Microsoft Teams servers. The attackers are believed to have remained inside the victim's network for one to two months, relying on this blending to evade detection.

This incident is the first publicly documented case of cybercriminals abusing Microsoft's Traversal Using Relays around NAT (TURN) infrastructure. Investigators suspect the initial breach stemmed from a vulnerability in either an SQL or MS-SQL server, although the precise flaw remains unconfirmed. Another possibility is that access was purchased from an initial access broker (IAB).

Malicious activity on the target system reportedly began in December 2025. The attackers ran a PowerShell command to drop a ZIP file disguised as a tech support hotfix. Its contents set up a DLL side-loading attack that launched a rogue DLL responsible for reconnaissance, establishing persistence, and disabling security tooling by means of a Huawei driver known as HWAuidoOs2Ec.sys.

This technique falls under the category known as bring your own vulnerable driver (BYOVD). Notably, this driver had previously been linked to large-scale malvertising campaigns aimed at U.S. users searching for tax-related documents, although this is believed to have occurred following the ransomware incident.

Adding to the attack's complexity, Backdoor.Turn is executed by appending it to the legitimate DbgView64.exe process, and only after the DragonForce ransomware has been deployed. This ordering suggests an intention to retain access to the compromised system for follow-on attacks or resale on the cybercriminal market.

The mechanism underlying Backdoor.Turn revolves around a TURN-based communication method, known as Ghost Calls, which was documented in a previous report by Praetorian in August 2024. This backdoor offers a broad spectrum of functionalities, including command execution, process creation, network scanning, and LDAP and Active Directory searches. It is also capable of lateral movement through credential theft from browsers.

According to Symantec and Carbon Black, the backdoor’s operation is initiated by requesting a visitor token from the Microsoft Teams/Skype backend. This token not only facilitates interactions with Teams’ infrastructure but also enables the establishment of outbound connectivity through a legitimate Microsoft TURN relay server. Following this initial setup, the malware creates a direct QUIC session to the malicious C2 server.
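The process-centric hunt that this behaviour implies, as an added example (not code from the Symantec/Carbon Black report): because the destinations are genuine Teams relays, the usable signal is which process holds the TURN session, correlated on the same host with the BYOVD driver load described above. The EDR event schema, the TURN port set and the Teams process allowlist are assumptions; the events are constructed sample data.

```python
"""Host-level hunt for the Backdoor.Turn pattern (added example, not from the report)."""
import csv
import io
from collections import defaultdict

# Assumptions: TURN port set, Teams process allowlist, and the EDR event schema below.
TURN_PORTS = {3478}
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}
BYOVD_DRIVER = "hwauidoos2ec.sys"  # driver name as given in the report, compared case-insensitively

# Constructed EDR-style events; kind is "netconn" (detail = proto:port) or "driver_load" (detail = file).
SAMPLE_EVENTS = """\
ts,host,kind,process,detail
2025-12-03T09:58:10Z,WS01,driver_load,loader.exe,HWAuidoOs2Ec.sys
2025-12-03T10:01:02Z,WS01,netconn,ms-teams.exe,udp:3478
2025-12-03T10:05:44Z,WS01,netconn,DbgView64.exe,udp:3478
2025-12-03T10:06:00Z,WS02,netconn,chrome.exe,udp:3478
2025-12-03T10:06:30Z,WS03,netconn,notepad.exe,udp:3478
2025-12-03T10:07:00Z,WS04,driver_load,installer.exe,HWAuidoOs2Ec.sys
"""

def parse_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def hunt(events):
    """Return {host: [finding, ...]} keyed on process identity, not destination."""
    findings = defaultdict(list)
    for e in events:
        proc = e["process"].lower()
        if e["kind"] == "netconn":
            proto, port = e["detail"].split(":")
            # A TURN session from anything but the Teams client or a browser is the anomaly.
            if proto == "udp" and int(port) in TURN_PORTS and proc not in TEAMS_PROCESSES:
                findings[e["host"]].append(f"turn_from_unexpected_process:{e['process']}")
        elif e["kind"] == "driver_load" and e["detail"].lower() == BYOVD_DRIVER:
            findings[e["host"]].append(f"byovd_driver_load:{e['detail']}")
    return dict(findings)

def hosts_with_full_pattern(findings):
    """Hosts showing both the BYOVD driver load and a TURN session from a non-Teams process."""
    return sorted(h for h, f in findings.items()
                  if any(x.startswith("turn_") for x in f)
                  and any(x.startswith("byovd_") for x in f))

if __name__ == "__main__":
    result = hunt(parse_events(SAMPLE_EVENTS))
    print("full pattern:", hosts_with_full_pattern(result))  # ['WS01']
```

Browsers appear in the allowlist because web Teams also opens TURN sessions; tighten it to your own baseline before alerting on it.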

These findings show a sophisticated threat group applying advanced tradecraft to carry out high-impact targeted attacks while keeping victims unaware of ongoing data exfiltration. This is particularly significant given that Hackledorb, the group behind DragonForce, appears to have moved from a traditional ransomware-as-a-service (RaaS) model to a tightly organized cartel structure.

The operational timeline of these attacks shows a clear pattern of continuous capability enhancement. Experts note that the adoption of advanced techniques has become a defining feature of the group's activity post-2025. The introduction of Backdoor.Turn, together with its multi-vector BYOVD evasion strategy, places the group among the most capable and persistent ransomware operations currently active. This evolution raises concerns about future threats and underlines the need for stronger security measures across sectors.
