A notorious ransomware group remained inside the network of a major U.S. services firm for up to two months, using Microsoft Teams to hide its command and control (C&C) traffic before launching a coordinated attack, according to researchers from Symantec and Carbon Black. Their investigation report, released on June 16, details the methods the attackers used before ultimately deploying the DragonForce ransomware on the firm’s network.
The attackers used a Go-based Remote Access Trojan (RAT) that abused the TURN relay servers that serve Microsoft Teams. Routing traffic through the relays allowed them to mask their C&C channel effectively. The researchers named the backdoor Backdoor.Turn; it shaped its data stream so that security defenses saw only what looked like legitimate outbound connections to Microsoft Teams servers. This method not only let the attackers operate inside the network but also kept their activity largely undetected.
To initiate the connection, Backdoor.Turn obtained an anonymous Teams visitor token from Microsoft’s Skype-backed identity services. The attackers then used a legitimate Microsoft TURN relay to open a channel and ran a session over the QUIC transport protocol, linking the compromised machine to a server under their control. Each step in this chain relies on legitimate Microsoft infrastructure, which is what makes the traffic blend in with ordinary Teams usage and underscores how widely used communication platforms can be turned against the organizations that rely on them.
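The technique described above works because defenders see only "Teams traffic". One defensive counter is to correlate the initiating process with the destination: TURN allocations (UDP/TCP 3478-3481) or QUIC (UDP/443) towards Teams relay ranges should come from the Teams client, not from arbitrary binaries. The following is an added illustration, not code from the report or from Symantec/Carbon Black; the relay range, process allowlist and telemetry records are constructed placeholders that must be replaced with Microsoft's published ranges and your own EDR/firewall telemetry.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: placeholder entry; load Microsoft's published Teams relay ranges.
TEAMS_RELAY_NETS = [ipaddress.ip_network("52.112.0.0/14")]
TURN_PORTS = {3478, 3479, 3480, 3481}   # TURN relay ports used by Teams media
QUIC_PORT = 443                         # QUIC runs over UDP on port 443
# Assumption: processes expected to reach Teams relays; tune per environment.
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe"}


@dataclass(frozen=True)
class Conn:
    host: str       # endpoint that initiated the connection
    process: str    # image name of the initiating process
    proto: str      # "udp" or "tcp"
    dst_ip: str
    dst_port: int


def to_teams_relay(c: Conn) -> bool:
    ip = ipaddress.ip_address(c.dst_ip)
    return any(ip in net for net in TEAMS_RELAY_NETS)


def looks_like_relay_channel(c: Conn) -> bool:
    # TURN on any transport, or a QUIC session (UDP/443)
    return c.dst_port in TURN_PORTS or (c.proto == "udp" and c.dst_port == QUIC_PORT)


def find_suspicious(conns):
    """Return (conn, reason) for relay-style sessions from unexpected processes."""
    hits = []
    for c in conns:
        if (to_teams_relay(c) and looks_like_relay_channel(c)
                and c.process.lower() not in EXPECTED_PROCESSES):
            kind = "TURN" if c.dst_port in TURN_PORTS else "QUIC"
            hits.append((c, f"{kind} session to Teams relay from {c.process}"))
    return hits


# Constructed sample telemetry, not taken from the incident.
SAMPLE = [
    Conn("ws1", "ms-teams.exe", "udp", "52.113.10.5", 3478),   # normal Teams call
    Conn("ws1", "updater.exe", "udp", "52.113.10.5", 3478),    # TURN from odd binary
    Conn("ws2", "chrome.exe", "udp", "142.250.80.46", 443),    # QUIC, not a relay
    Conn("ws2", "updater.exe", "udp", "52.114.7.9", 443),      # QUIC to relay range
]

if __name__ == "__main__":
    for conn, why in find_suspicious(SAMPLE):
        print(f"[ALERT] {conn.host}: {why} -> {conn.dst_ip}:{conn.dst_port}")
```

Process-to-destination correlation like this is a hunting heuristic, not a signature; pair it with a baseline of which hosts and binaries normally use the Teams client.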
To further cover their tracks, the attackers also exploited an undocumented vulnerability in a Huawei driver during the attack, a flaw that Huntress later detailed in March 2026. This added another layer of concealment, further disguising their presence on the compromised network.
To keep their access to the network, the attackers methodically changed configurations and settings. Notably, they removed security measures such as the Limit Blank Password setting, which made it easier to log on to the compromised machines. They also created additional user accounts to maintain or broaden their control over the network and altered firewall rules so that remote access and C&C communications could operate without impediment.
The researchers also highlighted the range of capabilities Backdoor.Turn gave the attackers: code execution, network scanning, credential-based lateral movement within the network, and theft of browser credentials from infected endpoints. This toolset let them quietly expand their remote access over time, entrenching their position in the network and preparing the ground for further malicious actions.
The adept concealment of C&C traffic within Microsoft Teams played a critical role in the attack’s success. “The attackers in this campaign utilize exceptionally sophisticated cyber tradecraft,” the researchers pointed out. “The configuration of Backdoor.Turn ensures that security products only detect C&C traffic directed towards legitimate Teams servers, leaving defenders oblivious to the fact that data is being illicitly siphoned off by malicious actors.”
The incident took place in 2025 and culminated in the deployment of DragonForce ransomware, which the attackers used to exfiltrate sensitive data and encrypt the targeted machines. It remains unclear whether the victim ultimately paid the ransom in exchange for the decryption key or persuaded the attackers to delete the stolen data. The researchers believe the attack most likely began with the exploitation of vulnerabilities in either an SQL or MSSQL server, which provided the initial foothold.
DragonForce has emerged as one of the most infamous ransomware groups in recent years, representing a significant portion of ransomware incidents. This group has been associated with high-profile attacks on various retailers and other institutions.
The deployment of Backdoor.Turn, combined with multi-vector BYOVD evasion, cements the group’s position as one of the most capable and persistent ransomware operations currently active. Each such maneuver underlines the need for organizations to improve their defenses, and highlights both the ongoing threat of ransomware and the continued innovation in cybercriminal tactics.