DragonForce hackers used Microsoft Teams relay to hide command traffic, researchers say

Threat actors linked to DragonForce ransomware used a custom Go-based backdoor called Backdoor.Turn to hide command and control traffic inside Microsoft Teams relay infrastructure during an intrusion against a major U.S. services firm, according to a technical analysis. The attackers were inside the network for between one and two months.

KEY FACTS

  • Victim: A major U.S. services firm was targeted, but the company was not named.
  • Access: Investigators suspect the attackers entered through an SQL or MS-SQL server flaw, or via an initial access broker.
  • Stealth: The malware used a legitimate Microsoft TURN relay and then opened a QUIC session to its real server.
  • Persistence: The operation also used DLL side-loading and a Huawei driver to disable security tools.
  • Scope: The activity began in December 2025 and was the first publicly documented abuse of Microsoft TURN relay infrastructure by the group.

Initial malicious activity began in December 2025, when the attackers ran a PowerShell command that dropped a ZIP file disguised as a tech support hotfix. The archive launched a DLL side-loading chain that ran a rogue DLL for reconnaissance, persistence and security evasion.

The report says the group used a Huawei driver named HWAuidoOs2Ec.sys to silence defenses, a technique known as bring your own vulnerable driver (BYOVD), in which a legitimately signed but exploitable driver is loaded to gain kernel-level access and switch off security tools. Other drivers associated with the same approach included wsftprm.sys, GameDriverX64.sys, K7RKScan.sys and a custom malicious driver called ABYSSWORKER.

Backdoor.Turn was injected into the legitimate DbgView64.exe process after DragonForce ransomware was deployed. The backdoor can run commands, create processes, scan networks, search LDAP and Active Directory, move laterally with credentials and steal browser credentials.

The disclosure says the malware first requested an anonymous Teams visitor token backed by Skype identity services, then used Microsoft relay infrastructure to connect before establishing a direct QUIC session to the attackers’ server. The technique is meant to make outbound traffic look like ordinary Microsoft Teams communications.
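The relay-then-QUIC sequence described above leaves a recognisable footprint in endpoint network logs: a process that is not a Teams client contacts a Microsoft TURN relay, and shortly afterwards the same process opens a UDP/443 (QUIC) session to a host outside Microsoft's infrastructure. The script below is an added example, not code from the report or any vendor, that correlates those two events. The log line format, the relay host name, the process allow-list, the Microsoft domain suffixes and the ten-minute window are all constructed assumptions; only the TURN port (3478) and the QUIC port (UDP/443) are standard values.

```python
"""Correlate TURN-relay contact with a follow-on QUIC session per process.

Added example, not from the original report. The log format, host names,
allow-list and time window below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Assumed allow-list of processes that legitimately talk to Teams relays.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msedge.exe", "msedgewebview2.exe"}
TURN_PORT = 3478          # standard STUN/TURN port
QUIC_PORT = 443           # QUIC runs over UDP/443
MS_SUFFIXES = (".microsoft.com", ".skype.com")   # assumed Microsoft relay/identity domains
WINDOW = timedelta(minutes=10)                   # assumed correlation window

# Constructed sample log: ts|process|proto|dst_host|dst_port
SAMPLE_LOG = [
    "2025-12-03T10:00:00|ms-teams.exe|UDP|relay.teams.microsoft.com|3478",
    "2025-12-03T10:00:05|ms-teams.exe|UDP|relay.teams.microsoft.com|3478",
    "2025-12-03T10:05:00|DbgView64.exe|UDP|relay.teams.microsoft.com|3478",
    "2025-12-03T10:06:30|DbgView64.exe|UDP|203.0.113.10|443",
    "2025-12-03T10:30:00|chrome.exe|UDP|cdn.example.net|443",
]


def parse_line(line):
    """Split one constructed-format log line into a typed event dict."""
    ts, proc, proto, host, port = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "process": proc.lower(),
        "proto": proto.upper(),
        "host": host.lower(),
        "port": int(port),
    }


def is_microsoft(host):
    """True when the destination falls under an assumed Microsoft domain."""
    return host.endswith(MS_SUFFIXES)


def detect(lines):
    """Return (process, reason, host) findings for the relay-then-QUIC pattern.

    Two conditions are flagged:
      1. a process outside the Teams allow-list contacting a Microsoft TURN relay;
      2. any process opening UDP/443 to a non-Microsoft host within WINDOW
         of its last TURN relay contact.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    last_turn = {}   # process name -> timestamp of its most recent TURN contact
    findings = []
    for e in events:
        proc = e["process"]
        if e["port"] == TURN_PORT and is_microsoft(e["host"]):
            if proc not in TEAMS_PROCESSES:
                findings.append((proc, "non-Teams process contacting Microsoft TURN relay", e["host"]))
            last_turn[proc] = e["ts"]
        elif e["proto"] == "UDP" and e["port"] == QUIC_PORT and not is_microsoft(e["host"]):
            seen = last_turn.get(proc)
            if seen is not None and e["ts"] - seen <= WINDOW:
                findings.append((proc, "QUIC session to non-Microsoft host shortly after TURN relay contact", e["host"]))
    return findings


if __name__ == "__main__":
    for proc, reason, host in detect(SAMPLE_LOG):
        print(f"{proc}: {reason} ({host})")
```

Run against the constructed log, the two legitimate Teams relay lines produce nothing, the relay contact by DbgView64.exe (the process the report says was hollowed) is flagged on its own, and the QUIC session it opens ninety seconds later to an outside host is flagged as the second stage. The Chrome line shows why the second rule requires a preceding relay contact from the same process: ordinary QUIC traffic to a CDN is not a finding.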

WHY IT MATTERS

The approach shows how ransomware operators can blend into trusted cloud traffic while keeping access to a victim network for longer periods. That makes detection harder for defenders and can increase the risk of follow-on theft, lateral movement or resale of access.