---
title: "Hackers Abuse Microsoft Teams to Conceal Ransomware Activity"
date: 2026-06-16
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/06/hackers-abuse-microsoft-teams-to-conceal-ransomware.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Hackers Abuse Microsoft Teams to Conceal Ransomware Activity

Cybersecurity researchers have uncovered a sophisticated DragonForce ransomware attack in which hackers used Microsoft Teams infrastructure to hide malicious communications and evade detection.

## Quick Summary – TLDR:

- DragonForce ransomware operators used a custom malware called Backdoor.Turn to conceal command and control traffic.
- The malware abused Microsoft Teams TURN relay infrastructure, making malicious activity appear as legitimate Teams traffic.
- Researchers say this is the first known real world case of malware exploiting Teams relays for command and control communications.
- The attack also featured advanced defense evasion techniques, including vulnerable driver exploitation and custom malware tools.

## What Happened?

Researchers at Symantec have detailed a highly sophisticated DragonForce ransomware campaign targeting a major U.S. services company. The attackers used a previously unseen remote access trojan called **Backdoor.Turn** that leveraged Microsoft Teams relay infrastructure to disguise communications with attacker controlled servers.

Because the traffic appeared to be associated with legitimate **Microsoft Teams services**, security teams had little visibility into the malicious activity occurring within the victim’s network.

> [\#NEW](https://x.com/hashtag/NEW?src=hash&ref_src=twsrc%5Etfw) – Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden – To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild. Read more: <https://t.co/i6s0iVisxc> [pic.twitter.com/V4vKRIcdwj](https://t.co/V4vKRIcdwj)
> 
> — Threat Intelligence (@threatintel) [June 16, 2026](https://x.com/threatintel/status/2066834849030078907?ref_src=twsrc%5Etfw)

## Attackers Hid Malicious Traffic Inside Microsoft Teams

The most significant aspect of the attack was the use of **Backdoor.Turn**, a custom Go based remote access backdoor designed to blend malicious traffic with trusted Microsoft services.

The malware obtains an anonymous Teams visitor token through Microsoft’s Skype backed identity services and uses a legitimate Microsoft **TURN** relay server during connection setup. Once the connection is established, the malware creates a QUIC session with the attackers’ command and control infrastructure.

As a result, defenders monitoring network activity would only observe connections to legitimate Microsoft Teams servers rather than attacker controlled systems.
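The practical consequence for defenders is that destination-based monitoring stops working: the relay endpoint is Microsoft's, so the question to ask is *which process* is talking to it. The script below is an added example written for this article (it is not Symantec's or Microsoft's code). It reads constructed endpoint network-connection records (a key=value form chosen here for readability) and reports any process other than the Teams client that contacts a TURN relay port, escalating long-lived relay use. The Teams client image names, the relay port range beyond 3478 and the session-length threshold are assumptions to tune for your environment.

```python
"""Flag TURN relay use by processes other than the Teams client.

Added example for this article, not Symantec's or Microsoft's code.
Input records imitate endpoint network-connection telemetry; the
key=value layout is an assumption of this example.
"""
import re
from datetime import datetime, timedelta

# 3478 is the IANA-registered STUN/TURN port; 3479-3481 are assumed here
# to cover the Teams media relay port range.
TURN_PORTS = {3478, 3479, 3480, 3481}
# Assumed allowlist of Teams client image names (classic and new client).
TEAMS_CLIENTS = {"teams.exe", "ms-teams.exe"}
# Relay use sustained longer than this by a non-Teams process is escalated
# (assumed threshold; a real call client also holds relays open, which is
# why the process allowlist comes first).
LONG_SESSION = timedelta(minutes=10)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one record: ISO timestamp followed by key=value pairs."""
    ts, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    ev["proc"] = ev["image"].rsplit("\\", 1)[-1].lower()
    return ev


def find_turn_abuse(lines):
    """Group TURN connections by (host, process) and return findings for
    every process that is not the Teams client."""
    sessions = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["dport"] not in TURN_PORTS or ev["proc"] in TEAMS_CLIENTS:
            continue
        key = (ev["host"], ev["proc"])
        s = sessions.setdefault(
            key, {"first": ev["ts"], "last": ev["ts"], "relays": set(), "count": 0})
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
        s["relays"].add(ev["dst"])
        s["count"] += 1

    findings = []
    for (host, proc), s in sessions.items():
        duration = s["last"] - s["first"]
        findings.append({
            "host": host,
            "process": proc,
            "connections": s["count"],
            "relays": sorted(s["relays"]),
            "duration_min": int(duration.total_seconds() // 60),
            "severity": "high" if duration >= LONG_SESSION else "medium",
            "reason": "non-Teams process used a TURN relay port",
        })
    return findings


# Constructed telemetry: hosts, paths and relay IPs are made up for this
# example. The DbgView64.exe host process mirrors the article's description.
SAMPLE_EVENTS = r"""
2026-06-10T09:12:01Z host=WS-042 image="C:\Program Files\WindowsApps\MSTeams\ms-teams.exe" dst=198.51.100.10 dport=3478 proto=udp
2026-06-10T09:12:05Z host=WS-042 image="C:\Tools\DbgView64.exe" dst=198.51.100.10 dport=3478 proto=udp
2026-06-10T09:20:17Z host=WS-042 image="C:\Tools\DbgView64.exe" dst=198.51.100.11 dport=3478 proto=udp
2026-06-10T09:40:02Z host=WS-042 image="C:\Tools\DbgView64.exe" dst=198.51.100.10 dport=3478 proto=udp
2026-06-10T09:41:00Z host=WS-042 image="C:\Program Files\Google\Chrome\Application\chrome.exe" dst=203.0.113.5 dport=443 proto=tcp
2026-06-10T10:02:44Z host=SRV-07 image="C:\Windows\System32\curl.exe" dst=198.51.100.12 dport=3478 proto=udp
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_turn_abuse(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['process']}: "
              f"{f['connections']} TURN connections over {f['duration_min']} min "
              f"to {', '.join(f['relays'])}")
```

The design point is that the allowlist is on the client process, not the destination: the relay address is Microsoft's and will pass any reputation check, so the only thing that distinguishes a debugger binary from the Teams client at this layer is the process image behind the connection. A real deployment would take the process and destination from Sysmon event 3 or the EDR's network telemetry rather than from a text file.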

According to Symantec:

> Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams’ TURN relay servers to mask command-and-control traffic.
>
> — Symantec

Researchers noted that while the concept was demonstrated in 2025 through Praetorian’s Ghost Calls research, this is the first documented case of threat actors using the technique in a real attack.

## DragonForce Maintained Access for Weeks

The attack began in December 2025 and appears to have started through the exploitation of an unknown vulnerability in an **SQL** or **MSSQL** server. Researchers also noted that access may have been acquired through an access broker.

Once inside the network, the attackers deployed a ZIP archive containing legitimate **VirtualBox** and DbgView executables alongside a malicious DLL file. Through DLL side loading and DLL hijacking, the attackers were able to execute malicious code while appearing to run legitimate software.

The threat actors remained inside the victim environment for approximately one to two months, carrying out reconnaissance, persistence activities, and defense evasion before deploying ransomware.

To strengthen their foothold, the attackers:

- **Created rogue user accounts.**
- **Modified firewall rules.**
- **Used the Windows LimitBlankPassword policy to simplify future access.**
- **Established multiple methods of persistence across compromised systems.**
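Each of the first three steps leaves a Windows Security log entry that can be correlated. The script below is an added example for this article (not from Symantec's report). It uses the real event IDs 4720 (a user account was created), 4946 and 4947 (a Windows Firewall rule was added or modified) and 4657 (a registry value was modified), and treats the `LimitBlankPasswordUse` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` as the setting behind the "LimitBlankPassword" policy the article names; setting it to 0 lets accounts with blank passwords log on over the network. The records, host names and the 24-hour correlation window are constructed for the example, and 4657 only appears for that key if object-access auditing is configured on it.

```python
r"""Correlate foothold indicators from Windows Security events.

Added example for this article, not from the source report. Event IDs are
the real Windows Security log IDs; records and hosts are constructed. The
registry value is HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
(REG_DWORD; 0 allows network logon with a blank password).
"""
from collections import defaultdict
from datetime import datetime, timedelta

LSA_VALUE = r"\Control\Lsa\LimitBlankPasswordUse"
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed records: (timestamp, host, event_id, detail)
SAMPLE_EVENTS = [
    ("2025-12-14T02:10:00Z", "SRV-07", 4720, "account=svc_backup2"),
    ("2025-12-14T02:12:30Z", "SRV-07", 4946, "rule=Allow Remote Admin Inbound"),
    ("2025-12-14T02:15:05Z", "SRV-07", 4657,
     r"value=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse new=0"),
    ("2025-12-14T09:00:00Z", "WS-042", 4947, "rule=Block Printer Inbound"),
    ("2025-12-15T11:30:00Z", "SRV-12", 4720, "account=jdoe"),
    ("2025-12-15T12:00:00Z", "SRV-12", 4657,
     r"value=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse new=1"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify(event_id, detail):
    """Map an event to a foothold indicator, or None if it is not one."""
    if event_id == 4720:
        return "rogue_account"
    if event_id in (4946, 4947):
        return "firewall_rule_changed"
    if event_id == 4657:
        # Only the LSA value being set to 0 (blank passwords usable over the
        # network) counts; setting it back to 1 is the hardening direction.
        d = detail.lower()
        if LSA_VALUE.lower() in d and "new=0" in d:
            return "blank_password_allowed"
    return None


def score_hosts(events):
    """Return one finding per host where two or more distinct indicators
    occur within WINDOW of each other; three indicators rate 'high'."""
    by_host = defaultdict(list)
    for ts, host, event_id, detail in events:
        kind = classify(event_id, detail)
        if kind:
            by_host[host].append((parse_ts(ts), kind, detail))

    findings = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # Sliding window: indicators seen within WINDOW after this event.
            kinds = {k for t, k, _ in evs[i:] if t - start <= WINDOW}
            if len(kinds) >= 2:
                findings.append({
                    "host": host,
                    "indicators": sorted(kinds),
                    "severity": "high" if len(kinds) == 3 else "medium",
                })
                break
    return findings


if __name__ == "__main__":
    for f in score_hosts(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {', '.join(f['indicators'])}")
```

A single new account or firewall rule is routine on most servers; the signal the article describes is the combination on one host in a short time, which is why the function reports only when at least two distinct indicators fall inside the window rather than alerting on each event.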

## Advanced Defense Evasion Techniques

The campaign showcased a high level of technical sophistication through the use of **Bring Your Own Vulnerable Driver (BYOVD)** techniques.

The attackers exploited several signed but vulnerable drivers to gain kernel level privileges and disable security software. These included:

- **Huawei HWAuidoOs2Ec.sys**
- **Topaz Antifraud wsftprm.sys**
- **Tower of Fantasy Gamedriverx64.sys**
- **K7 Security K7RKScan.sys**

Researchers highlighted a particularly notable technique called **Havoc Process Terminator**, which leveraged Huawei’s **HWAuidoOs2Ec.sys** driver in a manner not previously observed in real world attacks.

The group also deployed **ABYSSWORKER**, a custom malicious driver disguised as a legitimate Palo Alto Networks driver. Unlike traditional BYOVD attacks that rely on vulnerable legitimate drivers, **ABYSSWORKER** was specifically built for malicious purposes.
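Both flavours of driver abuse in this section can be caught with an inventory check: the known-vulnerable drivers by filename, and a purpose-built driver such as ABYSSWORKER (whose name is not known in advance) by where it was loaded from. The script below is an added example for this article, not Symantec's code. The four filenames on the blocklist are the ones the article names; the CSV inventory format (name, path, signer columns), the signer strings and the sample paths are constructed for the example. On a real host the inventory could be built from `driverquery /v /fo csv` or an EDR export, and Microsoft's vulnerable driver blocklist should be the production source of truth rather than a hand-maintained set.

```python
r"""Audit a driver inventory for BYOVD indicators.

Added example for this article, not Symantec's code. The CSV layout and
the sample rows are constructed; the blocklist names come from the article.
"""
import csv
import io

# Filenames the article lists as abused in this campaign (case-insensitive).
KNOWN_ABUSED = {
    "hwauidoos2ec.sys",   # Huawei
    "wsftprm.sys",        # Topaz Antifraud
    "gamedriverx64.sys",  # Tower of Fantasy
    "k7rkscan.sys",       # K7 Security
}
# Drivers normally live here; a driver loaded from elsewhere is worth a look
# even when its name and signer look like a legitimate vendor's.
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed inventory: paths and signer strings are made up for this example.
SAMPLE_INVENTORY = r"""name,path,signer
tcpip.sys,C:\Windows\System32\drivers\tcpip.sys,Microsoft Windows
HWAuidoOs2Ec.sys,C:\Users\Public\HWAuidoOs2Ec.sys,Example Hardware Vendor
wsftprm.sys,C:\Windows\System32\drivers\wsftprm.sys,Example Security Vendor
vendor_x.sys,C:\ProgramData\vendor_x.sys,Example Network Vendor
"""


def in_system_driver_dir(path):
    """True if the path sits directly under the system driver directory."""
    return path.lower().startswith(SYSTEM_DRIVER_DIR + "\\")


def audit_drivers(csv_text):
    """Return a finding for each driver that matches the blocklist or is
    loaded from outside the system driver directory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].lower()
        reasons = []
        if name in KNOWN_ABUSED:
            reasons.append("filename matches a driver abused for BYOVD in this campaign")
        if not in_system_driver_dir(row["path"]):
            reasons.append("loaded from outside the system driver directory")
        if reasons:
            findings.append({
                "name": row["name"],
                "path": row["path"],
                "signer": row["signer"],
                # A blocklisted name is high regardless of location; an
                # unexpected location alone needs a human look.
                "severity": "high" if name in KNOWN_ABUSED else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_drivers(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['name']} ({f['path']}, signed by {f['signer']})")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The location rule exists because a valid signature is exactly what a BYOVD driver brings with it: the Huawei and other drivers on the list load without complaint because they are genuinely signed, and ABYSSWORKER was built to look like a signed vendor driver. Signature checks therefore belong in the inventory step; the audit here asks the questions a signature cannot answer.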

## Backdoor.Turn Offered Broad Espionage Capabilities

**Backdoor.Turn** was injected into the legitimate **DbgView64.exe** process, helping it remain hidden from security tools.

The malware provided attackers with extensive capabilities, including:

- **Command execution and process creation.**
- **Network scanning and reconnaissance.**
- **TLS certificate collection.**
- **Website title harvesting.**
- **LDAP and Active Directory searches.**
- **Browser credential theft.**
- **Credential based lateral movement.**

Researchers believe the malware was deployed after [ransomware](https://sqmagazine.co.uk/ransomware-statistics/) execution, suggesting it may have been intended to maintain long term access or potentially be resold to other [cybercriminal groups](https://sqmagazine.co.uk/cybercrime-statistics/).

## DragonForce Continues to Evolve

DragonForce has been active since at least 2023 and has evolved from a traditional ransomware as a service operation into a more structured cartel style organization. The group has also been linked to the notorious Scattered Spider threat ecosystem.

Researchers said the campaign demonstrates an exceptional level of expertise and operational maturity. The combination of custom malware development, advanced defense evasion techniques, and abuse of trusted enterprise infrastructure highlights the growing sophistication of modern ransomware operations.

## SQ Magazine Takeaway

I think this attack is a warning sign for security teams everywhere. For years, defenders have focused on spotting suspicious domains and unusual network connections. DragonForce showed that attackers can now hide inside services organizations trust every day. When malicious traffic looks exactly like [Microsoft Teams](https://sqmagazine.co.uk/microsoft-teams-statistics/) traffic, traditional monitoring becomes much less effective. This campaign demonstrates how quickly ransomware groups are innovating, and why organizations must move beyond simple network based detection to identify advanced threats.