SQ Magazine

Smarter Insights for a Fast-Moving Digital World

Hackers Abuse Microsoft Teams to Conceal Ransomware Activity

Published on: June 16, 2026
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo

Cybersecurity researchers have uncovered a sophisticated DragonForce ransomware attack in which hackers used Microsoft Teams infrastructure to hide malicious communications and evade detection.

Quick Summary – TLDR:

  • DragonForce ransomware operators used a custom malware called Backdoor.Turn to conceal command and control traffic.
  • The malware abused Microsoft Teams TURN relay infrastructure, making malicious activity appear as legitimate Teams traffic.
  • Researchers say this is the first known real world case of malware exploiting Teams relays for command and control communications.
  • The attack also featured advanced defense evasion techniques, including vulnerable driver exploitation and custom malware tools.

What Happened?

Researchers at Symantec have detailed a highly sophisticated DragonForce ransomware campaign targeting a major U.S. services company. The attackers used a previously unseen remote access trojan called Backdoor.Turn that leveraged Microsoft Teams relay infrastructure to disguise communications with attacker controlled servers.

Because the traffic appeared to be associated with legitimate Microsoft Teams services, security teams had little visibility into the malicious activity occurring within the victim’s network.

Attackers Hid Malicious Traffic Inside Microsoft Teams

The most significant aspect of the attack was the use of Backdoor.Turn, a custom Go based remote access backdoor designed to blend malicious traffic with trusted Microsoft services.

The malware obtains an anonymous Teams visitor token through Microsoft’s Skype backed identity services and uses a legitimate Microsoft TURN relay server during connection setup. Once the connection is established, the malware creates a QUIC session with the attackers’ command and control infrastructure.

As a result, defenders monitoring network activity would only observe connections to legitimate Microsoft Teams servers rather than attacker controlled systems.

According to Symantec:

Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams’ TURN relay servers to mask command-and-control traffic.

Symantec

Researchers noted that while the concept was demonstrated in 2025 through Praetorian’s Ghost Calls research, this is the first documented case of threat actors using the technique in a real attack.

DragonForce Maintained Access for Weeks

The attack began in December 2025 and appears to have started through the exploitation of an unknown vulnerability in an SQL or MSSQL server. Researchers also noted that access may have been acquired through an access broker.

Once inside the network, the attackers deployed a ZIP archive containing a legitimate VirtualBox and DbgView executable alongside a malicious DLL file. Through DLL side loading and DLL hijacking techniques, the attackers were able to execute malicious code while appearing legitimate.

The threat actors remained inside the victim environment for approximately one to two months, carrying out reconnaissance, persistence activities, and defense evasion before deploying ransomware.

To strengthen their foothold, the attackers:

  • Created rogue user accounts.
  • Modified firewall rules.
  • Used the Windows LimitBlankPassword policy to simplify future access.
  • Established multiple methods of persistence across compromised systems.
Newsletter
Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

Advanced Defense Evasion Techniques

The campaign showcased a high level of technical sophistication through the use of Bring Your Own Vulnerable Driver (BYOVD) techniques.

The attackers exploited several signed but vulnerable drivers to gain kernel level privileges and disable security software. These included:

  • Huawei HWAuidoOs2Ec.sys
  • Topaz Antifraud wsftprm.sys
  • Tower of Fantasy Gamedriverx64.sys
  • K7 Security K7RKScan.sys

Researchers highlighted a particularly notable technique called Havoc Process Terminator, which leveraged Huawei’s HWAuidoOs2Ec.sys driver in a manner not previously observed in real world attacks.

The group also deployed ABYSSWORKER, a custom malicious driver disguised as a legitimate Palo Alto Networks driver. Unlike traditional BYOVD attacks that rely on vulnerable legitimate drivers, ABYSSWORKER was specifically built for malicious purposes.

Backdoor.Turn Offered Broad Espionage Capabilities

Backdoor.Turn was injected into the legitimate DbgView64.exe process, helping it remain hidden from security tools.

The malware provided attackers with extensive capabilities, including:

  • Command execution and process creation.
  • Network scanning and reconnaissance.
  • TLS certificate collection.
  • Website title harvesting.
  • LDAP and Active Directory searches.
  • Browser credential theft.
  • Credential based lateral movement.

Researchers believe the malware was deployed after ransomware execution, suggesting it may have been intended to maintain long term access or potentially be resold to other cybercriminal groups.

DragonForce Continues to Evolve

DragonForce has been active since at least 2023 and has evolved from a traditional ransomware as a service operation into a more structured cartel style organization. The group has also been linked to the notorious Scattered Spider threat ecosystem.

Researchers said the campaign demonstrates an exceptional level of expertise and operational maturity. The combination of custom malware development, advanced defense evasion techniques, and abuse of trusted enterprise infrastructure highlights the growing sophistication of modern ransomware operations.

SQ Magazine Takeaway

I think this attack is a warning sign for security teams everywhere. For years, defenders have focused on spotting suspicious domains and unusual network connections. DragonForce showed that attackers can now hide inside services organizations trust every day. When malicious traffic looks exactly like Microsoft Teams traffic, traditional monitoring becomes much less effective. This campaign demonstrates how quickly ransomware groups are innovating, and why organizations must move beyond simple network based detection to identify advanced threats.

This article has been reviewed and fact-checked by Robert A. Lee. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News

References

Sofia Ramirez

Sofia Ramirez

Senior Tech Writer

Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment

Company
Discover
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity