DragonForce Ransomware Is Hiding in Microsoft Teams Traffic
A DragonForce ransomware attack has exposed a new problem for enterprise defenders: attackers are no longer just hiding behind disposable servers and shady domains. They are increasingly blending into the trusted cloud services companies rely on every day.
Broadcom’s Symantec and Carbon Black threat hunters say they found a new Go-based backdoor, tracked as Backdoor.Turn, during an investigation into an attack on a U.S. services company. The malware is notable because it routes its command-and-control traffic through Microsoft Teams TURN relay infrastructure. The connections really do terminate at Microsoft-operated relays, so to security tooling they look like ordinary Teams traffic rather than a link to attacker-controlled systems.
That matters because Teams is not some obscure tool sitting at the edge of the business. It is core collaboration infrastructure for many enterprises. Blocking it outright is usually not an option, and attackers know that.
Backdoor.Turn reportedly obtains an anonymous Teams visitor token from Microsoft’s identity infrastructure, uses Microsoft’s TURN relay service to set up a relayed connection with that token in hand, and then talks to the attacker’s actual command server over a QUIC session carried through that relayed connection. Researchers said this appears to be the first known malware family seen abusing Teams TURN relay infrastructure in this way.
The technique marks a step forward for ransomware tradecraft. DragonForce has been active since 2023 and has evolved from a conventional ransomware brand into a more cartel-like operation with affiliates, custom tooling and increasingly sophisticated intrusion playbooks.
In the incident analyzed by Symantec and Carbon Black, the victim appears to have been compromised through a vulnerable SQL server, reportedly a Microsoft SQL Server (MSSQL) instance. The attackers may also have bought access from an initial access broker, a common path into corporate networks for ransomware groups.
Once inside, the operators moved methodically. They used DLL sideloading to execute malicious code, pulled down additional payloads, established persistence and mapped the environment. They also used a bring-your-own-vulnerable-driver (BYOVD) technique: loading legitimately signed but flawed drivers and exploiting them to gain kernel-level access and shut down security tools.
The ransomware deployment was only one part of the operation. Backdoor.Turn gave the attackers a way to maintain access after encryption, run commands, create processes, scan the network, map Active Directory, move laterally with stolen credentials and harvest browser-stored secrets.
Craig Birch, Principal Technologist at Cayosoft, said the campaign shows how ransomware operators are moving into the gray space between trusted services and malicious abuse.
"This incident shows how ransomware operators are abusing trusted services, not just obvious malicious infrastructure.
Microsoft Teams relay servers help Teams traffic connect when users cannot reach each other directly, often through TURN-based relay infrastructure. A simple example is a Teams call where two users are behind restrictive firewalls or NAT devices. If a direct media path cannot be established, TURN can relay the traffic so the call still works. Because that traffic is expected, encrypted, and commonly allowed, DragonForce was able to make command-and-control activity look like normal Teams communication.
That is the detection challenge. Defenders may only see outbound traffic to Microsoft infrastructure, not a clear connection to attacker-controlled systems. You cannot simply block a business-critical service without breaking the business. The real damage comes after access is gained: account changes, weakened security settings, lateral movement, credential theft, data exfiltration, and ransomware deployment. The relay abuse is cover. It gives attackers more time to operate.
DragonForce has been active since at least 2023 and operates as a ransomware-as-a-service group. The group has claimed responsibility for attacks against several organizations across multiple sectors, though ransomware leak-site claims should still be treated carefully until independently verified. The important pattern is trusted infrastructure abuse, social engineering, identity compromise, data theft, and ransomware pressure.
For defenders, the takeaway is simple: endpoint and network visibility still matter, but so does monitoring identity and configuration change. New accounts, privilege changes, weakened controls, suspicious group membership changes, and unexpected remote access paths may be the clearest signs something is wrong."
The broader lesson is uncomfortable for security teams. Reputation-based defenses and destination allowlists are less useful when attacker traffic is routed through infrastructure that already belongs in the environment. In these cases, the signal may not be the domain contacted. It may be the behavior around it.
That means defenders need to correlate identity changes, endpoint activity, privilege escalation attempts, unusual driver loads, suspicious process creation and unexpected authentication paths. In a cloud-heavy enterprise, the question is no longer just whether traffic is going somewhere malicious. It is whether trusted infrastructure is being used in a way that no normal business workflow would require.
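The relay mechanics described earlier and the behavioral-detection point made in the last two paragraphs can be made concrete. The script below is an added example, not code from this article, from Broadcom’s researchers or from the malware itself. It parses the STUN/TURN message header (RFC 5389/8656: 20-byte header, magic cookie 0x2112A442) from constructed outbound telemetry and flags relay use (Allocate, Send, ChannelBind or ChannelData frames) by any process image that is not an expected Teams client. The process allowlist, the sample events, the `relay.example.invalid` destination and the port are assumptions for illustration. The destination is deliberately not a criterion, because in both the benign and the abusive case the traffic goes to Microsoft-operated relays; the process doing the talking is the signal.

```python
"""Flag TURN relay use by processes that are not the Teams client.

Constructed telemetry: each event is a process image plus the first
bytes of an outbound payload. The STUN/TURN wire format follows RFC
5389/8656; the allowlisted process names, destinations and sample
events are assumptions for illustration, not data from the incident.
"""
import struct
from dataclasses import dataclass

MAGIC_COOKIE = 0x2112A442
TURN_METHODS = {
    0x001: "Binding",
    0x003: "Allocate",
    0x004: "Refresh",
    0x006: "Send",
    0x007: "Data",
    0x008: "CreatePermission",
    0x009: "ChannelBind",
}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
RELAY_USE = {"Allocate", "Send", "ChannelBind", "ChannelData"}

# Assumption: process images expected to speak TURN in this environment.
EXPECTED_TURN_PROCESSES = {"ms-teams.exe", "teams.exe"}


@dataclass
class Event:
    process: str
    dst: str
    dport: int
    payload: bytes


def parse_stun(payload: bytes):
    """Return (method, class) if payload starts with a STUN/TURN header,
    ("ChannelData", "data") for a TURN ChannelData frame, else None."""
    if len(payload) < 4:
        return None
    top_bits = payload[0] >> 6
    if top_bits == 0b01:
        # ChannelData frames carry a channel number 0x4000-0x7FFF first.
        return ("ChannelData", "data")
    if top_bits != 0b00 or len(payload) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != MAGIC_COOKIE or mlen % 4 != 0:
        return None
    # Method and class bits are interleaved in the 14-bit message type.
    method = (mtype & 0x000F) | ((mtype & 0x00E0) >> 1) | ((mtype & 0x3E00) >> 2)
    cls = ((mtype & 0x0100) >> 7) | ((mtype & 0x0010) >> 4)
    return (TURN_METHODS.get(method, f"method_{method:#05x}"), CLASSES[cls])


def stun_message(method: int, cls: int, txid: bytes = b"\x00" * 12) -> bytes:
    """Build a zero-attribute STUN message (used to construct samples)."""
    mtype = (method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
    mtype |= ((cls & 0b10) << 7) | ((cls & 0b01) << 4)
    return struct.pack("!HHI", mtype, 0, MAGIC_COOKIE) + txid


def flag_events(events):
    """Alert on TURN relay traffic from processes that do not normally
    use it. The destination is not checked: the relay is legitimate
    Microsoft infrastructure whether the caller is Teams or a backdoor."""
    alerts = []
    for ev in events:
        parsed = parse_stun(ev.payload)
        if parsed is None:
            continue
        method, cls = parsed
        if method in RELAY_USE and ev.process.lower() not in EXPECTED_TURN_PROCESSES:
            alerts.append(f"{ev.process} -> {ev.dst}:{ev.dport} TURN {method} {cls}")
    return alerts


# Constructed sample telemetry (not from the incident described above).
SAMPLE_EVENTS = [
    Event("ms-teams.exe", "relay.example.invalid", 3478, stun_message(0x003, 0)),
    Event("ms-teams.exe", "relay.example.invalid", 3478, b"\x40\x01\x00\x04abcd"),
    Event("svchost.exe", "dc.example.invalid", 389, b"\x30\x0c\x02\x01\x01"),
    Event("updater.exe", "relay.example.invalid", 3478, stun_message(0x003, 0)),
    Event("updater.exe", "relay.example.invalid", 3478, stun_message(0x006, 1)),
    Event("updater.exe", "relay.example.invalid", 3478, b"\x40\x01\x00\x04abcd"),
]

if __name__ == "__main__":
    for line in flag_events(SAMPLE_EVENTS):
        print(line)
```

Running it prints three alerts, all for `updater.exe`, while the identical Allocate and ChannelData frames from the Teams client pass silently. In production the process image should be paired with its signer and launch path, since a sideloaded DLL inside a trusted-looking process is exactly the kind of trick the article describes.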
DragonForce’s use of Backdoor.Turn is a warning shot. Ransomware crews are investing in stealth, not just speed. And as attackers hide inside the services companies cannot easily turn off, defenders will have to look less at where traffic goes and more at what the humans, accounts and machines behind it are doing.