At a glance
| Item | Detail |
|---|---|
| Malware family | Backdoor.Turn (Go-based RAT) |
| Threat actor | DragonForce ransomware, developed by Hackledorb (Symantec attribution) |
| Target / victims | A major U.S. services firm; attackers dwelled one to two months |
| Delivery vector | Likely SQL/MSSQL exploit or broker access; DLL side-loading via a signed VirtualBox/DbgView app |
| Key capabilities | Teams TURN relay C2 over QUIC, BYOVD evasion, AD/LDAP recon, credential theft, lateral movement |
| Source | Symantec Carbon Black Threat Hunter Team (Thibaut Passilly) |
TL;DR
Symantec has uncovered Backdoor.Turn, a Microsoft Teams backdoor that hides its command-and-control traffic inside Microsoft’s own relay servers. DragonForce ransomware operators used it against a major U.S. services firm. Researchers call it the first malware to abuse Teams TURN relays this way. The attackers stayed hidden for one to two months.
Delivery: a signed app loads a malicious DLL
The intrusion began in December 2025. Attackers likely exploited a flaw in an SQL or MSSQL server, though the exact bug remains unknown. Symantec notes they may instead have bought access from a broker. Once inside, they pulled down a ZIP archive. It held a legitimate, signed VirtualBox/DbgView executable paired with a malicious DLL. The signed program then side-loaded that DLL. This DLL hijacking ran attacker code under a trusted process with high privileges.
How the attack unfolds

After the foothold, the operators settled in for the long haul. They stayed on the network for one to two months. To keep access, they weakened password policy, added rogue accounts, and changed firewall rules. For defense evasion, they brought their own vulnerable drivers. The drivers carried flaws tracked as CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055. They also exploited a Huawei audio driver in a novel “Havoc Process Terminator” technique. That driver was not publicly known as vulnerable at the time; Huntress documented its weakness only after the attack. The group even ran a custom malicious driver disguised as a Palo Alto product. With defenses down, the group deployed DragonForce ransomware to steal and encrypt data.
Hiding C2 inside Microsoft Teams
The standout tool is the Microsoft Teams backdoor itself. The malware injects into DbgView64.exe for stealth. First, it requests an anonymous Teams “visitor” token from Microsoft’s Skype-backed identity services. Then it uses a legitimate Microsoft TURN relay to set up the link. Finally, it opens a QUIC session to the real attacker C2. As Symantec puts it, the “only traffic they could see was outbound connections to legitimate Microsoft Teams servers.” Because the channel rides trusted Microsoft IP space, no rogue domain appears in network logs. That makes the traffic hard to profile. The approach draws on the Ghost Calls technique shown at Black Hat 2025. Backdoor.Turn can run commands, scan networks, search Active Directory, steal browser credentials, and move laterally.
Detection and defense guidance
This Microsoft Teams backdoor blends with normal Teams traffic, so signature rules alone fall short. Microsoft IP ranges are widely allowlisted, so reputation-based tools may miss it. Hunt for unexpected processes opening Teams visitor sessions or TURN connections. Flag QUIC sessions that follow Teams relay setup from non-Teams binaries. Block known vulnerable drivers and turn on driver blocklists. Audit sudden firewall, account, and password-policy changes. Reset browser-stored credentials on any affected host.
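One way to turn the first two hunting rules above into a query, as an added example that is not from Symantec or the original article: it walks constructed connection events and flags non-Teams processes that contact a Teams relay over TURN, escalating when a QUIC session follows shortly after. The process allowlist, the log format and the `teams-relay` enrichment tag are assumptions.

```python
from datetime import datetime, timedelta

# Assumptions for this illustration: the process allowlist below, and a
# "dst_tag" field set by an upstream enrichment step that labels Microsoft
# Teams relay endpoints as "teams-relay".
TEAMS_BINARIES = {"ms-teams.exe", "teams.exe"}
TURN_PORTS = {3478, 3479}       # standard TURN ports (RFC 5766)
QUIC_PORT = 443                 # QUIC rides UDP/443
WINDOW = timedelta(minutes=10)  # how long a TURN setup "primes" a QUIC alert

# Constructed sample log: time|host|process|proto|dst_port|dst_tag
SAMPLE_LOG = """\
2025-12-03T10:00:01Z|HOST1|ms-teams.exe|udp|3478|teams-relay
2025-12-03T10:00:04Z|HOST1|ms-teams.exe|udp|443|teams-relay
2025-12-03T10:15:10Z|HOST7|DbgView64.exe|udp|3478|teams-relay
2025-12-03T10:15:12Z|HOST7|DbgView64.exe|udp|443|teams-relay
2025-12-03T11:00:00Z|HOST7|chrome.exe|udp|443|cdn
2025-12-03T12:00:00Z|HOST9|notepad.exe|udp|3478|teams-relay
"""

def parse(line):
    ts, host, proc, proto, port, tag = line.strip().split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "proc": proc.lower(), "proto": proto, "port": int(port), "tag": tag}

def hunt(log_text):
    """Map (host, process) -> severity for non-Teams binaries that touch
    Teams relays. TURN contact alone is 'medium'; TURN setup followed by a
    QUIC session to a relay within WINDOW is 'high' (the C2 pattern)."""
    last_turn = {}   # (host, proc) -> time of most recent relay TURN contact
    findings = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["proto"] != "udp" or ev["tag"] != "teams-relay":
            continue                      # not relay traffic: ignore
        if ev["proc"] in TEAMS_BINARIES:
            continue                      # the real client is expected here
        key = (ev["host"], ev["proc"])
        if ev["port"] in TURN_PORTS:
            last_turn[key] = ev["ts"]
            findings.setdefault(key, "medium")
        elif (ev["port"] == QUIC_PORT and key in last_turn
                and ev["ts"] - last_turn[key] <= WINDOW):
            findings[key] = "high"
    return findings

if __name__ == "__main__":
    for (host, proc), sev in hunt(SAMPLE_LOG).items():
        print(f"{sev.upper():6} {host} {proc}")
```

Feed it your EDR or NetFlow export instead of `SAMPLE_LOG`; the injected DbgView64.exe host is the one that scores high.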
Attribution is firm. Symantec ties the campaign to DragonForce, a group it tracks as Hackledorb. Some researchers also link DragonForce to the Scattered Spider crew. The operation has shifted from ransomware-as-a-service toward a cartel-style structure. For the full technical write-up, see Symantec’s analysis of the DragonForce Teams backdoor. Custom tooling like this signals a capable, persistent adversary.