Stealth via Infrastructure: How DragonForce Leverages Microsoft Teams TURN Relays for C2
In a sophisticated display of living-off-the-trusted-infrastructure, the DragonForce ransomware group has successfully weaponized Microsoft Teams’ backend architecture to mask malicious command-and-control (C2) traffic. By exploiting the protocol designed to facilitate seamless communication across complex network topologies, these threat actors have pioneered a method of making malicious data exfiltration nearly indistinguishable from standard enterprise collaboration traffic.
The Technical Mechanics of TURN Relay Abuse
Security researchers at Symantec have identified a novel exploitation technique targeting Microsoft Teams’ Traversal Using Relays around NAT (TURN) servers. Typically, TURN servers are utilized to relay media traffic when direct peer-to-peer connections are blocked by restrictive firewalls or NAT configurations. However, DragonForce has repurposed this mechanism to create a stealthy tunnel for their communications.
At the heart of this operation is a bespoke, Go-based Remote Access Trojan (RAT) designated as Backdoor.Turn. The malware’s lifecycle begins by leveraging Skype-based identity services—integral to the Microsoft Teams ecosystem—to acquire anonymous visitor tokens. With these tokens, the malware establishes outbound connections through official Microsoft TURN relays. Once the relay is established, Backdoor.Turn initiates a QUIC-based session (Quick UDP Internet Connections) with the attacker’s C2 infrastructure. Because the traffic originates from trusted Microsoft IP ranges and utilizes protocols standard to Teams’ media streaming, traditional signature-based NIDS (Network Intrusion Detection Systems) and behavioral analytics often fail to trigger alerts.
This marks a significant milestone in adversarial evolution, representing the first documented real-world instance of TURN infrastructure being abused for high-stealth C2 operations.
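A hunt heuristic for the behaviour described above, written as an added example (not Symantec's or the malware's code): it scans connection records for sessions to Teams relay addresses and flags those whose shape does not look like a call. The record format, the relay range, the process names and the thresholds are all constructed assumptions; the real relay ranges must come from Microsoft's published endpoint list.

```python
"""Hunt heuristic for TURN-relay sessions that do not look like Teams calls. Added example; all values constructed."""
import ipaddress

# Constructed placeholder range: substitute the Teams media relay ranges from
# Microsoft's published endpoint list before running this on real telemetry.
RELAY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
TURN_PORTS = {3478, 443}            # STUN/TURN over UDP, TURN over TLS
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
MAX_CALL_SECONDS = 4 * 3600         # relay sessions longer than this are odd
MIN_MEDIA_BPS = 2000                # real audio/video streams run well above this

def parse_record(line):
    """One constructed flow record: ts,host,process,proto,dst_ip,dst_port,bytes,duration_s"""
    ts, host, proc, proto, dst, port, nbytes, dur = line.strip().split(",")
    return {"ts": ts, "host": host, "process": proc.lower(), "proto": proto,
            "dst_ip": ipaddress.ip_address(dst), "dst_port": int(port),
            "bytes": int(nbytes), "duration_s": int(dur)}

def is_relay_destination(rec):
    return rec["dst_port"] in TURN_PORTS and any(rec["dst_ip"] in n for n in RELAY_RANGES)

def suspicious_relay_sessions(lines):
    """Return (host, process, dst_ip, reasons) for relay sessions worth triage."""
    findings = []
    for rec in map(parse_record, lines):
        if not is_relay_destination(rec):
            continue                # ordinary traffic, not relayed through Teams
        reasons = []
        # Process name is weak on its own: the payload ran inside a side-loaded,
        # legitimate-looking executable, so combine it with the session shape.
        if rec["process"] not in TEAMS_PROCESSES:
            reasons.append("relay traffic from a non-Teams process")
        if rec["duration_s"] > MAX_CALL_SECONDS:
            reasons.append("relay session far longer than a call")
        if rec["bytes"] / max(rec["duration_s"], 1) < MIN_MEDIA_BPS:
            reasons.append("throughput far below media streaming (sleeper-like)")
        if reasons:
            findings.append((rec["host"], rec["process"], str(rec["dst_ip"]), reasons))
    return findings

# Constructed sample telemetry: a normal call, a server beaconing via the relay from
# a non-Teams process, a non-relay flow, and a long, quiet Teams-process session.
SAMPLE_RECORDS = [
    "2026-01-05T09:00:00Z,ws01,ms-teams.exe,udp,203.0.113.10,3478,9000000,1800",
    "2026-01-05T09:05:00Z,srv02,vbox_helper.exe,udp,203.0.113.20,3478,600000,86400",
    "2026-01-05T09:10:00Z,ws04,chrome.exe,tcp,198.51.100.5,443,300000,60",
    "2026-01-05T09:20:00Z,ws05,ms-teams.exe,udp,203.0.113.11,3478,400000,20000",
]

if __name__ == "__main__":
    for host, proc, dst, why in suspicious_relay_sessions(SAMPLE_RECORDS):
        print(f"{host} {proc} -> {dst}: {'; '.join(why)}")
```

Thresholds are deliberately coarse; tune them against your own baseline of legitimate Teams media sessions before treating a hit as more than a triage prompt.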
Figure 1: Detailed Attack Chain Analysis (Source: Symantec)
The Intrusion Lifecycle: From Initial Access to Kernel Evasion
The breach likely originated via an unpatched SQL or MSSQL vulnerability, or potentially through a pre-established foothold purchased from an Initial Access Broker (IAB).
Once inside the perimeter, the actors employed several layers of defense evasion:
- DLL Side-Loading: Attackers deployed a malicious ZIP archive containing a legitimate VirtualBox executable. By placing a specially crafted DLL in the same directory, they successfully hijacked the application’s execution flow, allowing the payload to run under the context of a trusted process.
- Persistence Mechanisms: The group implemented several “low-and-slow” persistence tactics, including creating unauthorized user accounts, modifying firewall rules, and enabling blank-password authentication to facilitate easy re-entry.
- Advanced Reconnaissance: Using tools like ADExplore and Netscan, the actors meticulously mapped the Active Directory environment to identify high-value targets for lateral movement.
Kernel-Level Defense Evasion (BYOVD)
One of the most alarming aspects of this campaign is the use of the Bring Your Own Vulnerable Driver (BYOVD) technique. By installing signed but flawed drivers, the attackers were able to escalate privileges and terminate EDR (Endpoint Detection and Response) processes at the kernel level. They specifically exploited vulnerabilities such as CVE-2023-52271 and CVE-2025-1055.
Notably, the researchers observed the exploitation of a Huawei driver, HWAuidoOs2Ec.sys, dubbed the “Havoc Process Terminator”—a technique not previously observed in active use. Furthermore, they deployed a custom driver named Abyss Worker, disguised as a legitimate Palo Alto Networks component, demonstrating a high level of investment in sophisticated, deceptive tooling.
Conclusion and Attribution
The final stage of the attack involved the execution of the DragonForce ransomware, leading to widespread data exfiltration and system encryption. Interestingly, Backdoor.Turn was often deployed after the encryption phase, suggesting its primary function is to serve as a long-term “sleeper” backdoor for future access.
The technical architecture of Backdoor.Turn draws inspiration from the “Ghost Calls” methodology—a concept popularized at Black Hat 2025—which focuses on the exploitation of legitimate communication platforms for covert channels. Security intelligence attributes this campaign to the DragonForce group (also known as Hackledorb). Their transition from a standard Ransomware-as-a-Service (RaaS) model to a highly structured, resource-rich cybercriminal cartel underscores the growing threat posed by targeted, infrastructure-aware adversaries.