Ethical Hacking News
DragonForce, a notorious cybercrime group, has been hiding in plain sight within Microsoft Teams infrastructure for months. Using an ingenious tactic to evade detection, they abused the TURN relay infrastructure to mask their C2 activity. This is the first known instance of such abuse in the wild. The group's sophistication and expertise are evident in its use of a custom tool as complex as Backdoor.Turn.
DragonForce, a notorious cybercrime group, hid in plain sight within Microsoft Teams infrastructure. The attackers used a custom backdoor called Backdoor.Turn to obtain an anonymous Microsoft Teams visitor token and set up a connection with their real C2 server. The technique was inspired by the Ghost Calls method presented at Black Hat in 2025, but adapted for the Microsoft Teams environment. Backdoor.Turn was able to execute commands, scan networks, and pull passwords from browsers, allowing the attackers to maintain persistence for a follow-up intrusion or sell access to other attackers. The group's tactics have evolved since 2023, moving from ransomware-as-a-service to a cartel structure.
DragonForce, a notorious cybercrime group, has been hiding in plain sight for months within Microsoft Teams infrastructure. The attackers, who have been active since at least 2023, used an ingenious tactic to evade network detection and mask their Command-and-Control (C2) activity.
According to a report published by Symantec, the group's custom backdoor, dubbed Backdoor.Turn, was able to obtain an anonymous Microsoft Teams visitor token, which it then used to set up a connection with the attacker's real C2 server. This was achieved through a legitimate Microsoft TURN relay, making the traffic look like normal Teams activity to defenders.
The report states that this is the first time the TURN relay infrastructure has been abused in the wild, and it's particularly noteworthy that the attackers used a custom tool as sophisticated as Backdoor.Turn. The technique used by DragonForce was inspired by the Ghost Calls method presented at Black Hat in 2025, which focused on C&C communication that's hard to profile from the network side.
The backdoor is written in Go and injected into the legitimate DbgView64.exe process, allowing it to execute commands, scan networks, map Active Directory, move laterally with stolen credentials, and pull passwords from browsers. The attackers gained access through an unknown vulnerability in an SQL or MSSQL server, possibly purchased from a broker.
Once inside, they dropped a .zip archive containing a legitimate VirtualBox executable paired with a malicious DLL designed to sideload and fetch additional payloads from remote servers. To evade detection, DragonForce used the Bring Your Own Vulnerable Driver (BYOVD) technique against multiple signed drivers, including a novel attack on Huawei's HWAuidoOs2Ec.sys driver.
The group has been evolving its tactics since 2023, moving from a traditional ransomware-as-a-service model to a cartel structure. Backdoor.Turn gets installed after the ransomware runs, suggesting that the group is maintaining persistence for a follow-up intrusion or selling access to other attackers.
Symantec's report concludes that "the configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors." This highlights the exceptional sophistication and expertise displayed by DragonForce in executing its campaign.
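A host-side check that follows from the point above, as an added example that is not from Symantec's report or this article: because the relay destination is legitimate, the useful signal is which process connects to it. The log format, allowlist and host names are constructed, and the Teams media ranges and ports are assumed from Microsoft's published endpoint list.

```python
import csv
import io
import ipaddress

# Assumption: Teams media relay ranges and ports taken from Microsoft's published
# Microsoft 365 endpoint list; confirm against the current list before use.
TEAMS_MEDIA_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TEAMS_MEDIA_PORTS = {3478, 3479, 3480, 3481, 443}  # UDP relay ports plus TCP 443 fallback

# Assumption: images expected to talk to Teams relays in this estate (hypothetical allowlist).
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}

# Constructed sample of per-process network telemetry (hypothetical CSV export).
SAMPLE_LOG = r"""timestamp,host,image,proto,dst_ip,dst_port
2026-06-01T09:00:12Z,WS-014,C:\Program Files\WindowsApps\MSTeams\ms-teams.exe,udp,52.114.10.20,3478
2026-06-01T09:01:40Z,SQL-02,C:\Users\Public\DbgView64.exe,udp,52.115.44.7,3478
2026-06-01T09:01:41Z,SQL-02,C:\Users\Public\DbgView64.exe,tcp,203.0.113.9,443
2026-06-01T09:02:05Z,WS-020,C:\Program Files\Google\Chrome\Application\chrome.exe,udp,52.122.3.4,3479
2026-06-01T09:03:00Z,WS-014,C:\Windows\System32\svchost.exe,udp,n/a,3478
"""


def is_teams_relay(dst_ip, dst_port):
    """True when the destination falls in the assumed Teams media ranges and ports."""
    addr = ipaddress.ip_address(dst_ip)  # raises ValueError on malformed input
    return dst_port in TEAMS_MEDIA_PORTS and any(addr in net for net in TEAMS_MEDIA_NETS)


def image_name(path):
    """Lower-cased file name of a Windows or POSIX-style image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_relay_clients(log_text):
    """Return (host, image, dst_ip) for relay connections from non-allowlisted images."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            hit = is_teams_relay(row["dst_ip"], int(row["dst_port"]))
        except ValueError:
            continue  # skip rows with an unparsable address or port
        if hit and image_name(row["image"]) not in EXPECTED_IMAGES:
            findings.append((row["host"], image_name(row["image"]), row["dst_ip"]))
    return findings


if __name__ == "__main__":
    for finding in unexpected_relay_clients(SAMPLE_LOG):
        print(finding)
```

The check covers only processes outside the allowlist, so it needs per-process network telemetry from the endpoint and says nothing about traffic that originates from an allowlisted image.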
The incident serves as a reminder of the importance of vigilance and proactive measures in detecting and mitigating advanced threats. It also underscores the need for cybersecurity professionals to stay informed about emerging techniques and tactics used by sophisticated adversaries like DragonForce.
Related Information:
https://www.ethicalhackingnews.com/articles/DragonForces-Sophisticated-Hacking-Campaign-Unmasked-A-Deep-Dive-into-Microsoft-Teams-Exploit-ehn.shtml
https://securityaffairs.com/193801/security/dragonforce-hid-inside-microsoft-teams-and-nobody-noticed-for-two-months.html
Published: Thu Jun 18 01:25:09 2026 by llama3.2 3B Q4_K_M