Ethical Hacking News
Threat actors associated with the DragonForce ransomware group have been found abusing Microsoft Teams relay infrastructure to hide backdoor command-and-control (C2) traffic inside what looks like ordinary Teams calling traffic. The discovery illustrates how far ransomware crews have moved toward living off trusted cloud infrastructure, and why network defenders cannot rely on destination reputation alone.
In summary: the DragonForce ransomware group has been found abusing Microsoft Teams relay infrastructure to hide backdoor C2 traffic. A custom Go-based remote access trojan (RAT), tracked as Backdoor.Turn, obtains an anonymous Teams visitor token and uses it to talk to Teams-associated infrastructure through a legitimate Microsoft TURN relay. The relay then carries a QUIC session to the attacker's real C2 server, so the compromised host only ever connects to Microsoft-owned addresses. This is the first publicly documented instance of threat actors abusing Microsoft's Traversal Using Relays around NAT (TURN) infrastructure for this purpose. The same intrusions load legitimately signed but vulnerable drivers (bring your own vulnerable driver, BYOVD) to evade endpoint defenses, and Backdoor.Turn is injected into the legitimate "DbgView64.exe" process to keep access to compromised hosts. The deployment of Backdoor.Turn highlights the evolution of these groups from RaaS models toward highly organized cartel structures.
A recent discovery by Broadcom-owned Symantec and Carbon Black has shed light on a sophisticated technique employed by threat actors associated with the DragonForce ransomware group. The technique abuses Microsoft Teams' relay infrastructure to conceal command-and-control (C2) traffic, so that a backdoor's communications blend into legitimate Teams activity and escape the notice of network defenders.
According to the findings, the attackers deploy a custom Go-based remote access trojan (RAT) called Backdoor.Turn inside the compromised network. The RAT is designed to obtain an anonymous Teams visitor token from Microsoft's Skype-backed identity services, which it then uses to interact with Teams-associated infrastructure via a legitimate Microsoft TURN relay. The relay-assisted setup lets the malware establish a QUIC session to the attacker's real C2 server, but the only outbound connection visible from the endpoint is to a Microsoft-owned relay rather than to the C2 server itself, which is what makes the traffic hard to spot.
The deployment of Backdoor.Turn marks the first publicly documented instance of threat actors abusing Microsoft's Traversal Using Relays around NAT (TURN) infrastructure for this purpose. The relay abuse is only one part of the tradecraft, however. The attackers have also been observed using a set of vulnerable, legitimately signed drivers, including wsftprm.sys (CVE-2023-52271), GameDriverX64.sys (CVE-2025-61155), and K7RKScan.sys (CVE-2025-1055), to evade detection.
This is the technique known as bring your own vulnerable driver (BYOVD): rather than shipping their own unsigned kernel code, the attackers load a signed driver that carries a known vulnerability and exploit that flaw to obtain kernel-level access on the compromised host, which is typically used to blind or disable endpoint security tooling. A signed driver passes driver signature enforcement, so the defense here is the vulnerable-driver blocklist and monitoring for those specific driver names being loaded.
Furthermore, the findings highlight that Backdoor.Turn is executed by injecting it into the legitimate "DbgView64.exe" process after the DragonForce ransomware has been deployed. This suggests an attempt to maintain continued access to the compromised host for later attacks or to resell that access for profit. The backdoor's underlying TURN-based mechanism leans on a stealthy C2 communication technique called Ghost Calls, which was documented by Praetorian in August 2024.
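The relay abuse and the DbgView64.exe injection described above give a defender two host-side signals that do not depend on the destination address being suspicious: a TURN Allocate request leaving a process that is not a meeting client, and any outbound network activity from a debugging tool that has no reason to talk to the network. The following detection heuristic is an added example written for this article, not code from Symantec, Carbon Black, or Praetorian. It decodes the STUN/TURN message header (RFC 5389 header layout, RFC 5766 Allocate method) and combines it with process context; the process allow-list, the sample telemetry, and the IP addresses (documentation ranges standing in for relay addresses) are all constructed assumptions.

```python
"""Host-side heuristic for TURN-relay C2 abuse (added example, constructed data)."""
import struct
from dataclasses import dataclass

STUN_MAGIC_COOKIE = 0x2112A442   # RFC 5389: fixed value in every STUN header
STUN_CLASS_REQUEST = 0           # RFC 5389 message class "request"
TURN_ALLOCATE = 0x003            # RFC 5766 Allocate method number

# Assumption: processes expected to open TURN allocations on a managed endpoint.
EXPECTED_TURN_CLIENTS = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}
# Assumption: tools with no legitimate reason for outbound network traffic;
# DbgView64.exe is the injection host named in the article.
NO_NETWORK_TOOLS = {"dbgview64.exe", "dbgview.exe"}


@dataclass
class NetEvent:
    process: str      # image name of the sending process
    pid: int
    dst_ip: str
    dst_port: int
    payload: bytes    # first bytes of the datagram, as an EDR sensor might capture


def stun_method_and_class(payload: bytes):
    """Decode the 20-byte STUN header; return (method, class) or None if not STUN."""
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits of the type must be zero, the cookie must match, and the
    # attribute length is always a multiple of 4.
    if cookie != STUN_MAGIC_COOKIE or msg_type & 0xC000 or msg_len % 4:
        return None
    # RFC 5389 section 6: the 12 method bits and 2 class bits are interleaved
    # in the 14-bit type field (C1 at bit 8, C0 at bit 4).
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    return method, cls


def build_stun(method: int, cls: int, txid: bytes = b"\x00" * 12) -> bytes:
    """Build a header-only STUN message (used here only to construct test input)."""
    msg_type = ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
                | ((cls & 0x1) << 4) | ((cls & 0x2) << 7))
    return struct.pack("!HHI", msg_type, 0, STUN_MAGIC_COOKIE) + txid


def classify(ev: NetEvent) -> list:
    """Return the detection reasons that fire for one event (empty list if clean)."""
    reasons = []
    proc = ev.process.lower()
    if proc in NO_NETWORK_TOOLS:
        reasons.append("outbound_network_from_debug_tool")
    decoded = stun_method_and_class(ev.payload)
    if decoded == (TURN_ALLOCATE, STUN_CLASS_REQUEST) and proc not in EXPECTED_TURN_CLIENTS:
        reasons.append("turn_allocate_from_unexpected_process")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that triggers at least one reason."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}


# Constructed sample telemetry; 203.0.113.0/24 stands in for a relay address.
SAMPLE_EVENTS = [
    NetEvent("ms-teams.exe", 4120, "203.0.113.10", 3478, build_stun(TURN_ALLOCATE, 0)),
    NetEvent("DbgView64.exe", 9912, "203.0.113.10", 3478, build_stun(TURN_ALLOCATE, 0)),
    NetEvent("chrome.exe", 3001, "203.0.113.10", 3478, build_stun(0x001, 0)),  # STUN Binding
    NetEvent("svchost.exe", 1204, "203.0.113.10", 3478, build_stun(TURN_ALLOCATE, 0)),
    NetEvent("DbgView64.exe", 9912, "198.51.100.7", 443, b"\x16\x03\x01\x00\x5a"),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT pid={ev.pid} {ev.process} -> {ev.dst_ip}:{ev.dst_port}: "
              + ", ".join(reasons))
```

The point of keying on the process rather than the destination is that the relay is genuine Microsoft infrastructure, so IP reputation and domain allow-lists will not fire; what is anomalous is which binary is speaking TURN. A real sensor would read the process name and first datagram bytes from an EDR network event rather than from the constructed list, and the allow-list must be tuned per environment, since browsers and other WebRTC clients legitimately send Allocate requests.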
The deployment of Backdoor.Turn also underscores the evolution of these groups from conventional ransomware-as-a-service (RaaS) models toward highly organized and formalized cartel structures. The operational timeline reveals continuous capability development, with the adoption of advanced tradecraft such as relay-based C2 and BYOVD becoming a hallmark of their post-2025 activity.
In conclusion, the discovery of Backdoor.Turn highlights the sophistication and stealth of modern ransomware operators. By routing C2 through Microsoft Teams' relay infrastructure, these actors show a clear understanding of how defenders triage network traffic: the relay endpoints are Microsoft-owned, so destination reputation alone will not flag them. Detection therefore has to key on which process is speaking TURN, on injection into DbgView64.exe, and on the loading of the named vulnerable drivers, and defenders should keep their threat intelligence current so those indicators are in place before the ransomware stage.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-the-Shadows-How-Hackers-Leverage-Microsoft-Teams-to-Hide-Backdoors-and-Evasion-Techniques-ehn.shtml
https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html
Published: Thu Jun 18 09:48:16 2026 by llama3.2 3B Q4_K_M