The DragonForce ransomware group deployed Backdoor.Turn, the first documented in-the-wild malware to abuse Microsoft Teams' legitimate TURN relay infrastructure for command-and-control tunneling, rendering malicious traffic indistinguishable from normal Teams connections.

On June 16, 2026, Symantec published its analysis of Backdoor.Turn, the first documented in-the-wild malware that abuses Microsoft Teams' TURN infrastructure to mask command-and-control traffic. The attack, observed in December 2025 against a major U.S. services firm, demonstrates that operational replication of techniques proven in academic research — in this case, Praetorian's 2025 Ghost Calls proof-of-concept — can occur in under a year, with the vendor still in a reactive posture.

Key Takeaways
  • DragonForce deployed Backdoor.Turn, a Go-based RAT that exploits legitimate Microsoft Teams TURN relays for C2 tunneling
  • The malware obtains anonymous visitor tokens from Microsoft's Skype-backed identity services, establishing QUIC sessions to attacker-controlled servers
  • The attack was observed in December 2025 against a major U.S. services firm; DragonForce has operated since 2023 with a cartel structure
  • Attackers employed multi-driver BYOVD tactics for evasion, using Huawei, Topaz, Tower of Fantasy, K7 Security, and the custom ABYSSWORKER driver

The TURN Mechanism: Why Defenders Saw Nothing

The TURN protocol (Traversal Using Relays around NAT, RFC 5766) is a standard component of Microsoft Teams' real-time communication infrastructure. Backdoor.Turn manipulates this flow in four steps documented by Symantec:
  1. It obtains an anonymous visitor token via Microsoft's Skype-backed identity services.
  2. It creates an allocation on a legitimate platform TURN relay.
  3. It encapsulates a QUIC session to the attacker's C2 server through that relay.
  4. The resulting traffic leaves the endpoint as an outbound connection to Microsoft servers, indistinguishable from a legitimate Teams user behind NAT.

The malware's configuration means security products see only C2 traffic directed at legitimate Teams servers, leaving defenders unaware that data is being siphoned away. This is the core of its effectiveness: it is not a vulnerability in Teams, but abuse of trusted infrastructure that bypasses the trust assumptions of network-based defenses.
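A behavioural check of the kind this section argues for, as an added example rather than anything from Symantec's reporting or a vendor product: it takes flows that the network allow-list has already labelled as Teams relay traffic and scores them by which process opened the socket, how long the session lasted and how much data left the host. Process names, ports, the "teams-relay" tag and all thresholds are assumptions, and the telemetry is constructed.

```python
from dataclasses import dataclass

# Every name and threshold below is an assumption for illustration; tune them per environment.
EXPECTED_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}   # assumed Teams client binaries
TURN_PORTS = {3478, 3479, 3480, 3481}                      # STUN/TURN ports used for Teams media
MAX_CALL_SECONDS = 4 * 3600      # a relay session longer than this is unusual for a call
UPLOAD_RATIO_THRESHOLD = 5.0     # bytes_out / bytes_in above this hints at data leaving
MIN_UPLOAD_BYTES = 20_000_000    # ignore the ratio on small flows

@dataclass
class Flow:
    process: str     # image name of the process that opened the socket (EDR telemetry)
    dst_tag: str     # label from the network allow-list, "teams-relay" for Microsoft TURN relays
    dst_port: int
    bytes_out: int
    bytes_in: int
    duration_s: int

def turn_abuse_reasons(f: Flow) -> list[str]:
    """Behavioural reasons a Teams-relay flow looks like C2 tunneling (empty list if none)."""
    if f.dst_tag != "teams-relay" or f.dst_port not in TURN_PORTS:
        return []                                  # not a TURN relay flow; out of scope
    reasons = []
    if f.process.lower() not in EXPECTED_TEAMS_PROCESSES:
        reasons.append("non-teams-process")        # relay used by something other than the client
    if f.duration_s > MAX_CALL_SECONDS:
        reasons.append("long-lived-session")       # persistent tunnel rather than a call
    if f.bytes_out >= MIN_UPLOAD_BYTES and f.bytes_out / max(f.bytes_in, 1) > UPLOAD_RATIO_THRESHOLD:
        reasons.append("upload-heavy")             # data leaving, little coming back
    return reasons

def detect(flows: list[Flow]) -> dict[int, list[str]]:
    """Map flow index -> reasons for every flow that raised at least one reason."""
    return {i: r for i, f in enumerate(flows) if (r := turn_abuse_reasons(f))}

# Constructed sample telemetry, not real captures.
SAMPLE_FLOWS = [
    Flow("ms-teams.exe", "teams-relay", 3478, 2_400_000, 2_100_000, 1800),         # ordinary call
    Flow("updater.exe",  "teams-relay", 3478, 180_000_000, 3_000_000, 26 * 3600),  # relay used as a tunnel
    Flow("ms-teams.exe", "teams-relay", 3479, 60_000_000, 1_000_000, 900),         # screen share: one signal only
    Flow("updater.exe",  "cdn-allowed", 443, 500_000, 9_000_000, 60),              # not a relay flow
]

if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_FLOWS).items():
        print(idx, SAMPLE_FLOWS[idx].process, reasons)
```

A single reason (as for the screen-share flow) is a weak signal on its own; the combination of a non-Teams process, a day-long session and a lopsided upload volume is what separates the tunnel from normal use.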

From Ghost Calls to Operational Weapon: The Speed of Criminal Replication

Symantec explicitly notes that Backdoor.Turn is the first documented in-the-wild malware with this technique, although Praetorian's Ghost Calls proof-of-concept demonstrated it in 2025. The interval between legitimate offensive research and adoption in nation-state or crimeware malware has compressed to months, with operational adoption arriving before any vendor response. Symantec researchers describe the attack as characterized by "exceptionally sophisticated cyber tradecraft."

The Go-based malware includes capabilities for command execution, process creation, network scanning, TLS certificate capture, LDAP/AD enumeration, site title harvesting, and browser credential theft. Initial access likely occurred via exploitation of an unknown flaw in SQL/MSSQL servers, followed by rogue user creation, abuse of the LimitBlankPassword policy, and firewall rule modification.

"The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors" — Symantec/Carbon Black researchers, via Infosecurity Magazine

BYOVD as Evasion Art: Five Drivers to Kill Endpoint Security

Attackers employed Bring Your Own Vulnerable Driver (BYOVD) tactics with multiple drivers to terminate security tools: Huawei HWAuidoOs2Ec.sys, Topaz wsftprm.sys (CVE-2023-52271, CVSS 6.5 MEDIUM), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155, CVSS 5.5 MEDIUM), K7 Security K7RKScan.sys (CVE-2025-1055, CVSS 5.6 MEDIUM). Added to these is the custom malicious driver ABYSSWORKER, disguised as a Palo Alto driver. Per NVD, the three CVEs with official scores confirm the medium severity of the exploited vulnerabilities, sufficient for local escalation and termination of protected processes.

The dossier does not specify whether an official CVE exists for the Huawei driver used; Huntress detailed its abuse in March 2026, but the identifier is not cited in the sources examined.
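An added example, not part of the reporting summarised here: a small correlation over constructed endpoint events that flags a load of one of the driver files named above and escalates the alert when a protected security process exits on the same host shortly afterwards. The protected-process names and the time window are assumptions; in production the match would be on file hash rather than file name, but the sources give only names.

```python
from dataclasses import dataclass

# Driver file names as given in the reporting above (lower-cased for matching).
KNOWN_ABUSED_DRIVERS = {"hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys"}
# Assumed image names of the security tooling to protect; replace with the agents in your estate.
PROTECTED_PROCESSES = {"edr-agent.exe", "av-service.exe"}
KILL_WINDOW_S = 120   # assumed: a protected-process exit this soon after the load is treated as a kill

@dataclass
class Event:
    ts: int         # epoch seconds
    host: str
    kind: str       # "driver_load" or "process_exit"
    image: str      # driver file name or process image name

def correlate(events: list[Event]) -> list[dict]:
    """One alert per abused-driver load; severity rises if a protected process exits inside the window."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, e in enumerate(ordered):
        if e.kind != "driver_load" or e.image.lower() not in KNOWN_ABUSED_DRIVERS:
            continue
        alert = {"host": e.host, "driver": e.image, "ts": e.ts, "severity": "medium", "killed": []}
        for later in ordered[i + 1:]:
            if later.ts - e.ts > KILL_WINDOW_S:
                break                                   # events are sorted, so nothing later qualifies
            if (later.host == e.host and later.kind == "process_exit"
                    and later.image.lower() in PROTECTED_PROCESSES):
                alert["killed"].append(later.image)
        if alert["killed"]:
            alert["severity"] = "critical"              # BYOVD load followed by security tool termination
        alerts.append(alert)
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event(1000, "ws-01", "driver_load", "wsftprm.sys"),
    Event(1030, "ws-01", "process_exit", "edr-agent.exe"),
    Event(1045, "ws-01", "process_exit", "av-service.exe"),
    Event(1100, "ws-02", "driver_load", "K7RKScan.sys"),     # the driver alone: medium, review the install
    Event(1400, "ws-02", "process_exit", "edr-agent.exe"),   # outside the window, not attributed to the load
    Event(1200, "ws-03", "driver_load", "netvsc.sys"),       # benign driver, no alert
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```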

Why This Matters

The brief does not document specific countermeasures released by Microsoft to mitigate TURN abuse, nor endpoint remediation measures advised by the source. The source does not specify the full nature of exfiltrated data, the ransom amount demanded or paid, nor the total scale of the DragonForce campaign with Backdoor.Turn — whether the single known victim or a broader pattern.

What emerges clearly is the operational discontinuity: organizations that rely on Microsoft Teams traffic allow-listing for network security must reassess their trust assumptions. Legitimate TURN relays have become an advanced persistence vector. The source does not indicate whether Microsoft has modified visitor token issuance mechanisms or relay session inspection in response to the campaign.

The case inverts traditional perimeter defense logic: trusted cloud infrastructure is no longer just a target, but a vehicle. Without TLS inspection and behavioral analytics beyond simple Microsoft endpoint allow-listing, malicious traffic remains literally invisible in plain sight.

Who Is DragonForce and Why This Campaign Counts

DragonForce has operated since 2023 with a cartel structure and documented links to the threat group Scattered Spider. The December 2025 attack against the major U.S. services firm represents a tradecraft leap for the group: from conventional ransomware to using cloud infrastructure as a persistence proxy. The shift is not marginal — it signals that criminal groups are replicating nation-state-level sophistication without the time lag that characterized technical diffusion chains in previous years.

The source does not identify the victim by name, nor the specific SQL/MSSQL vulnerability used for initial access. The dossier does not clarify whether DragonForce developed Backdoor.Turn internally or acquired it from access brokers.

Information is based on the cited advisory and current as of publication.

Sources and references
  1. bleepingcomputer.com
  2. nvd.nist.gov
  3. docs.vulncheck.com
  4. infosecurity-magazine.com
  5. theregister.com