DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

DragonForce ransomware attackers are using a custom Go-based RAT called Backdoor.Turn to mask command-and-control traffic. The malware abuses Microsoft Teams TURN relay servers to bypass security defenses. This technique allowed attackers to maintain undetected access to a major U.S. services firm for two months.

What changed

New details identify the malware as Backdoor.Turn and reveal the use of a Huawei driver vulnerability.

Live updates

  1. DragonForce Uses Backdoor.Turn to Hide C2 Traffic via Microsoft Teams Relays

    What's confirmed:

    • DragonForce attackers use a custom Go-based remote access trojan named Backdoor.Turn.
    • Backdoor.Turn is the first known malware to abuse Microsoft Teams TURN relay servers to mask command-and-control traffic.
    • The campaign targeted a major U.S. services firm.
    • The attackers used a previously unknown vulnerability in a Huawei driver.
    • Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services to set up the connection.
    • The operation maintained undetected access for up to two months within a U.S. services firm.
    • The attack involved DLL sideloading and Bring Your Own Vulnerable Driver attacks.
    confidence 90%
  2. DragonForce Hackers Use Microsoft Teams Relays to Conceal C2 Traffic

    DragonForce ransomware attackers are leveraging Microsoft Teams relay systems to hide command-and-control traffic. This method allows them to weaponize the platform to stay hidden during attacks. One instance involved an attack against a major company.

    What's confirmed:

    • DragonForce attackers use Microsoft Teams relays to hide command-and-control traffic.
    • The group leverages Microsoft Teams to deploy DragonForce ransomware.
    • DragonForce used Microsoft Teams to hide an attack against a major company.
    confidence 100%