DragonForce Hid Malware C2 in Microsoft Teams TURN Relays
Symantec reported that the DragonForce ransomware operation used a custom Go-based backdoor, Backdoor.TURN, to hide command-and-control traffic inside Microsoft Teams TURN relay infrastructure during an intrusion at a major U.S. services company. Researchers said the attackers likely gained initial access in December 2025 by exploiting an unknown SQL or MSSQL server flaw or through an initial access broker, then used DLL sideloading, reconnaissance, credential theft, lateral movement, rogue account creation, and firewall changes while remaining undetected for as long as two months. The malware reportedly obtained an anonymous visitor token through Microsoft’s Skype-linked identity services, authenticated to Teams infrastructure, relayed traffic through TURN servers, and then established a QUIC session to the real C2 server.
The intrusion escalated through extensive defense evasion and privilege abuse, including Bring Your Own Vulnerable Driver techniques and use of multiple vulnerable or malicious drivers such as Huawei’s HWAuidoOs2Ec.sys and the custom Abyss Worker driver, alongside drivers tied to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055. Symantec said the operators used kernel-level access to disable security tools, stole data, and ultimately deployed DragonForce ransomware to encrypt the victim’s systems. Researchers described the campaign as the first known real-world abuse of Microsoft Teams TURN relays for covert C2 and published indicators of compromise to help defenders detect similar attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Symantec links DragonForce activity to Hackledorb
In reporting on the intrusion, Symantec assessed that the increasingly sophisticated tradecraft was tied to Hackledorb, identifying it as the actor behind DragonForce. This attribution accompanied technical details on Backdoor.Turn and Microsoft Teams TURN relay abuse.
Symantec publishes findings and indicators of compromise
Symantec disclosed the campaign and published indicators of compromise to help defenders detect and block similar attacks. The report detailed the use of Backdoor.Turn, Teams TURN relay abuse, and BYOVD techniques in the DragonForce intrusion.
DragonForce operators deploy ransomware after theft and evasion
After reconnaissance, credential theft, lateral movement, and data theft, the attackers used vulnerable and malicious drivers to disable security tools and then deployed DragonForce ransomware to encrypt the victim's systems. The intrusion reportedly remained undetected for up to two months.
Attackers abuse Microsoft Teams TURN relays for covert C2
During the intrusion, the operators deployed the custom Go-based malware Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams TURN relay infrastructure. Symantec described this as the first known in-the-wild abuse of Microsoft Teams TURN relays for malware C2.
DragonForce intrusion begins at major U.S. services company
Symantec reported that a DragonForce ransomware intrusion against a major U.S. services company began in December 2025, likely through exploitation of an unknown SQL or MSSQL server vulnerability or via an initial access broker. The attackers then established persistence and began operating inside the environment.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
11 references tracked. Mallory keeps watching after this page renders.
Вымогатели используют серверы Microsoft Teams для сокрытия трафика - Хакер
xakep.ru
Open sourceDragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
thehackernews.com
Open sourceDragonForce Ransomware Abused Microsoft Teams to Hide Malware Activity
hackread.com
Open sourceAttackers drop DragonForce ransomware leveraging MS Teams relay systems | news | SC Media
scworld.com
Open sourceHackers Weaponize Microsoft Teams Relay to hide Malware Traffic
cybersecuritynews.com
Open sourceCybercriminals mask malicious communications through Microsoft Teams relays - Help Net Security
helpnetsecurity.com
Open sourceRansomware gang abuses Microsoft Teams relays to hide malicious traffic
bleepingcomputer.com
Open sourceCrooks found a new way to collaborate using Teams - by hiding command-and-control traffic
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
DragonForce Ransomware Operations and High-Profile Breaches
DragonForce, a ransomware group that has evolved into a self-described "ransomware cartel," has intensified its global operations, targeting organizations with advanced tactics and forming alliances with other cybercriminal collectives. Security researchers have detailed how DragonForce leverages vulnerable drivers such as `truesight.sys` and `rentdrv2.sys` to disable security software and has improved its encryption methods to address previously exploited vulnerabilities. The group, which began by using the LockBit 3.0 builder and later adopted a modified Conti v3 source code, now operates a ransomware-as-a-service (RaaS) model, offering affiliates a significant share of profits and customizable tools to attract new participants. Notably, DragonForce has collaborated with groups like Scattered Spider and has been linked to the compromise of major organizations, including a high-profile breach of Marks & Spencer. Recently, DragonForce claimed responsibility for a significant breach at Mobilelink USA, a major dealer for Cricket Wireless, exfiltrating 5.04 TB of data and threatening to leak sensitive information, including personally identifiable and financial data of millions of customers across 21 states. The group has also reportedly allied with other ransomware gangs such as Qilin and LockBit, and has taken over operations or leak sites from other ransomware groups like RansomHub, BlackLock, and Mamona. In 2025 alone, DragonForce has impacted at least 185 organizations, with most attacks occurring in the last six months, underscoring the growing threat posed by this increasingly organized and aggressive ransomware operation.
Mar 21, 2026
DragonForce affiliates intensify UK ransomware campaign using edge-device exploits
DragonForce affiliates sustained a broad ransomware and extortion campaign against UK organizations in May 2026, publicly naming seven UK victims on the group’s Tor leak site and posting 22 victims globally in a single day, including four UK firms. Reported victims spanned professional services, finance, logistics, construction, technology, and luxury retail, underscoring the group’s opportunistic targeting rather than a focus on one vertical. Helix International drew particular concern because of its role as a managed service provider with medium, large, and Fortune 500 clients, raising the risk of downstream compromise across customer environments. Public reporting and curated intrusion data tie DragonForce activity to exploitation of exposed remote access and internet-facing systems, including Ivanti Connect Secure, FortiOS, FortiProxy, SonicOS SSL-VPN, Apache Log4j, Microsoft SmartScreen, and SimpleHelp RMM vulnerabilities. Tooling observed in DragonForce-linked intrusions includes utilities for discovery, remote management, credential theft, defense evasion, LOLBAS abuse, and exfiltration, while affiliates have also been linked to **BYOVD** techniques to disable or bypass EDR and antivirus protections. Prior reporting further connected DragonForce affiliates attributed to **Scattered Spider** to attacks on major UK retailers including **M&S, Co-op, and Harrods**.
Jun 18, 2026
DragonForce Ransomware Expands RaaS Operations With Dual-Extortion and a “Cartel” Affiliate Model
**DragonForce**, a ransomware-as-a-service (RaaS) operation that emerged in 2023, has been linked to a growing set of intrusions targeting “critical business” environments across multiple industries, with a focus on **manufacturing, business services, technology, and construction**. Reporting attributes the group with **dual-extortion** tactics—stealing data prior to encryption and then threatening publication on a **data leak site (DLS)** to increase pressure on victims. Researchers also describe DragonForce as operationally adaptable, including changes in how it hosts and organizes leaked victim data. LevelBlue analysis cited in reporting indicates DragonForce has evolved its business approach beyond a typical affiliate program into a **“cartel” model**, allowing member groups to operate under their own brands while leveraging shared DragonForce infrastructure and services. Described offerings to affiliates include large-scale storage, continuous server monitoring, support services around file analysis/decryption, and assistance with test attacks; LevelBlue also highlighted an “**Company Data Audit**” service intended to help affiliates value stolen data and shape negotiation pressure (including prepared communications such as scripts and executive-facing letters). The group’s tooling is described as **multi-platform**, with the ability to target **Windows, Linux, ESXi, BSD, and NAS** systems and to use different encryption modes (e.g., full, header, partial), increasing potential impact across enterprise and virtualized environments.
Mar 21, 2026