DragonForce Ransomware Group Abuses Microsoft Teams TURN Servers for Covert Command and Control

Executive Summary

The DragonForce ransomware group has demonstrated a significant evolution in its technical capabilities by using Microsoft Teams infrastructure for covert command-and-control (C2) communications. In a recent incident targeting a U.S. services firm, the group deployed a custom Go-based backdoor known as Backdoor.Turn. This malware cleverly abuses the Traversal Using Relays around NAT (TURN) protocol and legitimate Microsoft relay servers to establish a C2 channel. By wrapping its traffic to look like standard Teams activity, the threat actor was able to persist on the network for one to two months before detection. This technique represents a sophisticated method of defense evasion that challenges conventional network security monitoring and requires advanced behavioral analysis to uncover.

Threat Overview

DragonForce, a threat actor active since at least June 2023, has escalated its operations from a standard ransomware-as-a-service (RaaS) model to a more organized and technically proficient group. The attack began with an initial intrusion into a U.S. services firm in December 2025, likely through an unpatched SQL server. After gaining a foothold, the attackers used a multi-stage process involving DLL sideloading and exploitation of a Huawei driver vulnerability to escalate privileges.

The most notable aspect of the attack is the deployment of Backdoor.Turn. This malware is specifically designed to abuse Microsoft Teams' TURN relay servers. The malware first obtains an anonymous visitor token from Microsoft's Skype services, then uses a legitimate TURN server to broker a connection. This initial communication appears as normal Teams traffic. Once the connection is relayed, the backdoor establishes a direct, encrypted QUIC session with the true C2 server, effectively bypassing perimeter security controls that might otherwise block connections to suspicious IPs.

Technical Analysis

The attack chain demonstrates a high level of operational security and technical skill:

1. Initial Access: Believed to be via an unknown vulnerability in an SQL or MSSQL server. The possibility of access being purchased from an initial access broker has not been ruled out.
2. Defense Evasion & Privilege Escalation: The attackers used T1574.002 - DLL Side-Loading, loading their malicious code using a legitimate executable (DbgView64.exe). They then exploited a then-undocumented vulnerability in a Huawei driver to escalate privileges to SYSTEM.
3. Command and Control: This is the most innovative part of the attack, leveraging T1071.001 - Web Protocols and T1090.002 - External Proxy.
   • Backdoor.Turn authenticates to Microsoft's identity services to get a temporary token.
   • It uses this token to connect to a legitimate Microsoft Teams TURN server.
   • The TURN server relays the connection setup to the attacker's C2 server.
   • A direct peer-to-peer QUIC session is then established between the implant and the C2 server, with the TURN server dropping out of the communication path. From a firewall or proxy perspective, the initial connection is to a trusted Microsoft IP, making it difficult to block.
4. Actions on Objectives: The Backdoor.Turn malware provides standard RAT capabilities, including remote command execution (T1059.003 - Windows Command Shell), network scanning (T1046 - Network Service Discovery), and credential theft (T1003 - OS Credential Dumping).

Impact Assessment

The primary impact of this technique is prolonged and stealthy network persistence. By masquerading C2 traffic as legitimate Microsoft Teams activity, DragonForce can evade detection for extended periods, allowing them ample time to conduct reconnaissance, move laterally, and exfiltrate large volumes of data before deploying ransomware. This significantly increases the dwell time and the potential damage from an intrusion. For the victimized U.S. services firm, this meant the attackers were active on their network for up to two months, likely resulting in a comprehensive compromise of their environment before the final ransomware payload was executed.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect this type of activity:

Detection & Response

Detecting this attack requires moving beyond simple IP/domain blocklists.

1. Network Traffic Analysis: Employ D3FEND's Network Traffic Analysis (NTA). Baseline normal Microsoft Teams traffic patterns within your environment. Look for outliers, such as servers initiating TURN sessions or endpoints with unusual data transfer volumes within QUIC sessions that follow a TURN handshake.
2. TLS/SSL Inspection: Where possible, decrypt and inspect traffic to identify anomalies in protocol usage. While the QUIC session is encrypted, the initial setup might reveal clues.
3. Endpoint Behavioral Analysis: Use an EDR solution to detect the initial stages of the attack. Monitor for legitimate processes like DbgView64.exe loading unusual DLLs or making network connections. Look for processes that exploit driver vulnerabilities for privilege escalation.
4. Log Aggregation: Correlate endpoint process logs with network flow data. An EDR alert for DLL sideloading followed by anomalous TURN/QUIC network activity from the same host is a strong indicator of a Backdoor.Turn compromise.

Mitigation

1. Egress Traffic Filtering: Implement strict egress filtering rules. While blocking all Microsoft IPs is not feasible, restrict outbound TURN (UDP/3478) and QUIC (UDP/443) traffic from servers and systems that have no business need for real-time communication applications like Teams. This is a key D3FEND Outbound Traffic Filtering strategy.
2. Patch Management: Ensure all public-facing applications, especially SQL/MSSQL servers, are fully patched to prevent initial access. This aligns with M1051 - Update Software.
3. Application Control: Use application control solutions to prevent the execution of unauthorized or suspicious tools like DbgView64.exe from non-standard locations. This maps to M1038 - Execution Prevention.
4. Driver Blacklisting: Maintain a blacklist of known vulnerable drivers to prevent their loading, which would block the privilege escalation vector used in this attack.