DragonForce Ransomware Deploys 'Backdoor.Turn', a Go-Based Backdoor that Hides C&C Traffic Using Microsoft Teams TURN Relay Servers

Executive Summary

The DragonForce ransomware group has developed and deployed a highly sophisticated backdoor, dubbed Backdoor.Turn, that leverages Microsoft Teams infrastructure for command-and-control (C&C) communications. In what appears to be a first-of-its-kind technique, the malware uses Microsoft's legitimate Traversal Using Relays around NAT (TURN) servers—essential for Teams calls—to relay its C&C traffic. This method effectively camouflages the malicious communication as legitimate Teams activity, making it extremely difficult to detect using traditional network monitoring. The discovery, made by researchers from Symantec and Carbon Black, marks a significant evolution in ransomware groups' technical capabilities, moving from off-the-shelf tools to custom-built, highly evasive malware.

Threat Overview

The Backdoor.Turn malware was identified during an investigation into a ransomware attack against a U.S. services firm. The primary function of the backdoor is to provide the attackers with persistent, stealthy access to a compromised network.

The C&C mechanism is its most innovative feature:

1. Token Acquisition: The malware first communicates with Microsoft's Skype-backed identity services to obtain an anonymous visitor token.
2. TURN Relay: It then uses this token to authenticate to a legitimate Microsoft TURN relay server.
3. QUIC Tunnel: Finally, it establishes a QUIC session through the TURN server to the actual attacker-controlled C&C server.

Because the initial connection is to a trusted Microsoft IP address and uses the same protocols as a Teams call, it is likely to bypass firewalls and network security tools. This technique demonstrates a deep understanding of cloud service infrastructure and how to abuse it for malicious purposes.

Technical Analysis

The attack chain observed by researchers was comprehensive, indicating a patient and skilled adversary:

• Initial Access: The attackers likely gained entry in December 2025 by exploiting a vulnerability in an SQL or MSSQL server, or by purchasing access from an initial access broker.
• Persistence and Lateral Movement: The group used various techniques, including DLL sideloading and a bring-your-own-vulnerable-driver (BYOVD) attack to gain kernel-level access. This allowed them to terminate security processes and move freely within the network.
• Payload Deployment: After mapping the network and exfiltrating data, the attackers deployed the DragonForce ransomware to encrypt files.
• Post-Exploitation Persistence: The Backdoor.Turn malware was deployed to maintain long-term access to the victim's environment, even after the initial ransomware event. The backdoor is a fully-featured remote access trojan (RAT), capable of executing commands, scanning the network, mapping Active Directory, and exfiltrating credentials from browsers.

The use of a custom, Go-based backdoor is notable. Go is increasingly popular with malware authors because it is cross-platform and compiles into a single static binary, making it harder to analyze and reverse-engineer.

Impact Assessment

This new technique has several serious implications for defenders:

• Detection Evasion: By masquerading as legitimate Teams traffic, the C&C communication can evade detection by network intrusion detection systems (NIDS) and other tools that rely on IP/domain reputation and traffic analysis.
• Increased Sophistication: It signals that ransomware groups like DragonForce are investing heavily in research and development, creating custom tools that are more effective than generic malware.
• Attribution Difficulty: Abusing legitimate services (a technique known as "living off the land") makes it harder to attribute attacks and identify attacker infrastructure, as the initial traffic points to Microsoft servers.

IOCs — Directly from Articles

No specific IP addresses, domains, or file hashes for Backdoor.Turn were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect this activity:

Detection & Response

• Egress Traffic Analysis: While the traffic is directed at Microsoft, it may still be anomalous. Analyze the source of TURN/QUIC traffic within your network. A server in a data center should not be initiating Teams calls. This requires deep packet inspection or an EDR with network visibility.
• Process Anomaly Detection: Deploy EDR solutions to detect the execution of unknown or unsigned Go binaries, especially on servers. Correlate process execution with network activity to identify suspicious connections.
• Behavioral Rules: Create detection rules for the techniques used alongside the backdoor, such as the abuse of vulnerable drivers or the commands used for disabling security tools.

Mitigation

• Egress Filtering: While blocking Microsoft IPs is not feasible, organizations can apply stricter egress filtering policies for servers. If a server has no business reason to connect to the internet, block all outbound traffic by default.
• Application Control: Use application control solutions to prevent the execution of unauthorized binaries, including custom Go malware like Backdoor.Turn.
• Kernel Protection: Implement security features like Hypervisor-Protected Code Integrity (HVCI) and driver blocklists to prevent BYOVD attacks.
• Vulnerability Management (M1051): The initial access vector was likely an unpatched server. A robust vulnerability management program is essential to prevent these types of intrusions.