DragonForce Hackers Use Microsoft Teams Relays to Hide C2 Backdoor

The DragonForce ransomware gang has been spotted using a custom Go-based remote access trojan called Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams relay infrastructure — making it nearly invisible to network defenders.

According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm whose name hasn’t been disclosed. The attackers were on the victim network for between one and two months.

Here’s how it works: Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to establish the connection, and then runs a QUIC session through that relay to the real C2 server. To network defenders, the traffic looks like ordinary outbound connections to Microsoft Teams servers.

This is the first publicly documented case of threat actors abusing Microsoft’s TURN relay infrastructure for C2 communication.

The initial access vector isn’t fully confirmed, but researchers suspect it involved exploiting a vulnerability in an SQL or MS-SQL server — or possibly access purchased from an initial access broker. The first malicious activity started in December 2025 with a PowerShell command that dropped a ZIP archive disguised as a tech support hotfix.

That ZIP launched a DLL sideloading attack using a rogue driver named HWAuidoOs2Ec.sys (a Huawei driver) to conduct reconnaissance, set up persistence, and disable security software — a bring your own vulnerable driver (BYOVD) technique. The group has also used other vulnerable drivers including wsftprm.sys (CVE-2023-52271), GameDriverX64.sys (CVE-2025-61155), and K7RKScan.sys (CVE-2025-1055).

What makes this especially concerning is that Backdoor.Turn gets injected into the legitimate DbgView64.exe process after DragonForce ransomware deployment, suggesting the gang wants to maintain backdoor access even after the ransomware phase. The backdoor supports command execution, process creation, network scanning, LDAP and Active Directory searches, credential-based lateral movement, and browser credential theft.
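Two of the behaviours described above (TURN traffic from a process that is not a Teams client, such as the injected DbgView64.exe, and loads of the vulnerable drivers named earlier) can be hunted for in endpoint telemetry. The script below is an added example, not Symantec's or Carbon Black's code; the log format, the Teams process allow-list and the sample data are assumptions constructed for illustration.

```python
"""Hunting heuristics for TURN-relay C2 from unexpected processes and BYOVD driver loads.

Assumed input formats (constructed, not from the report): network flows as
space-separated "process proto dst_ip dst_port" lines, and driver loads as
bare driver file names. Sample data uses RFC 5737 test addresses.
"""

TURN_PORTS = range(3478, 3482)                  # TURN (RFC 5766) and Teams media-relay UDP ports
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}  # assumed legitimate Teams clients that use TURN

# Vulnerable drivers named in the article (case-insensitive match)
BYOVD_DRIVERS = {"hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys"}

# Constructed sample telemetry; DbgView64.exe talking TURN is the suspicious pattern
FLOWS = """\
ms-teams.exe udp 203.0.113.10 3478
chrome.exe tcp 203.0.113.20 443
DbgView64.exe udp 203.0.113.10 3478
DbgView64.exe udp 203.0.113.11 3481
powershell.exe tcp 203.0.113.30 443
"""
DRIVER_LOADS = ["tcpip.sys", "HWAuidoOs2Ec.sys", "ndis.sys", "K7RKScan.sys"]


def turn_from_unexpected_process(flows):
    """Return (process, dst_ip, port) for UDP TURN-port flows from non-Teams processes."""
    hits = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        proc, proto, ip, port = line.split()
        port = int(port)
        if proto.lower() == "udp" and port in TURN_PORTS and proc.lower() not in TEAMS_PROCESSES:
            hits.append((proc, ip, port))
    return hits


def known_vulnerable_drivers(loads):
    """Return driver file names that match the BYOVD drivers listed above."""
    return [d for d in loads if d.lower() in BYOVD_DRIVERS]


if __name__ == "__main__":
    for proc, ip, port in turn_from_unexpected_process(FLOWS):
        print(f"TURN flow from unexpected process: {proc} -> {ip}:{port}")
    for drv in known_vulnerable_drivers(DRIVER_LOADS):
        print(f"Known vulnerable driver loaded: {drv}")
```

A hit on the first check is only a lead: the relay endpoints are genuine Microsoft infrastructure, so the process identity, not the destination, is what distinguishes this traffic from a real Teams call.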

Its TURN-based mechanism uses a technique called Ghost Calls that was first documented by Praetorian in August 2024.