DragonForce Hides C2 Inside Microsoft Teams TURN Relays
TL;DR
- DragonForce deployed a Go-based RAT called Backdoor.Turn that routes C2 traffic through legitimate Microsoft Teams TURN relay servers.
- A Huawei BYOVD driver silenced endpoint security while attackers maintained network access for one to two months before deploying ransomware.
- Broadcom-owned Symantec and Carbon Black researchers describe this as the first publicly documented abuse of Microsoft TURN relay infrastructure for malicious C2.
A ransomware affiliate routing its malware's command-and-control traffic through Microsoft Teams relay servers is not disguising malicious traffic as Microsoft traffic — it is sending traffic that genuinely belongs to Microsoft infrastructure. According to The Hacker News, researchers at Broadcom-owned Symantec and Carbon Black published findings on DragonForce affiliates deploying a custom Go-based remote access trojan called Backdoor.Turn against a major U.S. services firm, with attackers on the network for between one and two months before ransomware was deployed.
The mechanism is precise. Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker's real C2 server. From a defender's vantage point, the only visible outbound connections went to legitimate Microsoft Teams servers. There is no rogue IP to flag or unfamiliar hostname to block, because the traffic path genuinely runs through Microsoft.
The attack chain against the U.S. firm reportedly began in December 2025, with initial compromise suspected via an SQL/MS-SQL vulnerability or initial access broker. Attackers deployed a PowerShell command dropping a ZIP archive disguised as a tech support hotfix, then used DLL side-loading to establish persistence. A Huawei driver (HWAuidoOs2Ec.sys) was deployed via the bring-your-own-vulnerable-driver technique to silence endpoint security. After ransomware deployment, Backdoor.Turn was injected into the legitimate DbgView64.exe process, reportedly to retain access for resale or future operations even after the primary campaign concluded.
The honest caveat is that initial access remains 'suspected' rather than confirmed, so defenders should treat the specific entry vector as tentative rather than settled. What the reporting does not address is whether Microsoft has restricted the anonymous visitor token mechanism that makes the relay abuse possible, leaving it unclear whether the technique is still live.
Symantec and Carbon Black describe this as the first publicly documented abuse of Microsoft's TURN relay infrastructure for malicious C2. The direction matters more than this single case: IP allowlists for trusted cloud providers will not catch traffic that belongs to those providers by design. Security teams positioned to detect this are those with QUIC traffic inspection and behavioral anomaly detection on how endpoints use Teams, not those relying on destination reputation alone.
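The behavioural check the last paragraph calls for, as an added example that is not code from the Symantec/Carbon Black report or the original article: rather than trusting the destination (which genuinely is Microsoft), it baselines which processes on a host are expected to open TURN or QUIC flows to Teams relays and flags the rest, plus relay sessions that stay open far longer than a call. The relay domain suffix, the expected process names, the duration threshold and the telemetry rows are all assumptions or constructed samples; substitute the relay hostnames and client processes observed in your own DNS, proxy and EDR logs.

```python
"""Behavioural check for Teams TURN relay use by unexpected processes.

Added example, not code from the Symantec/Carbon Black report or the article.
Relay hostnames, process names, thresholds and telemetry rows are assumed
or constructed for illustration.
"""
from dataclasses import dataclass

# Assumption: the client processes normally expected to reach Teams relays.
EXPECTED_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}

# TURN's registered port is 3478 (3479-3481 are commonly used alongside it);
# 443 carries TURN over TLS/TCP and QUIC over UDP. The relay domain suffix is
# a constructed placeholder, not a real Microsoft hostname.
TURN_PORTS = {3478, 3479, 3480, 3481}
TLS_QUIC_PORT = 443
RELAY_DOMAIN_SUFFIXES = (".relay.teams.example",)

# A Teams call rarely lasts a working day; a relay session open for longer
# deserves a look even from an expected client. Threshold is an assumption.
MAX_SESSION_SECONDS = 8 * 3600


@dataclass(frozen=True)
class NetEvent:
    host: str          # endpoint that made the connection
    process: str       # image name of the connecting process
    dest_host: str     # destination hostname after DNS enrichment
    dest_port: int
    proto: str         # "udp" or "tcp"
    duration_s: int    # how long the flow stayed open


def is_relay_flow(ev: NetEvent) -> bool:
    """True when the flow targets a Teams relay on a TURN or TLS/QUIC port."""
    if not ev.dest_host.lower().endswith(RELAY_DOMAIN_SUFFIXES):
        return False
    return ev.dest_port in TURN_PORTS or ev.dest_port == TLS_QUIC_PORT


def flag_relay_anomalies(events):
    """Return (host, process, reason) for relay flows that break the baseline."""
    findings = []
    for ev in events:
        if not is_relay_flow(ev):
            continue  # destination reputation alone says 'Microsoft'; not enough
        if ev.process.lower() not in EXPECTED_TEAMS_PROCESSES:
            findings.append((ev.host, ev.process,
                             "non-Teams process using Teams relay"))
        elif ev.duration_s > MAX_SESSION_SECONDS:
            findings.append((ev.host, ev.process,
                             "relay session open far longer than a call"))
    return findings


# Constructed telemetry, modelled on the report's description of Backdoor.Turn
# running inside the legitimate DbgView64.exe process.
SAMPLE_EVENTS = [
    NetEvent("ws01", "ms-teams.exe", "eu1.relay.teams.example", 3478, "udp", 1800),
    NetEvent("ws01", "chrome.exe", "cdn.example.net", 443, "tcp", 30),
    NetEvent("srv07", "DbgView64.exe", "eu1.relay.teams.example", 3478, "udp", 120),
    NetEvent("srv07", "DbgView64.exe", "eu1.relay.teams.example", 443, "udp", 260000),
    NetEvent("ws02", "ms-teams.exe", "us2.relay.teams.example", 443, "udp", 3 * 86400),
]


def run_demo():
    """Run the check over the constructed sample and return the findings."""
    return flag_relay_anomalies(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, proc, reason in run_demo():
        print(f"{host}: {proc}: {reason}")
```

On the constructed sample the two DbgView64.exe flows are flagged because a debugging utility has no reason to reach a Teams relay at all, and the multi-day ms-teams.exe session is flagged on duration. The check is intentionally process-centric: once the network path is legitimately Microsoft's, the remaining signal is which binary on the host is speaking and for how long.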
Originally reported by thehackernews.com
Original headline: DragonForce Deploys Backdoor.Turn via Microsoft Teams TURN Relay — First Documented Abuse of TURN Infrastructure for Malicious C2