The intrusion, observed in December 2025, involved a custom Go-based remote access trojan known as Backdoor.Turn. Investigators found that the malware obtained an anonymous Microsoft Teams visitor token and used legitimate Teams relay mechanisms during connection setup, allowing malicious traffic to appear as if it belonged to ordinary enterprise communication. The technique made the activity harder to detect because security teams often treat Microsoft collaboration traffic as trusted and business-critical.
The backdoor abused Traversal Using Relays around NAT, known as TURN, a protocol used by Teams when direct client-to-client connections are not available, such as when users sit behind private networks or restrictive firewalls. By routing part of its communications through familiar infrastructure, the malware blurred the line between normal conferencing traffic and attacker-controlled command channels. The case is being treated as the first known instance of malware using Microsoft Teams TURN relays in the wild for command-and-control activity.
The attack is significant because it shows ransomware affiliates moving beyond common phishing, stolen credentials and remote access tools into techniques that deliberately exploit the trust built around cloud communication platforms. Teams, Zoom, Slack and similar services have become central to corporate operations, and attackers increasingly seek to blend into those flows rather than rely on obviously suspicious infrastructure.
The targeted company has not been publicly named, but the intrusion appears to have begun with exploitation of an unknown weakness in an SQL or MSSQL server. After gaining a foothold, the attackers downloaded a compressed archive containing legitimate executables and a malicious dynamic-link library, using sideloading to run their code under the cover of trusted software. They then strengthened persistence by creating unauthorised users, altering Windows security settings and modifying firewall rules.
The operators also used bring-your-own-vulnerable-driver methods to disable or bypass security tools. This tactic relies on signed but flawed drivers that can be abused to gain kernel-level privileges. In this incident, multiple drivers were used, including Huawei's HWAuidoOs2Ec.sys, a Topaz AntiFraud driver tracked as CVE-2023-52271, Tower of Fantasy's GameDriverx64.sys tracked as CVE-2025-61155 and K7 Security's K7RKScan.sys tracked as CVE-2025-1055. A custom malicious driver named ABYSSWORKER was also deployed while masquerading as a legitimate Palo Alto component.
Backdoor.Turn was injected into DbgView64.exe after ransomware deployment, suggesting that the operators wanted either continuing access or a fallback channel after encryption. Its functions included command execution, process creation, network scanning, TLS certificate capture, LDAP and Active Directory queries, website title collection and browser credential theft. These capabilities gave the attackers tools for reconnaissance, lateral movement and credential harvesting before the final ransomware stage.
After reconnaissance and defence evasion, data was exfiltrated and DragonForce ransomware was deployed to encrypt systems. The sequence follows the double-extortion model now common among ransomware groups, where victims face both operational disruption and the threat of stolen data being released if payment is refused.
DragonForce has grown quickly since it appeared in 2023, shifting from a lesser-known ransomware operation into a ransomware-as-a-service platform with affiliate-driven activity. Its operators have promoted cartel-style branding, allowing other criminal groups to use its infrastructure and tools. The model gives affiliates flexibility while allowing the core group to expand reach without directly conducting every intrusion.
The group gained wider attention in 2025 after attacks linked to UK retailers including Marks & Spencer, Co-op and Harrods. Those incidents highlighted the role of social engineering, service-desk manipulation and identity compromise in modern ransomware operations. Co-op later confirmed data theft affecting millions of members, while disruption at Marks & Spencer exposed the operational cost of attacks that begin with impersonation and end with encryption.
The Teams relay abuse adds another layer to that threat picture. It shows that trusted software is no longer merely a delivery channel for phishing messages or malicious links, but can be used as part of the attacker’s covert communications architecture. For defenders, the lesson is that allow-listed traffic still needs behavioural monitoring, particularly where unusual token use, unexpected relay activity, new local users, driver loading and security-tool termination appear in the same chain.
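As an added defender-side illustration (not code from the article or from the investigating team), the following Python snippet sketches a correlation rule that flags a host when several of the indicators named above occur together within a short window. The event format, field names, the Teams process allowlist and the sample telemetry are all constructed assumptions, not data from the incident.

```python
# Added example: correlate the article's indicator chain per host.
# Event schema, process allowlist and sample telemetry are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of processes expected to open Teams relay connections.
TEAMS_PROCS = {"ms-teams.exe", "teams.exe"}

# Indicator tags the rule counts towards an alert.
INDICATORS = {"user_created", "driver_loaded", "security_tool_stopped", "relay_non_teams"}

# Constructed sample telemetry (EDR-style), not real logs.
EVENTS = [
    {"ts": "2025-12-03T10:00:00", "host": "srv-db01", "kind": "user_created", "proc": "net.exe"},
    {"ts": "2025-12-03T10:04:00", "host": "srv-db01", "kind": "driver_loaded", "proc": "sc.exe"},
    {"ts": "2025-12-03T10:05:30", "host": "srv-db01", "kind": "security_tool_stopped", "proc": "sc.exe"},
    {"ts": "2025-12-03T10:07:00", "host": "srv-db01", "kind": "turn_relay", "proc": "DbgView64.exe"},
    {"ts": "2025-12-03T10:07:10", "host": "ws-finance-7", "kind": "turn_relay", "proc": "ms-teams.exe"},
]


def classify(ev):
    """Map a raw event to an indicator tag, or None if it is benign on its own."""
    if ev["kind"] == "turn_relay":
        # Relay traffic from the real Teams client is expected; from anything else it is not.
        return None if ev["proc"].lower() in TEAMS_PROCS else "relay_non_teams"
    return ev["kind"] if ev["kind"] in INDICATORS else None


def correlate(events, window=timedelta(minutes=30), threshold=3):
    """Return {host: sorted indicator tags} for hosts with >= threshold distinct
    indicators inside any sliding window of the given length."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    alerts = {}
    for host, items in per_host.items():
        for i, (t0, _) in enumerate(items):
            tags = {tag for t, tag in items[i:] if t - t0 <= window}
            if len(tags) >= threshold:
                alerts[host] = sorted(tags)
                break
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS))
```

The single Teams relay connection from the finance workstation produces no alert on its own; the database server is flagged because relay traffic from a non-Teams process coincides with a new local user, a driver load and a stopped security tool.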