
DragonForce Ransomware Hid Inside Microsoft Teams for Two Months: How Backdoor.Turn Tunnelled C2 Through TURN Relays

DragonForce deployed Backdoor.Turn, a Go RAT that tunnels C2 traffic through Microsoft Teams TURN relays via QUIC, hiding from defenders for two months.
Sami Malik
Copywriter

For between one and two months, a DragonForce ransomware affiliate lived inside the network of a major U.S. services company, and the security tools watching the network saw nothing they could act on. The only external connections leaving the compromised environment were to legitimate Microsoft Teams servers. Researchers at Broadcom's Symantec and Carbon Black published their findings on 16 June 2026, describing a custom Go-based remote access trojan called Backdoor.Turn that tunnels its command-and-control traffic through Microsoft's own TURN relay infrastructure, then pivots to a QUIC session pointed at the attacker's real server. By the time the attacker was finished, they had exfiltrated data and deployed the DragonForce ransomware payload. The communication technique at the heart of this attack is, according to Symantec, the first documented case of TURN relay infrastructure being abused in the wild for malicious C2 communication.

What DragonForce is and why it matters

DragonForce emerged publicly in 2023 and has operated under a ransomware-as-a-service model, providing its encryption payload and leak site infrastructure to affiliates who carry out the intrusions. The group attracted significant attention in 2025 following claimed attacks on high-profile UK retail targets including the Co-op and Marks and Spencer. Co-op confirmed data theft after DragonForce claimed responsibility for an attack that disrupted operations across hundreds of stores. The group's willingness to target consumer-facing organisations and its operational breadth make it one of the more active ransomware operations currently tracked by defenders.

What distinguishes the June 2026 incident from typical DragonForce activity is the technical sophistication of the Backdoor.Turn RAT. Most ransomware affiliates use off-the-shelf remote access tools, commodity malware, or lightly modified versions of known frameworks. Backdoor.Turn was purpose-built in Go and implements a C2 evasion technique that, until this publication, had not been observed in the wild in the hands of a criminal actor. The technique had been theorised and documented in security research, but its appearance in an active ransomware attack marks a step-change in the operational capability of the affiliates carrying out DragonForce intrusions.

How Backdoor.Turn works: TURN relays and the QUIC pivot

To understand why Backdoor.Turn is difficult to detect, it helps to understand what a TURN relay actually is. TURN stands for Traversal Using Relays around NAT, and it is a protocol designed to solve a routine networking problem: two parties behind different network address translation systems who cannot reach each other directly. Microsoft Teams uses TURN extensively to set up audio and video calls. When a user on a corporate network initiates a Teams call, the Teams client contacts Microsoft's TURN relay servers to help establish a media path. This is ordinary, expected behaviour, and outbound connections to Microsoft TURN servers are present in virtually every corporate environment that runs Teams.

Backdoor.Turn exploits this infrastructure. The RAT first obtains an anonymous visitor authentication token from Microsoft's Skype-backed identity services, the same system that allows someone to join a Teams meeting as a guest without a full account. It uses that token to contact a legitimate Microsoft TURN relay and set up a relay-assisted connection. To any network monitoring tool inspecting outbound traffic, this looks like normal Teams activity: a connection to a known Microsoft IP address using a protocol Microsoft uses for Teams.

The deception goes one layer deeper. BleepingComputer's reporting on the Symantec findings explains that after the TURN relay assisted in setting up the connection, Backdoor.Turn establishes a direct QUIC session to the attacker's actual C2 server. QUIC is a transport protocol that runs over UDP, encrypts its payload, and is increasingly common in legitimate internet traffic. The outer layer of the connection, the part that initiates via the Microsoft TURN relay, gives the traffic legitimacy. The inner QUIC session carries the actual malicious payload but by that point the traffic appears to come from a Microsoft relay, not from the attacker's infrastructure.

The Ghost Calls technique: from research to criminal tooling

The underlying mechanism Backdoor.Turn implements was first documented by the security firm Praetorian in August 2024 under the name "Ghost Calls." Praetorian's research demonstrated that the Microsoft Teams TURN infrastructure could theoretically be used to relay arbitrary traffic, not just Teams media, if an attacker obtained the right authentication tokens. At the time, the research was a theoretical exercise demonstrating a gap between how TURN relays are designed and how defenders monitor for their abuse.

The appearance of Ghost Calls in Backdoor.Turn closes that gap between theoretical attack surface and criminal exploitation. This is a familiar pattern in offensive security: a technique is identified in academic or commercial security research, documented publicly, and then adopted by criminal actors within twelve to eighteen months. The time from Praetorian's August 2024 publication to the confirmed criminal deployment in the DragonForce intrusion is approximately ten months. Defenders who read and acted on the Praetorian research had a window to adjust their monitoring for TURN relay abuse; those who did not are now dealing with a technique that is in active criminal use.

The attack timeline: from December 2025 to ransomware deployment

Symantec and Carbon Black's analysis of the intrusion reveals a methodical, unhurried attack. The initial access occurred in December 2025, giving the attackers roughly two months of presence before the ransomware payload was deployed. During that dwell time, the attackers carried out a textbook post-compromise playbook: establish persistence, conduct internal reconnaissance, escalate privileges, and prepare the environment for data exfiltration and encryption.

Initial code execution was achieved through DLL sideloading, a technique in which a malicious DLL is placed in a location where a legitimate application will load it preferentially over the genuine library. The sideloaded DLL then fetched additional malware from remote servers, giving the attackers a staging mechanism that uses a signed, trusted process to load unsigned malicious code. This is another well-documented technique that is nonetheless difficult to detect automatically because the parent process is legitimate.

Privilege escalation used a bring-your-own-vulnerable-driver (BYOVD) strategy. The attackers loaded a signed but vulnerable driver onto the compromised system and exploited a known flaw in that driver to gain kernel-level access. With kernel privileges, they could terminate endpoint detection and response processes, disable logging, and operate with minimal risk of automated detection. SecurityWeek's coverage of the incident notes that pairing BYOVD for privilege escalation with TURN relay abuse for C2 communication is unusually sophisticated for a ransomware-affiliated actor.

Backdoor.Turn's capabilities beyond C2 communication

Once deployed, Backdoor.Turn is not limited to receiving commands from the C2 server. Its capability set is broad enough to support the full range of post-compromise activities an attacker might need during a prolonged intrusion. The RAT can execute commands and create new processes on the compromised system. It performs network scanning, allowing the attacker to map internal network topology and identify additional targets. It captures TLS certificates, which can be used to understand what encrypted services are running and potentially to set up for man-in-the-middle attacks on internal TLS-protected communications.

LDAP and Active Directory searching capabilities allow the RAT to enumerate users, groups, computers, and organisational units within the compromised organisation's Active Directory environment, giving the attacker a comprehensive map of the internal identity structure. Browser credential theft extends the attacker's access to the saved credentials stored in browser profiles on compromised machines, which often include credentials for cloud services, SaaS applications, and external websites that the compromised user accesses from their workstation. Finally, the RAT collects website titles from browser sessions, giving the attacker information about what web services the user is accessing, which can inform further targeting.

Notably, Backdoor.Turn was injected into the legitimate DbgView64.exe process, a Microsoft debugging tool, after the ransomware was deployed. This sequencing suggests that Backdoor.Turn may serve a dual purpose: it supports the intrusion during the active phase, and it is intended to maintain access to the compromised environment even after the ransomware payload has executed, potentially to support follow-on extortion, re-entry if the victim recovers without paying, or intelligence gathering for future attacks.

Why the legitimate cloud service camouflage is so effective

Security teams that rely on network-level detection face a structural problem when attackers use legitimate cloud infrastructure as a communication channel. Blocking Microsoft Teams traffic would break normal business operations in almost every modern corporate environment. Monitoring for anomalous behaviour within Teams traffic requires deep packet inspection of TLS-encrypted connections, and even then the QUIC-based inner session adds another layer of encryption that a standard DPI deployment will not unwrap.

The detection path for Backdoor.Turn is therefore primarily at the endpoint rather than the network perimeter. Behavioural anomalies on the endpoint, specifically an unusual process loading and communicating via a network library, or the DbgView64.exe process exhibiting network behaviour that the legitimate debugging tool would not normally produce, are the indicators most likely to surface this kind of intrusion before the ransomware stage. Understanding which indicators of compromise are reliable for detecting this class of threat is an important part of tuning detection that can catch what network-layer tools miss.

The broader issue is that DragonForce's use of Backdoor.Turn is unlikely to be unique for long. When a criminal group demonstrates that a specific evasion technique works against real targets, other groups adopt it. The Ghost Calls technique is now validated in a criminal context, and the tooling exists in the form of Backdoor.Turn. Security researchers should expect to see variants of this approach in other malware families over the coming months as other actors incorporate the technique into their own tools.

Defending against TURN relay abuse and similar cloud-channel C2 techniques

Defenders cannot simply block TURN traffic, but they can monitor for the specific behaviours that distinguish Backdoor.Turn from legitimate Teams usage. Anonymous visitor tokens, the kind Backdoor.Turn obtains to authenticate to the TURN relay, are not the same as the authenticated organisational tokens that legitimate Teams users generate. Monitoring for TURN relay connections initiated with anonymous visitor tokens, especially from processes that would not normally initiate Teams connections, is a feasible detection approach even without unwrapping the QUIC inner session.

BYOVD detection is a parallel priority. Known vulnerable drivers that are commonly used in BYOVD attacks are catalogued in several public databases, and EDR products that monitor for the loading of known vulnerable kernel drivers can catch the privilege escalation step before the attacker reaches kernel-level access. Microsoft's vulnerable driver blocklist, when enforced through Windows Defender Application Control, prevents many of the drivers most commonly used in BYOVD attacks from loading. This is a control that is widely available but not universally deployed.

DLL sideloading detection requires a baseline understanding of which DLLs each application in the environment should load and from which paths. Applications loading DLLs from unusual paths, or DLLs with mismatched version information relative to the signed executable that loads them, are indicators worth investigating. The attack surface created by legitimate applications that can be used for DLL sideloading is often underestimated in environments where the focus has been on external-facing controls. Finally, monitoring dark web sources for early indicators that an organisation's credentials or data are being traded is a signal that can surface an intrusion months before the ransomware payload is delivered. The dwell time of one to two months in this case represents a window during which early detection was possible through the right monitoring capabilities.

Frequently asked questions

Does this mean Microsoft Teams itself has a vulnerability?

No. Backdoor.Turn abuses the TURN relay infrastructure that Teams uses for its media connections, but it does not exploit a vulnerability in Teams itself. The anonymous visitor token mechanism that Backdoor.Turn uses to authenticate to the TURN relay is a legitimate feature of the Teams platform intended for guest meeting participants. Microsoft has not issued a security advisory related to this attack because the behaviour exploits the design of TURN relay infrastructure rather than a flaw in its implementation. The appropriate defensive response is endpoint-level detection and network behaviour monitoring, not patching Teams.

What is QUIC and why does it make detection harder?

QUIC is a transport layer protocol developed by Google and standardised by the IETF. It runs over UDP rather than TCP and encrypts all its payload, including headers that TCP would leave unencrypted. It was designed to reduce connection latency and improve performance for web traffic, and it is now used by major web services including Google, Cloudflare, and Microsoft. The encryption and the UDP transport make it difficult for traditional deep packet inspection tools to analyse QUIC traffic content, and blocking QUIC entirely would break many legitimate services. Backdoor.Turn's use of QUIC as the inner session protocol is deliberate: it adds a layer of encryption and protocol obfuscation on top of the already-legitimate-looking TURN relay outer connection.

Were any other companies targeted with Backdoor.Turn beyond the unnamed U.S. services firm?

Symantec and Carbon Black's June 2026 publication identified one confirmed victim, the unnamed major U.S. services firm. The researchers did not indicate whether other victims had been identified. Given that DragonForce operates as a ransomware-as-a-service with multiple affiliates, and that Backdoor.Turn appears to be a tool available within the DragonForce ecosystem rather than the work of a single operator, it is likely that other deployments of Backdoor.Turn exist that have not yet been publicly linked to this technique.

If the victim pays the ransom, will Backdoor.Turn be removed?

The injection of Backdoor.Turn into DbgView64.exe after the ransomware deployment suggests it may be intended to maintain persistence independently of the ransomware negotiation. Organisations that pay a ransom and receive a decryption key should not assume that their environment is clean: a thorough incident response investigation is required to identify and remove all implants, including any that may be designed to maintain access after the primary ransomware payload has been addressed. Paying ransom removes the encryption problem; it does not necessarily remove all attacker access.

How did the attackers gain initial access in December 2025?

Symantec and Carbon Black's report indicates that DLL sideloading was used in the initial access chain, fetching additional malware from remote servers. The specific vector used to deliver the initial DLL, whether phishing, exploitation of a public-facing vulnerability, or another method, was not detailed in the public reporting. The gap between initial access in December 2025 and the June 2026 reporting means that the full initial access chain may only become clear as the forensic investigation of the victim organisation concludes.

What should I look for in my own environment to detect a similar intrusion?

The key detection opportunities for Backdoor.Turn-style attacks are: processes initiating TURN relay connections that are not the Teams client or a legitimately Teams-integrated application; DLL loads by signed processes from unusual paths or with mismatched DLL metadata; loading of known vulnerable drivers that are used in BYOVD attacks; and DbgView64.exe exhibiting network activity. More broadly, any process injecting into other processes or exhibiting capabilities beyond its expected function is worth investigating. At the threat intelligence level, monitoring for evidence that your organisation's credentials or internal data are being discussed or sold on underground markets is an early warning that an intrusion may be underway well before the ransomware stage.
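As an added illustration (not code from Symantec, Carbon Black or this article), the following Python triage encodes the endpoint indicators listed above and in the defending section as rules run over constructed sample telemetry: TURN-port connections from processes outside a Teams allowlist, any socket opened by DbgView64.exe, and signed processes loading DLLs from outside their expected directories. The process names, port set, trusted directories and allowlist are assumptions to be tuned per environment.

```python
"""Toy endpoint-telemetry rules for the Backdoor.Turn indicators.

All events below are constructed samples, not real telemetry. The port set,
process allowlist and trusted directories are assumptions for illustration.
"""
from dataclasses import dataclass

# Standard TURN port (3478) plus the UDP range Teams media relays use (assumption).
TURN_PORTS = {3478, 3479, 3480, 3481}
# Processes expected to talk to Teams TURN relays (assumed allowlist; tune per environment).
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}
# Directories a signed application is expected to load its DLLs from (assumption).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")


@dataclass
class NetEvent:
    process: str   # image name of the process opening the socket
    proto: str     # "udp" or "tcp"
    dst_port: int


@dataclass
class LoadEvent:
    process: str   # executable performing the image load
    signed: bool   # whether that executable carries a valid signature
    dll_path: str  # full path of the DLL loaded


def check_net(ev: NetEvent) -> list[str]:
    """TURN-port use by a non-Teams process, and any network activity from DbgView64.exe."""
    findings = []
    proc = ev.process.lower()
    if ev.proto == "udp" and ev.dst_port in TURN_PORTS and proc not in TEAMS_PROCESSES:
        findings.append(f"turn-relay-connection from non-Teams process {ev.process}")
    if proc == "dbgview64.exe":
        findings.append("dbgview64.exe network activity (debugger should not open sockets)")
    return findings


def check_load(ev: LoadEvent) -> list[str]:
    """A signed process loading a DLL from a path outside its expected library directories."""
    if ev.signed and not ev.dll_path.lower().startswith(TRUSTED_DLL_DIRS):
        return [f"signed process {ev.process} loaded DLL from unusual path {ev.dll_path}"]
    return []


def triage(net: list[NetEvent], loads: list[LoadEvent]) -> list[str]:
    """Run every rule over the supplied events and return all findings."""
    out = []
    for ev in net:
        out.extend(check_net(ev))
    for ev in loads:
        out.extend(check_load(ev))
    return out


# Constructed sample telemetry: a benign Teams call, a relay connection from an
# unexpected process, a DbgView64.exe socket, and a sideload-style DLL load.
SAMPLE_NET = [NetEvent("ms-teams.exe", "udp", 3478), NetEvent("updater.exe", "udp", 3478),
              NetEvent("DbgView64.exe", "udp", 443)]
SAMPLE_LOADS = [LoadEvent("vendorapp.exe", True, r"C:\Program Files\VendorApp\helper.dll"),
                LoadEvent("vendorapp.exe", True, r"C:\Users\Public\Downloads\version.dll")]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NET, SAMPLE_LOADS):
        print(finding)
```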

What the DragonForce-Teams incident means for defenders in 2026

The Backdoor.Turn case arrives at a moment when legitimate cloud services are becoming the preferred communications channel for sophisticated attackers. The same infrastructure organisations depend on for collaboration and productivity, Microsoft Teams, Google Workspace, Slack, and others, is increasingly the medium through which attackers conduct their post-compromise operations. This is not an accident: attackers understand that blocking or alerting on traffic to these platforms would cause significant operational disruption for the organisations they target, and so they exploit the implicit trust that network controls place in traffic destined for known cloud infrastructure.

The defensive implication is a shift in where detection investment needs to go. Network-layer controls that distinguish good from bad traffic based on destination IP or domain are becoming less reliable as attackers route their communications through legitimate cloud infrastructure. Endpoint detection, behavioural analytics at the process and memory level, and the monitoring of anomalous activity patterns in specific processes and network connections are where detection capability needs to grow. A process that has no reason to initiate network connections to Teams relay infrastructure, yet does so, is a finding worth investigating regardless of whether Teams traffic is ordinarily trusted. Combining this endpoint-level behavioural visibility with threat intelligence on ransomware groups and their tooling is how teams can stay ahead of the curve when techniques like Ghost Calls move from research papers into active criminal operations.

How Defendis Can Help

Incidents like these share a common thread: the attacker is already inside by the time the organisation realises something is wrong. Backdoor.Turn hid in Teams traffic for two months. The Icarus group held Klue's customer data for weeks before the full victim list became clear. In both cases the early signal existed: credentials circulating on underground markets, infrastructure behaving abnormally, data appearing in places it should not be. Those signals reached the organisations through the news, not through their own monitoring.

Defendis monitors underground markets, leak forums, and dark web infrastructure continuously. When your credentials or data appear where they should not, your team receives an alert with the context needed to act, before the story makes the front page of BleepingComputer.

About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.