DragonForce Ransomware Leverages Microsoft Teams Infrastructure for Stealthy C2 with 'Backdoor.Turn'
Threat actors linked to the **DragonForce** ransomware have been observed deploying a Go-based remote access trojan (RAT) named **Backdoor.Turn**. The malware tunnels its command-and-control (C2) traffic through legitimate **Microsoft Teams** relay infrastructure, so the only outbound connections a network defender sees are to Microsoft servers.
Cybersecurity researchers at **Broadcom**-owned **Symantec** and **Carbon Black** have uncovered the technique in use by **DragonForce** ransomware affiliates: a custom Go-based RAT dubbed **Backdoor.Turn** that hides its C2 communications by routing them through **Microsoft Teams**' relay infrastructure.
This marks the first publicly documented instance of threat actors abusing **Microsoft**'s Traversal Using Relays around NAT (**TURN**) infrastructure in this way. The backdoor was deployed against a major U.S. services firm that has not been named.

### How Backdoor.Turn Achieves Stealth
According to the **Threat Hunter Team**'s report, **Backdoor.Turn** first obtains an anonymous **Teams** visitor token from **Microsoft**'s **Skype**-backed identity services. With that token it allocates a relay on a legitimate **Microsoft TURN** server and then runs a **QUIC** session through the relay to the attacker's actual C2 server. Because the relay forwards the traffic, the C2 server's address never appears as a destination in the victim's network logs.
This makes the malicious traffic hard to distinguish from normal **Teams** usage: from a network defender's perspective, the only visible outbound connections are to legitimate **Microsoft Teams** servers. It has allowed the attackers to stay on victim networks for extended periods, in some cases up to two months.
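One practical consequence of the mechanism above is that destination reputation is useless, but process-to-destination pairing is not: only the Teams client should be talking to Teams TURN relays. The following hunting script is an added example, not code from the Symantec/Carbon Black report. It runs over constructed records shaped like Sysmon Event ID 3 (NetworkConnect) fields and flags any process other than the Teams client that connects to the UDP/TCP 3478-3481 range Microsoft publishes for Teams media relays. The process allowlist, the port range and the RFC 5737 documentation addresses standing in for Microsoft relay IPs are assumptions of the example; the suspicious image in the sample is `DbgView64.exe`, the process the article later says hosted the backdoor.

```python
"""Hunt for processes other than the Teams client that talk to Teams TURN relay ports.

Added example, not code from the Symantec/Carbon Black report. SAMPLE_EVENTS is
constructed to resemble Sysmon Event ID 3 (NetworkConnect) fields. Assumptions:
TEAMS_IMAGES is the expected Teams client baseline on this fleet, and TURN_PORTS
is the 3478-3481 range Microsoft publishes for Teams media relays. Destination
addresses are RFC 5737 documentation addresses, not real Microsoft relays.
"""
from collections import defaultdict

TURN_PORTS = range(3478, 3482)                 # 3478-3481, Teams media relay ports
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}   # assumed baseline; adjust per fleet

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe",
     "Protocol": "udp", "DestinationIp": "192.0.2.10", "DestinationPort": "3478"},
    {"Computer": "WS01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "tcp", "DestinationIp": "192.0.2.20", "DestinationPort": "443"},
    {"Computer": "SRV02", "Image": r"C:\Tools\DbgView64.exe",
     "Protocol": "udp", "DestinationIp": "192.0.2.10", "DestinationPort": "3478"},
    {"Computer": "SRV02", "Image": r"C:\Tools\DbgView64.exe",
     "Protocol": "tcp", "DestinationIp": "192.0.2.11", "DestinationPort": "3480"},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "udp", "DestinationIp": "192.0.2.30", "DestinationPort": "53"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_turn_connection(event: dict) -> bool:
    """True when the destination port is in the Teams TURN relay range (any protocol)."""
    return int(event["DestinationPort"]) in TURN_PORTS


def find_suspicious_turn_clients(events):
    """Return TURN-port connections whose source process is not a Teams client.

    The destination is a legitimate Microsoft relay either way; the signal is
    the unexpected client process, not the server it talks to.
    """
    return [
        ev for ev in events
        if is_turn_connection(ev) and image_name(ev["Image"]) not in TEAMS_IMAGES
    ]


def summarize(hits):
    """Group hits by (host, image) with a connection count and the distinct relays used."""
    summary = defaultdict(lambda: {"connections": 0, "relays": set()})
    for ev in hits:
        key = (ev["Computer"], image_name(ev["Image"]))
        summary[key]["connections"] += 1
        summary[key]["relays"].add(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    return dict(summary)


if __name__ == "__main__":
    for (host, image), info in summarize(find_suspicious_turn_clients(SAMPLE_EVENTS)).items():
        print(f"{host}: {image} made {info['connections']} TURN connection(s) to {sorted(info['relays'])}")
```

Two caveats for anyone adapting this: the Teams client also falls back to TURN over TCP 443, which a port-only rule will miss, so pair it with the Microsoft relay address ranges your proxy or firewall logs already carry; and a hit on a host where Teams is not installed at all is a stronger signal than one on a workstation, so the host inventory belongs in the allowlist logic rather than a flat image list.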
### Initial Access and Evasion Techniques
Initial access in the observed incident is suspected to have come from exploitation of a vulnerability in an exposed SQL server, possibly **Microsoft SQL Server** (**MS-SQL**), although the precise flaw is unknown. Purchase of access from an initial access broker (IAB) is also being considered.
The malicious activity began in December 2025 with a PowerShell command that deployed a ZIP archive disguised as a tech-support hotfix. The archive was used for a DLL side-loading attack, launching a rogue DLL that performed reconnaissance, established persistence, and disabled security software with the help of a **Huawei** driver (**HWAuidoOs2Ec.sys**).
This technique, **Bring Your Own Vulnerable Driver (BYOVD)**, loads a legitimately signed but vulnerable driver so that the attacker's user-mode code can borrow kernel privileges to terminate or blind security products that would otherwise block it. Other drivers previously observed in similar contexts include:
* **wsftprm.sys** (**CVE-2023-52271**)
* **GameDriverX64.sys** (**CVE-2025-61155**)
* **K7RKScan.sys** (**CVE-2025-1055**)
* **ABYSSWORKER**, a custom malicious driver linked to **Medusa** ransomware attacks.
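Because BYOVD drivers are validly signed, signature checks alone will not catch them; hunting works on the driver's identity (name, and better, hash, since attackers rename files) and on where it was loaded from. The script below is an added example, not from the Symantec/Carbon Black report. It triages constructed records shaped like Sysmon Event ID 6 (DriverLoad) against a watchlist built from the file names in this article. The driver bytes and hashes are constructed stand-ins for the SHA-256 values you would take from vendor advisories or Microsoft's vulnerable driver blocklist, and the "loaded from outside the drivers directory" rule is a generic heuristic of the example, not something the report states.

```python
"""Triage driver-load telemetry against a BYOVD watchlist.

Added example, not code from the Symantec/Carbon Black report. SAMPLE_EVENTS is
constructed to resemble Sysmon Event ID 6 (DriverLoad) fields. The watchlist
file names are the ones named in the article; the driver contents and hashes
are constructed stand-ins for published blocklist hashes. EXPECTED_DRIVER_DIR
is a heuristic assumption of this example.
"""
import hashlib

# File names named in the article, mapped to why they are watched.
WATCHLIST_NAMES = {
    "hwauidoos2ec.sys": "Huawei driver abused by DragonForce to disable security software",
    "wsftprm.sys": "CVE-2023-52271",
    "gamedriverx64.sys": "CVE-2025-61155",
    "k7rkscan.sys": "CVE-2025-1055",
}

# Constructed "driver" bytes standing in for the real files. In practice the
# blocklist holds published SHA-256 values, not the files themselves.
KNOWN_BAD_BLOBS = {
    "wsftprm.sys": b"CONSTRUCTED-SAMPLE-wsftprm",
    "gamedriverx64.sys": b"CONSTRUCTED-SAMPLE-gamedriverx64",
}
BLOCKLIST_SHA256 = {hashlib.sha256(b).hexdigest(): n for n, b in KNOWN_BAD_BLOBS.items()}

EXPECTED_DRIVER_DIR = r"c:\windows\system32\drivers"   # heuristic, assumed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'ALG=hex,ALG=hex' Hashes field into {ALG: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, value = part.split("=", 1)
            out[alg.strip().upper()] = value.strip().lower()
    return out


# Constructed sample telemetry: a benign driver, the article's Huawei driver loaded
# from a user-writable "hotfix" folder, and a renamed copy of a blocklisted driver.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": f"SHA256={sha256_hex(b'CONSTRUCTED-benign-ntfs')}"},
    {"ImageLoaded": r"C:\Users\Public\hotfix\HWAuidoOs2Ec.sys",
     "Hashes": f"SHA256={sha256_hex(b'CONSTRUCTED-SAMPLE-huawei')}"},
    {"ImageLoaded": r"C:\Windows\Temp\update.sys",
     "Hashes": f"SHA256={sha256_hex(KNOWN_BAD_BLOBS['wsftprm.sys'])},MD5=constructed"},
]


def triage_driver_loads(events, blocklist=BLOCKLIST_SHA256):
    """Return a finding per event that trips the name, hash or load-path rule."""
    findings = []
    for ev in events:
        path = ev["ImageLoaded"]
        name = file_name(path)
        reasons = []
        if name in WATCHLIST_NAMES:
            reasons.append(f"watchlist name {name}: {WATCHLIST_NAMES[name]}")
        digest = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        if digest in blocklist:
            # Catches the renamed-driver case the name rule cannot.
            reasons.append(f"SHA-256 matches blocklist entry {blocklist[digest]} (on disk as {name})")
        if not path.lower().startswith(EXPECTED_DRIVER_DIR):
            reasons.append(f"loaded from outside {EXPECTED_DRIVER_DIR}")
        if reasons:
            findings.append({"image": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS):
        print(f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

The load-path rule produces noise on hosts where vendors legitimately stage drivers elsewhere, so treat it as a weighting factor rather than an alert on its own; the hash match is the one you can act on directly, and it is also the reason to prefer hash-based watchlists over the file names listed above.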
### Post-Ransomware Persistence and Capabilities
Notably, **Backdoor.Turn** was executed by injecting it into the legitimate **DbgView64.exe** process *after* the **DragonForce** ransomware had already been deployed. This suggests a deliberate effort to keep persistent access to the compromised host, whether for follow-on attacks or for reselling access to other threat groups.
The **TURN**-based mechanism of **Backdoor.Turn** parallels **Ghost Calls**, a stealthy C2 communication technique documented by **Praetorian** in August 2024. The backdoor has a comprehensive set of capabilities, including:
* Command execution
* Process creation
* Network scanning
* **LDAP** and **Active Directory** searches
* Credential-based lateral movement
* Browser credential theft
**Symantec** and **Carbon Black** emphasize that the combination of an anonymously obtained **Teams** visitor token, a legitimate **Microsoft** server acting as a **TURN** relay, and a **QUIC** session carried through that relay to the malicious C2 server makes the backdoor exceptionally difficult to detect.
These findings highlight the evolving sophistication of the **DragonForce** threat actors, also known as **Hackledorb**. Their pivot from a traditional ransomware-as-a-service (RaaS) model to a formalized cartel structure, coupled with techniques such as **BYOVD**-based defense evasion and the **Backdoor.Turn** C2 channel, makes them one of the more capable and persistent ransomware groups currently operating.