DragonForce Ransomware Leverages Microsoft Teams Infrastructure to Evade Detection
The **DragonForce** ransomware gang has been observed deploying a custom backdoor, **Backdoor.Turn**, that abuses **Microsoft Teams**' relay infrastructure to conceal its command-and-control (C2) traffic. It is the first known malware seen in the wild to route C2 traffic through Teams' Traversal Using Relays around NAT (**TURN**) servers, which poses a real problem for network defenders: on the wire, the infected host appears to be talking only to Microsoft.

Cybersecurity researchers at **Symantec** have uncovered a sophisticated attack by the **DragonForce** ransomware operation, known for its cartel-style structure and links to the **Scattered Spider** threat group. The attackers utilized a custom Go-based malware, dubbed **Backdoor.Turn**, to effectively hide malicious communications within trusted **Microsoft Teams** network traffic.
### Abusing Microsoft Teams' TURN Protocol
The core of the evasion technique is **Backdoor.Turn**'s abuse of **TURN**, the protocol **Microsoft Teams** uses to relay call media and data between clients when a direct peer-to-peer connection cannot be established (for example, when both endpoints sit behind NAT). The malware first obtains an anonymous **Teams** visitor token, uses it to gain access to a legitimate **Microsoft TURN** relay during connection setup, and then connects through that relay to the attacker's C2 server. Because the victim host only ever opens connections to a Microsoft relay endpoint, the C2 session looks like ordinary **Teams** traffic and passes controls that allow-list Microsoft's published Teams IP ranges and ports; distinguishing it from a real call requires knowing which process on the endpoint is making the TURN allocation.
While the concept of abusing **Teams** and **Zoom** for C2 operations was demonstrated in 2025 by **Praetorian**'s 'Ghost Calls' technique, **Backdoor.Turn** is the first recorded instance of such a method being used in active attacks. **Symantec** emphasizes, "**Backdoor.Turn**, a Go-based RAT, is the first known malware to abuse **Microsoft Teams**' **TURN** relay servers to mask command-and-control traffic."
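The detection problem described above comes down to two questions: is this payload a TURN exchange, and is the process that opened it the Teams client? The following Python is an added example written for this page; it is not Symantec's code and not part of **Backdoor.Turn**. It parses the STUN/TURN header (RFC 5389 magic cookie, message type) and ChannelData framing, then flags TURN allocations to Microsoft Teams relay ranges made by any process other than the Teams client. The relay CIDRs and ports are taken from Microsoft's published Teams media ranges and should be refreshed from the current list; the flow records, process names and `Flow` structure are constructed for illustration.

```python
"""Added example: classify TURN payloads and flag TURN relay use by non-Teams processes.
Not Symantec's code and not Backdoor.Turn; flow records below are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

STUN_MAGIC_COOKIE = 0x2112A442

# STUN/TURN message types as encoded on the wire (RFC 5389, RFC 5766).
TURN_TYPES = {
    0x0001: "Binding request",
    0x0003: "Allocate request",
    0x0103: "Allocate success",
    0x0113: "Allocate error",
    0x0009: "ChannelBind request",
    0x0016: "Send indication",
    0x0017: "Data indication",
}

# Assumption: Teams media/relay ranges and ports per Microsoft's published
# Microsoft 365 URL and IP range list for Teams. Verify against the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n)
                    for n in ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481, 443}
# Assumption: process names of the legitimate Teams client on Windows.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}


def classify_payload(payload: bytes) -> Optional[str]:
    """Return a STUN/TURN message label, 'ChannelData', or None if not TURN."""
    if len(payload) < 4:
        return None
    first = payload[0]
    # ChannelData (RFC 5766 s11.4): top two bits are 01 (channel 0x4000-0x7FFF).
    if (first & 0xC0) == 0x40:
        return "ChannelData"
    # STUN messages: top two bits 00, 20-byte header, magic cookie at offset 4.
    if len(payload) < 20 or (first & 0xC0) != 0x00:
        return None
    msg_type, _msg_len, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != STUN_MAGIC_COOKIE:
        return None
    return TURN_TYPES.get(msg_type, f"STUN type 0x{msg_type:04x}")


@dataclass
class Flow:
    """One outbound flow as an endpoint sensor would report it (constructed)."""
    process: str
    dst_ip: str
    dst_port: int
    payload: bytes  # first bytes of the flow; only visible pre-TLS or on UDP


def is_teams_relay(ip: str, port: int) -> bool:
    """True if the destination is inside Microsoft's Teams relay ranges/ports."""
    addr = ipaddress.ip_address(ip)
    return port in TEAMS_RELAY_PORTS and any(addr in net for net in TEAMS_RELAY_NETS)


def suspicious_turn_flows(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Flag TURN traffic to Teams relays from processes that are not the Teams client."""
    hits = []
    for f in flows:
        label = classify_payload(f.payload)
        if label is None or not is_teams_relay(f.dst_ip, f.dst_port):
            continue
        if f.process.lower() in TEAMS_PROCESSES:
            continue
        hits.append((f.process, f.dst_ip, f.dst_port, label))
    return hits


def stun_message(msg_type: int, txid: bytes = b"\x00" * 12) -> bytes:
    """Build a minimal attribute-less STUN message (constructed test input)."""
    return struct.pack("!HHI", msg_type, 0, STUN_MAGIC_COOKIE) + txid


# Constructed sample flows: a legitimate Teams call, a DbgView64.exe process
# (the host the report names) allocating a relay and sending ChannelData, and
# an unrelated TLS ClientHello that must not be classified as TURN.
SAMPLE_FLOWS = [
    Flow("ms-teams.exe", "52.113.10.20", 3478, stun_message(0x0003)),
    Flow("DbgView64.exe", "52.113.10.21", 3478, stun_message(0x0003)),
    Flow("DbgView64.exe", "52.113.10.21", 3478, b"\x40\x01\x00\x05hello"),
    Flow("chrome.exe", "142.250.1.1", 443, b"\x16\x03\x01\x00\xf1"),
]

if __name__ == "__main__":
    for hit in suspicious_turn_flows(SAMPLE_FLOWS):
        print("TURN from non-Teams process:", hit)
```

Two caveats follow from the code. Payload classification only works where the STUN header is visible, which means UDP 3478-3481 or an endpoint sensor that sees data before TLS; TURN over TCP 443 is opaque to a network tap, so the process-to-flow correlation (for example from Sysmon network-connection events) is the signal that survives. Second, the allow-list of Teams process names is itself a weak point: a backdoor injected into a process with a Teams-like name would pass, so the rule is a triage filter, not a verdict.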
### Sophisticated Attack Chain
The attack, observed in December 2025 against a major U.S. services company, likely began with the exploitation of an as-yet unidentified vulnerability in an exposed SQL or MSSQL server. After gaining initial access, the attackers established persistence by creating rogue user accounts, abusing the `LimitBlankPasswordUse` security setting (by default it confines local accounts with blank passwords to console logon; turning it off lets those accounts log on over the network), and modifying firewall rules.
A key part of their defense evasion was the **Bring Your Own Vulnerable Driver (BYOVD)** technique. The attackers loaded several known vulnerable, legitimately signed drivers, including **Huawei**'s **HWAuidoOs2Ec.sys** ("Havoc Process Terminator"), **Topaz Antifraud wsftprm.sys** (**CVE-2023-52271**), **Tower of Fantasy GameDriverx64.sys** (**CVE-2025-61155**), and **K7 Security K7RKScan.sys** (**CVE-2025-1055**). Loading such a driver requires administrator rights the attackers already held, but it gives them kernel-mode capabilities, which they used to terminate security tools on the compromised host; whether memory integrity (HVCI) and Microsoft's vulnerable driver blocklist are enforced on endpoints is the first mitigation to verify. In addition, a custom malicious driver named **ABYSSWORKER**, disguised as a legitimate **Palo Alto** driver, was deployed.
### Backdoor.Turn Capabilities and Ransomware Deployment
The **Backdoor.Turn** remote access trojan (**RAT**) was injected into a `DbgView64.exe` process after the ransomware had been deployed, suggesting it was staged for continued access or follow-on operations. Its capabilities are extensive: command execution, process creation, network scanning, TLS certificate capture, LDAP/Active Directory searches, website title collection, and browser credential theft.
After successfully completing reconnaissance and neutralizing security defenses, the attackers exfiltrated sensitive data before deploying the **DragonForce** ransomware and encrypting the victim's systems. **Symantec** highlights the exceptionally sophisticated cyber tradecraft employed in this campaign.
**Symantec** has provided a comprehensive list of Indicators of Compromise (**IoCs**) to assist organizations in detecting and blocking these advanced attacks.