Security researchers at Symantec’s Threat Hunter Team have uncovered a sophisticated ransomware campaign in which attackers leveraged Microsoft’s own cloud infrastructure to disguise malicious command-and-control (C2) communications. The technique, linked to a DragonForce ransomware attack against a major U.S. services firm, involves a novel Go-based backdoor called Backdoor.TURN that routes C2 traffic through Microsoft Teams TURN relay servers — making malicious activity appear as normal enterprise communications.
The Novel Technique: Teams TURN Relay Abuse
Instead of directly communicating with attacker-controlled infrastructure — which would trigger network security alerts — Backdoor.TURN routes traffic through Microsoft’s own servers. The malware requests an anonymous visitor token from Microsoft’s Skype-backed identity services, uses this token to authenticate with Teams infrastructure, and establishes a relay session via TURN (Traversal Using Relays around NAT) servers. Once the TURN relay connection is established, it initiates a QUIC session with the real C2 server behind the relay.
The result: network defenders only observe outbound traffic to legitimate Microsoft domains such as teams.microsoft.com and related infrastructure. The malicious C2 channel is completely hidden within traffic that organizations routinely trust and often exclude from deep packet inspection.
Symantec notes this is the first known real-world case of Microsoft Teams TURN relay infrastructure being weaponized in this manner. The technique is inspired by “Ghost Calls” research presented at Black Hat 2025, which demonstrated in principle how web conferencing platforms could be abused for covert communication; Backdoor.TURN is the real-world operationalization of that concept.
Attack Chain: How the Intrusion Unfolded
The intrusion began in December 2025. The initial access vector remains unclear, but Symantec analysis suggests the attackers likely exploited an unknown SQL or MSSQL server vulnerability, or obtained initial access through an initial access broker (IAB). After gaining entry, the attackers deployed a malicious ZIP archive containing a legitimate VirtualBox executable and a weaponized DLL. Through DLL sideloading, malicious code was executed under a trusted process, enabling stealthy persistence from the outset.
Following initial execution, the attackers carried out extensive reconnaissance, credential harvesting, and lateral movement across the network. They also modified firewall rules, created additional user accounts, and adjusted system settings to maintain long-term access and ensure uninterrupted C2 communications even if individual persistence mechanisms were discovered.
Advanced Defense Evasion: BYOVD and Kernel-Level Attack
A key highlight of the campaign is its advanced defense evasion strategy. The attackers used a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools at the kernel level — one of the most powerful evasion techniques available to modern threat actors.
Symantec researchers observed a novel exploitation of the Huawei driver HWAuidoOs2Ec.sys, described as a “Havoc Process Terminator.” Additional drivers linked to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 were also abused. The attackers further deployed a custom malicious driver, dubbed “Abyss Worker,” disguised as a legitimate Palo Alto driver, to terminate endpoint security processes.
This combination of legitimate-driver abuse and a custom malicious driver represents a sophisticated multi-layered approach to defeating endpoint detection and response (EDR) solutions at the kernel level.
Backdoor.TURN Capabilities
The Backdoor.TURN payload was injected into the legitimate DbgView64.exe process. Its capabilities include:
- Remote command execution
- Active Directory enumeration
- Network scanning
- Credential theft
- Lateral movement
Notably, the backdoor was deployed after ransomware execution rather than before it, suggesting it may be used for persistence, ongoing access, or potentially for resale to other threat actors seeking continued access to the compromised environment after the ransomware payoff.
About DragonForce
DragonForce, active since 2023 and tracked by Symantec as “Hackledorb,” has evolved into a highly structured and sophisticated threat group. The group’s use of trusted cloud infrastructure combined with novel exploitation techniques highlights a growing trend in modern ransomware operations: blending malicious traffic with legitimate enterprise services to reduce defenders’ visibility and complicate incident response.
Defensive Recommendations
Organizations should implement behavioral detection capabilities that can identify anomalous processes making outbound TURN relay connections — standard signature-based detection will not catch this technique. Security teams should also audit QUIC traffic within their environments, as this protocol is increasingly being abused to bypass traditional firewall inspection.
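One way to turn the behavioral check described above into a hunting rule, written as an added example for this article (it is not code from Symantec or from the report): it parses constructed endpoint connection telemetry and flags any process that opens a UDP session to Teams infrastructure on a TURN port or on UDP/443 (QUIC) unless that process is on a baseline of clients expected to do so. The hostname suffixes, port numbers, line format and process allowlist are all assumptions for illustration and should be replaced with values observed in your own environment.

```python
# Added hunting-rule example; not code from Symantec or from the report above.
# It scans constructed endpoint connection telemetry for processes that open
# TURN-relay or QUIC-style sessions to Teams infrastructure without being one
# of the processes expected to do so.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumptions for illustration only: replace suffixes, ports and the process
# baseline with what your own telemetry shows for Teams clients.
TEAMS_SUFFIXES = ("teams.microsoft.com", "skype.com")
TURN_PORTS = {3478, 3479}                 # STUN/TURN control ports (RFC 8656)
QUIC_PORT = 443                           # QUIC runs over UDP/443
EXPECTED_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msedge.exe"}


@dataclass(frozen=True)
class Conn:
    ts: str
    host: str
    process: str
    proto: str
    dst_name: str
    dst_port: int


def parse_line(line: str) -> Conn:
    """Parse one constructed 'ts key=value ...' telemetry line."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Conn(ts, kv["host"], kv["proc"].lower(), kv["proto"].lower(),
                kv["dst_name"].lower(), int(kv["dport"]))


def is_teams_destination(name: str) -> bool:
    # Match the suffix as a whole label so lookalikes such as
    # 'teams.microsoft.com.example' are not treated as Microsoft.
    return any(name == s or name.endswith("." + s) for s in TEAMS_SUFFIXES)


def classify(c: Conn) -> Optional[str]:
    """Return an alert reason, or None when the connection looks expected."""
    if c.proto != "udp" or not is_teams_destination(c.dst_name):
        return None
    if c.process in EXPECTED_TEAMS_PROCESSES:
        return None
    if c.dst_port in TURN_PORTS:
        return f"unexpected process {c.process} opened TURN relay session to {c.dst_name}"
    if c.dst_port == QUIC_PORT:
        return f"unexpected process {c.process} opened QUIC (UDP/443) session to {c.dst_name}"
    return None


def hunt(lines) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, reason) for every flagged connection."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        c = parse_line(line)
        reason = classify(c)
        if reason:
            alerts.append((c.ts, c.host, reason))
    return alerts


# Constructed sample telemetry: one legitimate Teams client, one debugging
# tool opening TURN and then QUIC sessions, one unrelated TCP connection and
# one lookalike domain that must not match the Microsoft suffix.
SAMPLE_TELEMETRY = """\
2025-12-14T02:11:05Z host=WS01 proc=ms-teams.exe proto=udp dst_name=relay01.teams.microsoft.com dport=3478
2025-12-14T02:11:09Z host=WS01 proc=DbgView64.exe proto=udp dst_name=relay01.teams.microsoft.com dport=3478
2025-12-14T02:11:12Z host=WS01 proc=DbgView64.exe proto=udp dst_name=relay01.teams.microsoft.com dport=443
2025-12-14T02:12:00Z host=WS02 proc=outlook.exe proto=tcp dst_name=outlook.office.com dport=443
2025-12-14T02:12:30Z host=WS02 proc=svchost.exe proto=udp dst_name=teams.microsoft.com.example dport=3478
""".splitlines()

if __name__ == "__main__":
    for ts, host, reason in hunt(SAMPLE_TELEMETRY):
        print(ts, host, reason)
```

The rule deliberately keys on the process rather than the destination: the destination is, by design of the technique, a trusted Microsoft endpoint, so the only anomaly visible on the endpoint is which binary is talking to it.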
Strict controls on which applications can load kernel drivers, along with a curated allowlist of permitted drivers, are critical defenses against BYOVD attacks. Microsoft has published guidance on Windows Defender Application Control (WDAC) policies that can help organizations prevent unauthorized driver loading. Finally, monitoring for unexpected DLL sideloading patterns and the creation of new administrator accounts during off-hours should be standard practice for threat hunting teams.
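The off-hours administrator-account check mentioned above, as an added example written for this article (not code from Symantec or the report): it correlates constructed Windows Security events, pairing a 4720 (a user account was created) with a 4732 (a member was added to a security-enabled local group) for the local Administrators group within a short window, and flags the pair when the account was created outside business hours. The event field names, the business-hours range, the correlation window and the sample records are assumptions for illustration; real 4732 events carry the member as a SID, so a production rule would resolve it first.

```python
# Added hunting-rule example; not code from Symantec or from the report above.
# Correlates constructed Windows Security events to find new local
# administrator accounts created outside business hours.
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

BUSINESS_HOURS = range(8, 18)     # 08:00-17:59 local time (assumption)
WINDOW = timedelta(minutes=30)    # max gap between creation and group add
ADMIN_GROUP = "administrators"
EVENT_USER_CREATED = 4720         # Windows Security: a user account was created
EVENT_LOCAL_GROUP_ADD = 4732      # Windows Security: member added to a local group


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or a weekday hour outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def correlate(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (created_at, subject, new_account) for each flagged pair.

    Each event is a simplified dict (constructed format) with keys:
    time (ISO 8601), id, subject (who did it), target (account or member
    name) and group (only meaningful for 4732).
    """
    created = {}   # new account name -> (creation time, subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == EVENT_USER_CREATED:
            created[ev["target"].lower()] = (ts, ev["subject"])
        elif ev["id"] == EVENT_LOCAL_GROUP_ADD and ev["group"].lower() == ADMIN_GROUP:
            hit = created.get(ev["target"].lower())
            if hit and ts - hit[0] <= WINDOW and is_off_hours(hit[0]):
                alerts.append((hit[0].isoformat(), ev["subject"], ev["target"]))
    return alerts


# Constructed sample events: a help-desk account creation during the day
# (expected), a service account creating and elevating a new user at 02:40
# (flagged), and a later add to a non-admin group (ignored).
SAMPLE_EVENTS = [
    {"time": "2025-12-10T10:05:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target": "jdoe", "group": ""},
    {"time": "2025-12-10T10:06:00", "id": 4732, "subject": "CORP\\helpdesk",
     "target": "jdoe", "group": "Administrators"},
    {"time": "2025-12-11T02:40:00", "id": 4720, "subject": "WS01\\svc_backup",
     "target": "support1", "group": ""},
    {"time": "2025-12-11T02:41:30", "id": 4732, "subject": "WS01\\svc_backup",
     "target": "support1", "group": "Administrators"},
    {"time": "2025-12-11T03:10:00", "id": 4732, "subject": "WS01\\svc_backup",
     "target": "support1", "group": "Remote Desktop Users"},
]

if __name__ == "__main__":
    for created_at, subject, account in correlate(SAMPLE_EVENTS):
        print(f"{created_at}: {subject} created local admin {account} off-hours")
```

Feeding the rule from a SIEM rather than a static list only changes the source of the dicts; the correlation logic and the business-hours baseline are what make the 4720/4732 pair stand out from routine help-desk activity.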