For one to two months, a ransomware crew operated inside a major US services firm while its command traffic looked like an ordinary Microsoft Teams call. That is the whole problem. The DragonForce operators behind a new Go-based backdoor, tracked by Broadcom-owned Symantec as Backdoor.Turn, do not send their command-and-control traffic to a server you can block. They send it to Microsoft, and Microsoft forwards it for them.
Symantec's Carbon Black team describes this as the first time TURN relay infrastructure has been abused this way in a live intrusion. The technique itself is borrowed from public research called Ghost Calls, first detailed by Praetorian (reporting differs on whether that was in 2024 or at Black Hat 2025; the underlying method is the same). What changed in June 2026 is that a financially motivated ransomware group put it into production against a real target.
How the backdoor turns Teams into a tunnel
The mechanics are simpler than they sound. The malware first asks Microsoft's Skype-based identity layer for a guest credential, the kind of pass that normally lets someone drop into a meeting without an account. Armed with that, it opens a channel through one of Microsoft's own media relays and tunnels an encrypted QUIC session over it, out to the operator's true C2 box.
TURN, short for Traversal Using Relays around NAT, exists to forward media between two endpoints that cannot reach each other directly, which describes most video calls placed from behind home and office routers. Relaying arbitrary traffic is what it is built to do. So from the network's point of view, the infected host opens a normal-looking encrypted session to a Microsoft relay, exactly like any Teams call. Symantec's own summary is blunt: defenders watch the session head to legitimate Teams servers and never realize data is leaving by another door.
Why your network detection is structurally blind here
This is the part worth sitting with. Most C2 detection assumes there is a bad destination to find: a domain to put on a blocklist, an IP in a threat feed, a fingerprint that does not match known-good software. None of that applies. Every hop your sensor can see terminates at Microsoft. The malicious endpoint sits one relay-hop beyond your horizon, and the relay will not tell you it is there.
We have written before about attackers moving onto shared, trusted delivery infrastructure and about a trusted SaaS connection being the breach path rather than the perimeter. This is the same move applied to the command channel itself. The lesson repeats: when the destination is trustworthy, the destination stops being a useful detection signal. You have to detect the behavior, not the address.
The detectable seam moved to the host
The good news is that the cleverness only hides the network leg. On the endpoint, the intrusion leaves several tells that have nothing to do with where the traffic goes:
- A process other than the Teams client asking for a guest meeting pass. Those requests should come from Teams itself, never from a stray binary.
- An outbound QUIC session from DbgView64.exe. Symantec found Backdoor.Turn injected into that Sysinternals debug viewer, a tool that has no reason to open network connections, let alone QUIC ones.
- A vulnerable kernel driver loading. Before any of the Teams trickery, the attackers silenced security software using a vulnerable Huawei driver and a custom malicious driver dressed up as a security vendor's software.
Those events are visible to endpoint telemetry whether or not the network looks clean. A hunt for QUIC connections originating from processes that are not browsers or Teams, correlated with recent driver-load events, would have surfaced this long before two months passed.
Bring your own vulnerable driver (BYOVD) is the prerequisite, not the footnote
It is tempting to make the Teams relay the headline and move on. The relay is the memorable part, but it is not what bought the dwell time. The attackers got their long runway by blinding the host's defenses first, using bring-your-own-vulnerable-driver to load a signed-but-flawed driver and disable endpoint protection from the kernel. Huntress had documented the Huawei driver's vulnerable status back in March 2026; this intrusion weaponized it. With the sensor deaf, the network trick only had to defeat tooling that was already half disabled.
That ordering matters for defense. Close the driver gap and the clever C2 has far less to hide behind. Microsoft's vulnerable-driver blocklist and Windows Defender Application Control let you deny known-bad drivers outright; keeping both current is the single most effective control against this pattern, and it is free.
What there is to do
There is no patch coming for the relay abuse, because nothing is broken. TURN forwarding arbitrary traffic is the protocol working as designed, and Microsoft cannot close it without breaking guest access to Teams. So the response is detection and hardening, not a Tuesday update:
- Hunt for outbound QUIC from processes that should never speak it, and for guest-token requests that come from anything other than the Teams client.
- Enforce the Microsoft vulnerable-driver blocklist and Windows Defender Application Control so a known-bad driver cannot load in the first place.
- Alert when ordinary utilities such as the Sysinternals debug viewer make network connections; treat injection into living-off-the-land binaries as a high-signal event.
- Note the entry pattern. The foothold around December 2025 came through a ZIP carrying a legitimate signed executable and a malicious sideloaded DLL. Symantec is not certain of the first access vector, citing a possible database server exploit or access bought from a broker, so treat both as live hypotheses.
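The host-side hunt sketched above (QUIC from processes that should never speak it, correlated with recent driver loads) can be expressed as a small detection over endpoint telemetry. This is an added example, not Symantec's detection content or code from the article; the events are constructed, loosely modelled on Sysmon network-connection and driver-load records, and the driver file name, signer and process allowlist are illustrative assumptions.

```python
# Added example: hunt logic over constructed endpoint events. Flags QUIC egress
# (UDP/443) from processes outside an allowlist, and escalates the finding when a
# driver was loaded on the same host shortly before. Names below are assumptions.
from datetime import datetime, timedelta

# Processes expected to speak QUIC; anything else opening UDP/443 is a finding.
QUIC_ALLOWLIST = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
DRIVER_WINDOW = timedelta(hours=48)  # how far back to look for a driver load

# Constructed sample telemetry (host, ISO timestamp, event type, details).
EVENTS = [
    {"host": "ws01", "ts": "2026-06-01T08:00:00", "type": "driver_load",
     "image": "placeholder_vuln.sys", "signer": "Example Vendor"},  # placeholder driver
    {"host": "ws01", "ts": "2026-06-01T09:15:00", "type": "netconn",
     "image": "DbgView64.exe", "proto": "udp", "dport": 443},       # debug viewer speaking QUIC
    {"host": "ws02", "ts": "2026-06-01T09:20:00", "type": "netconn",
     "image": "ms-teams.exe", "proto": "udp", "dport": 443},        # legitimate Teams call
    {"host": "ws03", "ts": "2026-06-01T10:00:00", "type": "netconn",
     "image": "notepad.exe", "proto": "udp", "dport": 443},         # odd, but no driver load
]

def parse(ts):
    return datetime.fromisoformat(ts)

def is_quic(ev):
    return ev["type"] == "netconn" and ev["proto"] == "udp" and ev["dport"] == 443

def hunt(events):
    """Return findings for unexpected QUIC egress, in event order."""
    driver_loads = {}
    for ev in events:
        if ev["type"] == "driver_load":
            driver_loads.setdefault(ev["host"], []).append(ev)
    findings = []
    for ev in events:
        if not is_quic(ev) or ev["image"].lower() in QUIC_ALLOWLIST:
            continue
        t = parse(ev["ts"])
        # Driver loads on this host within the lookback window before the connection.
        recent = [d for d in driver_loads.get(ev["host"], [])
                  if timedelta(0) <= t - parse(d["ts"]) <= DRIVER_WINDOW]
        findings.append({"host": ev["host"], "process": ev["image"],
                         "severity": "high" if recent else "medium",
                         "drivers": [d["image"] for d in recent]})
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Severity is only a triage hint; the medium finding on ws03 still deserves a look, since a driver load may simply have fallen outside the window or the telemetry.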
The uncomfortable takeaway is that "block the bad server" is aging out as a primary control. When attackers route command traffic through the same infrastructure your business runs on, the question stops being where the traffic is going and becomes which process is sending it and whether it should be. That shift, from destination to behavior, is the real story under the Teams headline.