PROBABLYPWNED
Threat Intelligence | June 20, 2026 | 3 min read

DragonForce Hid C2 Traffic in Microsoft Teams for Two Months

Symantec reveals ransomware group used Teams TURN relay infrastructure to mask command-and-control. First documented abuse of Teams relay for malware C2.

Alex Kowalski

DragonForce ransomware operators maintained persistence inside a major U.S. services company for two months by routing command-and-control traffic through Microsoft Teams relay servers. The technique represents the first documented in-the-wild abuse of Teams TURN infrastructure for malware C2.

Symantec and Carbon Black researchers disclosed the attack on June 16, revealing how the group's custom Go-based backdoor exploited legitimate Microsoft infrastructure to evade network monitoring.

How the Attack Worked

The intrusion followed a multi-stage progression:

  1. Initial access: Attackers exploited a vulnerability in an SQL/MSSQL server exposed to the internet
  2. Persistence: Downloaded legitimate VirtualBox and DbgView executables alongside malicious DLLs for sideloading
  3. Privilege escalation: Deployed multiple vulnerable drivers using bring-your-own-vulnerable-driver (BYOVD) techniques
  4. Defense evasion: Injected their backdoor into DbgView64.exe

The key innovation came in the C2 channel. The malware, tracked as Backdoor.Turn, obtained an anonymous Teams visitor token from Microsoft's Skype-backed identity services. It then used Microsoft's TURN (Traversal Using Relays around NAT) relay infrastructure to establish connections before running a QUIC session to the attackers' actual C2 server.

To network defenders, the only visible traffic was outbound connections to Microsoft Teams servers. Traffic to Microsoft collaboration services rarely triggers alerts.

Backdoor Capabilities

Backdoor.Turn provides comprehensive remote access:

  • Command execution and process creation
  • Network reconnaissance scanning
  • TLS certificate interception
  • LDAP and Active Directory enumeration
  • Website title harvesting
  • Browser credential theft

The attackers combined this with multiple vulnerable drivers for kernel-level access, including:

  • Huawei HWAuidoOs2Ec.sys
  • Topaz Antifraud wsftprm.sys (CVE-2023-52271)
  • Tower of Fantasy GameDriverx64.sys (CVE-2025-61155)
  • K7 Security K7RKScan.sys (CVE-2025-1055)
  • ABYSSWORKER (counterfeit Palo Alto driver)

Detection Challenges

The technique exploits a fundamental challenge in enterprise security. Blocking or inspecting Microsoft Teams traffic isn't practical for most organizations. The service is deeply embedded in daily operations.

Traditional network monitoring looks for connections to known malicious infrastructure. When malware communicates exclusively with Microsoft-owned IP addresses, reputation-based detection has nothing to match. Deep packet inspection of QUIC traffic requires significant investment that many organizations haven't made.

Organizations should monitor for anomalous Teams token generation, particularly from non-standard processes. The IOCs published by Symantec should be deployed across security tooling.

DragonForce Background

DragonForce has operated as a ransomware-as-a-service cartel since 2023. The group has demonstrated increasing sophistication, with this attack showing significant resource allocation toward evasion research.

This isn't the first time ransomware groups have abused Microsoft infrastructure. The pattern reflects broader criminal investment in leveraging trusted services for malicious purposes. Defenders should assume that any high-reputation service could be abused for C2.

For organizations running Microsoft 365, auditing Teams-related authentication events and monitoring for unusual TURN relay usage should become standard practice.
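One way to act on the two recommendations above (TURN-relay use from processes other than the Teams client, and the relay-then-QUIC pattern Symantec describes) is a simple heuristic over endpoint network telemetry. This is an added example written for this article, not code from Symantec, Carbon Black or Microsoft; the log format, the expected-process allowlist and the destination addresses (TEST-NET-3 documentation range) are constructed assumptions, while 3478 is the RFC 5766 TURN default port.

```python
from collections import defaultdict

# Processes that are expected to speak TURN in a typical estate (assumption;
# tune to the Teams client binaries actually deployed in your environment).
EXPECTED_TURN_PROCESSES = {"ms-teams.exe", "teams.exe"}
TURN_PORTS = {3478, 3479, 3480, 3481}  # 3478 is the RFC 5766 default

# Constructed telemetry, one event per line:
# timestamp|host|process|parent|dst_ip|dst_port|proto
SAMPLE_EVENTS = """\
2026-06-01T08:02:11Z|ws-017|ms-teams.exe|explorer.exe|203.0.113.10|3478|udp
2026-06-01T08:02:15Z|ws-017|ms-teams.exe|explorer.exe|203.0.113.10|443|tcp
2026-06-01T08:05:40Z|srv-db02|DbgView64.exe|cmd.exe|203.0.113.25|3478|udp
2026-06-01T08:05:41Z|srv-db02|DbgView64.exe|cmd.exe|203.0.113.25|443|udp
2026-06-01T08:07:03Z|ws-022|chrome.exe|explorer.exe|198.51.100.7|443|tcp
2026-06-01T08:09:30Z|srv-db02|DbgView64.exe|cmd.exe|203.0.113.25|3478|udp
"""


def parse_events(text):
    """Parse the pipe-delimited telemetry above into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, parent, ip, port, proto = line.split("|")
        events.append({"ts": ts, "host": host, "process": proc.lower(),
                       "parent": parent.lower(), "dst_ip": ip,
                       "dst_port": int(port), "proto": proto})
    return events


def flag_turn_anomalies(events, expected=EXPECTED_TURN_PROCESSES):
    """Return one finding per (host, process) that hits TURN ports but is not an
    expected Teams binary. Severity is raised to high when the same process
    also sends UDP/443 (QUIC) to the same relay, matching the described pattern."""
    turn_hits = defaultdict(list)
    quic_dests = set()
    for e in events:
        if e["process"] in expected:
            continue
        key = (e["host"], e["process"])
        if e["dst_port"] in TURN_PORTS:
            turn_hits[key].append(e)
        if e["proto"] == "udp" and e["dst_port"] == 443:
            quic_dests.add(key + (e["dst_ip"],))
    findings = []
    for (host, proc), hits in sorted(turn_hits.items()):
        dsts = sorted({e["dst_ip"] for e in hits})
        escalated = any((host, proc, d) in quic_dests for d in dsts)
        findings.append({"host": host, "process": proc,
                         "turn_connections": len(hits), "destinations": dsts,
                         "severity": "high" if escalated else "medium"})
    return findings
```

Run over real EDR or firewall exports, the same allowlist-plus-correlation logic is what turns "outbound to Microsoft" from invisible into a triageable alert tied to a specific process.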
