Executive Summary
A newly observed campaign by the DragonForce threat group marks a significant escalation in adversarial tradecraft: its custom backdoor, Backdoor.Turn, routes command-and-control (C2) traffic through Microsoft Teams TURN relay infrastructure. This is the first documented in-the-wild use of Microsoft Teams relay servers for C2. Because the infected host only ever connects to Microsoft's relay addresses, the malicious traffic blends with legitimate enterprise collaboration flows and evades network detection that relies on destination reputation. The operation, documented by Symantec's Threat Hunter Team (Broadcom), pairs this novel C2 channel with advanced defense evasion, including Bring Your Own Vulnerable Driver (BYOVD) attacks and DLL sideloading. The attackers maintained persistent, undetected access for roughly two months within a major U.S. services firm, underscoring the need for monitoring of collaboration platform traffic and robust endpoint controls.
Threat Actor Profile
DragonForce is a financially motivated threat group with a history of ransomware-as-a-service (RaaS) operations, recently evolving into a cartel-like structure with advanced capabilities. The group, also tracked as “Hackledorb” by Symantec, has demonstrated proficiency in exploiting both public-facing applications and supply chain weaknesses. Since 2023, DragonForce has shifted from opportunistic ransomware deployment to highly targeted, multi-stage intrusions, often leveraging novel TTPs to bypass detection. Their operations are characterized by rapid adoption of zero-day vulnerabilities, custom malware development, and the use of legitimate cloud and collaboration services for stealthy C2. The group’s latest campaign marks a significant innovation in the abuse of enterprise SaaS infrastructure, specifically Microsoft Teams, to obfuscate malicious activity.
Technical Analysis of Malware/TTPs
The attack chain begins with initial access, likely via exploitation of an exposed Microsoft SQL Server or via credentials purchased from an access broker. The attackers then stage a ZIP archive containing a legitimate executable (VirtualBox or DbgView) next to a malicious DLL named vboxrt.dll. Because the executable resolves that DLL from its own directory, launching it loads the attackers' copy (DLL sideloading) and executes the next-stage payload, which in turn retrieves additional components from attacker-controlled infrastructure.
Persistence is established through system configuration changes: the LimitBlankPasswordUse value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is set to 0, which lifts the default restriction confining blank-password accounts to console logon and lets them authenticate over the network; new local user and group accounts are created; and Windows Firewall rules are modified. Lateral movement relies on harvested credentials and abuse of Active Directory.
For defense evasion, DragonForce uses BYOVD: legitimately signed but vulnerable drivers are loaded to obtain kernel-level code execution and terminate security processes. The campaign is the first in-the-wild abuse of Huawei's HWAuidoOs2Ec.sys driver, and it also uses drivers associated with Topaz Antifraud (wsftprm.sys, CVE-2023-52271), Tower of Fantasy (Gamedriverx64.sys, CVE-2025-61155) and K7 Security Anti-Malware (K7RKScan.sys, CVE-2025-1055). A custom "Abyss Worker" driver masquerades as a Palo Alto Networks driver to further obscure the activity. Because every one of these drivers carries a valid signature, a control that only rejects unsigned drivers does not stop them; blocking them requires Microsoft's vulnerable driver blocklist or per-hash blocking (see Mitigation and Countermeasures).
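A host-telemetry hunt for the three stages just described (the vboxrt.dll side-load, the vulnerable-driver loads, and the LimitBlankPasswordUse, account and firewall persistence changes), as an added example that is not code from Symantec, Broadcom or Rescana. It assumes Sysmon-style records (Event ID 7 image loaded, 6 driver loaded, 13 registry value set) and Security log events 4720 (account created) and 4946 (firewall rule added); the field names, the sample events and the user-writable path list are constructed for the example, and the ATT&CK tags are the conventional ones for each behaviour.

```python
"""Hunt a Sysmon/Security event stream for the DragonForce host tradecraft.
Added example; field names and sample events are constructed, not vendor telemetry."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Vulnerable drivers named in the report, keyed by lower-cased file name.
VULNERABLE_DRIVERS = {
    "hwauidoos2ec.sys": "Huawei driver (first in-the-wild abuse per the report)",
    "wsftprm.sys": "Topaz Antifraud, CVE-2023-52271",
    "gamedriverx64.sys": "Tower of Fantasy, CVE-2025-61155",
    "k7rkscan.sys": "K7 Security Anti-Malware, CVE-2025-1055",
}
# Kernel drivers have no business being loaded from these locations (constructed list).
USER_WRITABLE = re.compile(r"^c:\\(users|windows\\temp|programdata|temp)\\", re.I)
# The genuine VirtualBox runtime lives here; vboxrt.dll anywhere else is a side-load candidate.
VBOX_DIR = re.compile(r"^c:\\program files\\oracle\\virtualbox\\", re.I)
LSA_BLANK_PW = r"hklm\system\currentcontrolset\control\lsa\limitblankpassworduse"

@dataclass
class Finding:
    host: str
    technique: str
    detail: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _dword_is_zero(details: str) -> bool:
    """Sysmon renders DWORD values as 'DWORD (0x00000000)'; also accept a bare '0'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) == 0 if m else details.strip() == "0"

def hunt(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        host, eid = ev.get("host", "?"), ev.get("event_id")
        if eid == 7:  # Sysmon 7: DLL loaded into a process
            loaded = ev.get("image_loaded", "")
            if _basename(loaded) == "vboxrt.dll" and not VBOX_DIR.match(loaded):
                findings.append(Finding(host, "T1574 (DLL side-loading)",
                    f"{_basename(ev.get('image', ''))} loaded {loaded}"))
        elif eid == 6:  # Sysmon 6: kernel driver loaded
            path = ev.get("image_loaded", "")
            name = _basename(path)
            if name in VULNERABLE_DRIVERS:
                findings.append(Finding(host, "T1068/T1562.001 (BYOVD)",
                    f"{name}: {VULNERABLE_DRIVERS[name]}, loaded from {path}"))
            elif USER_WRITABLE.match(path):
                findings.append(Finding(host, "T1068/T1562.001 (BYOVD, unusual path)",
                    f"driver loaded from user-writable path {path}"))
        elif eid == 13:  # Sysmon 13: registry value set
            if (ev.get("target_object", "").lower() == LSA_BLANK_PW
                    and _dword_is_zero(str(ev.get("details", "")))):
                findings.append(Finding(host, "T1112 (modify registry)",
                    "LimitBlankPasswordUse set to 0: blank-password network logon allowed"))
        elif eid == 4720:  # Security 4720: user account created (tune to exclude provisioning)
            findings.append(Finding(host, "T1136.001 (local account created)",
                f"{ev.get('target_user')} created by {ev.get('subject_user')}"))
        elif eid == 4946:  # Security 4946: rule added to the Windows Firewall exception list
            findings.append(Finding(host, "T1562.004 (firewall rule added)",
                f"rule added: {ev.get('rule_name')}"))
    return findings

def hosts_by_finding_count(findings: list[Finding]) -> list[tuple[str, int]]:
    """Rank hosts by how many of the campaign's behaviours they exhibit."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample events: sql01 shows the full chain, ws-12 is benign, dc01 gets a new account.
SAMPLE_EVENTS = [
    {"host": "sql01", "event_id": 7, "image": "C:\\Users\\Public\\TechSup\\VirtualBox.exe",
     "image_loaded": "C:\\Users\\Public\\TechSup\\vboxrt.dll"},
    {"host": "ws-12", "event_id": 7, "image": "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe",
     "image_loaded": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxRT.dll"},
    {"host": "sql01", "event_id": 6, "image_loaded": "C:\\Windows\\Temp\\wsftprm.sys"},
    {"host": "sql01", "event_id": 6, "image_loaded": "C:\\Users\\Public\\TechSup\\drv.sys"},
    {"host": "ws-12", "event_id": 6, "image_loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"host": "sql01", "event_id": 13, "details": "DWORD (0x00000000)",
     "target_object": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse"},
    {"host": "dc01", "event_id": 4720, "target_user": "svc_backup2", "subject_user": "Administrator"},
    {"host": "sql01", "event_id": 4946, "rule_name": "Remote Admin"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.technique:40} {f.detail}")
    print(hosts_by_finding_count(hunt(SAMPLE_EVENTS)))
```

The value of correlating per host is that any single signal here (a new account, a firewall rule) is routine on its own; a host that shows a side-load, a vulnerable driver load and an LSA change together is the pattern this campaign leaves.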
The core innovation is the use of Microsoft Teams TURN relay servers for C2. Backdoor.Turn first obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services, which requires no account in the victim's tenant, and uses it to establish a connection through Teams' TURN relay infrastructure. Over that relayed path it sets up a QUIC session and tunnels encrypted C2 traffic to the attacker's backend. From the victim network's perspective the host is exchanging UDP with Microsoft relay addresses exactly as a Teams client would: the attacker's backend never appears as a destination, so destination-based blocklists, reputation feeds and most perimeter inspection see nothing unusual.
Backdoor.Turn provides a full suite of post-exploitation capabilities, including arbitrary command execution, process creation, network scanning (TLS certificate and web page title collection), LDAP/Active Directory reconnaissance, credential-based lateral movement, and browser credential theft. The campaign culminates in the deployment of the DragonForce ransomware payload, which exfiltrates and encrypts sensitive data.
Exploitation in the Wild
The intrusion began in December 2025 at a major U.S. services firm and persisted for roughly two months before discovery. Throughout that period the attackers kept their persistence and moved laterally while their C2 traffic blended with legitimate Microsoft Teams activity. The combination of several BYOVD drivers, a custom driver and DLL sideloading let them disable endpoint security controls and keep a low profile. Two firsts make the operation notable: the abuse of Microsoft Teams TURN relay infrastructure for C2, and the in-the-wild exploitation of the Huawei HWAuidoOs2Ec.sys driver. The campaign's sophistication and stealth illustrate the threat facing organizations that depend on cloud-based collaboration platforms.
Victimology and Targeting
The primary confirmed victim is a major U.S. services firm, with the attack window spanning December 2025 to February 2026. The targeting profile suggests a focus on high-value organizations within the services sector, but the techniques employed are broadly applicable to any enterprise leveraging Microsoft Teams and vulnerable to BYOVD or DLL sideloading. Given DragonForce’s cartel structure and history of opportunistic expansion, other sectors and geographies—particularly those with extensive cloud collaboration footprints—should consider themselves at risk. The campaign’s reliance on generic infrastructure and commodity vulnerabilities further increases the likelihood of wider adoption by other threat actors.
Mitigation and Countermeasures
Organizations should baseline which hosts legitimately reach Microsoft Teams relay infrastructure (the Teams media and relay address ranges Microsoft publishes in its Microsoft 365 endpoint list, UDP 3478 to 3481) and alert on relay sessions from hosts that should never run a Teams client, such as database and application servers, domain controllers and jump hosts, as well as on relay sessions that outlast any plausible meeting or carry far more data than a call. Blocking the relays outright is rarely an option where Teams is in use, so the signal is which host is talking, for how long and how much, rather than the destination. Security teams should also block and hunt for the infrastructure identified in the campaign, bearing in mind that the relay-tunnelled C2 path terminates at Microsoft addresses and is not covered by this list: projetosmecanicos.com[.]br, socialbizsolutions[.]com, professionalhomebasedbusiness[.]com, safefire[.]jo, glanz-gmbh[.]de, turnkeyaiagents[.]com, comunidadesparentais.com[.]br, mysimerp[.]net, 62.164.177[.]25, and the malicious ZIP download at http://192.36.27[.]51/TechSupV18Fix3.zip. On the endpoint, enable Microsoft's vulnerable driver blocklist (enforced through memory integrity/HVCI or a WDAC policy) and add the drivers listed above by hash; the abused drivers are validly signed, so a policy that only blocks unsigned drivers will not stop them. Configure EDR to alert on kernel drivers loaded from user-writable directories or registered as new services (System Event ID 7045), on vboxrt.dll loaded from anywhere other than the VirtualBox installation directory, and on VirtualBox or DbgView binaries executing from user-writable paths. Enforce least privilege so that ordinary users cannot install drivers at all. Audit local account and group changes (Security Event IDs 4720, 4728, 4732), Windows Firewall rule additions (4946) and writes to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse, and reduce the initial-access surface by keeping SQL Server off the internet and enforcing strong, unique credentials on it. Finally, security awareness training should continue to cover phishing and credential theft, which remain common initial access vectors.
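The relay-traffic monitoring recommended above, applied to the C2 chain described under Technical Analysis, as an added example that is not code from Symantec, Broadcom or Rescana: it scores outbound flow records for Teams-relay sessions that do not look like a person's meeting. Assumptions: the relay prefixes and ports are Microsoft's published Teams media/relay ranges as of this writing (52.112.0.0/14, 52.122.0.0/15, UDP 3478 to 3481) and must be re-checked against the current Microsoft 365 endpoint list; SERVER_HOSTS and HOSTS_WITH_TEAMS stand in for CMDB and EDR inventories; the thresholds and flow records are constructed. A flow export cannot see the QUIC session inside the TURN channel, so the logic keys on who is talking to the relay, for how long and how much.

```python
"""Score outbound flows for Teams-relay (TURN) sessions that look like relay-tunnelled C2.
Added example; relay ranges, inventories, thresholds and flow records are assumptions."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Microsoft-published Teams media/relay ranges (assumption: verify against the
# current Microsoft 365 endpoint list before deploying).
TEAMS_RELAY_NETS = [ipaddress.ip_network("52.112.0.0/14"),
                    ipaddress.ip_network("52.122.0.0/15")]
TEAMS_RELAY_PORTS = range(3478, 3482)      # STUN/TURN 3478-3481
LONG_SESSION_SECONDS = 4 * 3600            # constructed threshold: longer than any meeting
HIGH_VOLUME_BYTES = 500 * 1024 * 1024      # constructed threshold

# Placeholder inventories (constructed): server-class hosts, and hosts on which EDR
# has ever observed a Teams client process.
SERVER_HOSTS = {"sql01", "dc01"}
HOSTS_WITH_TEAMS = {"ws-12", "ws-33"}

@dataclass
class Flow:
    src_host: str
    dst_ip: str
    dst_port: int
    proto: str
    duration_s: int
    bytes_total: int

@dataclass
class Alert:
    src_host: str
    score: int
    reasons: list[str] = field(default_factory=list)

def is_teams_relay(dst_ip: str, dst_port: int, proto: str) -> bool:
    """True if the destination is a Teams relay on a TURN port over UDP."""
    ip = ipaddress.ip_address(dst_ip)
    return (proto.upper() == "UDP" and dst_port in TEAMS_RELAY_PORTS
            and any(ip in net for net in TEAMS_RELAY_NETS))

def score_flows(flows, server_hosts, hosts_with_teams) -> list[Alert]:
    """One alert per relay flow that trips at least one heuristic, highest score first."""
    alerts: list[Alert] = []
    for f in flows:
        if not is_teams_relay(f.dst_ip, f.dst_port, f.proto):
            continue  # not relay traffic; the attacker backend itself is never seen here
        reasons = []
        if f.src_host in server_hosts:
            reasons.append("server-class host talking to a Teams relay")
        if f.src_host not in hosts_with_teams:
            reasons.append("no Teams client ever observed on this host")
        if f.duration_s >= LONG_SESSION_SECONDS:
            reasons.append(f"relay session open for {f.duration_s // 3600}h")
        if f.bytes_total >= HIGH_VOLUME_BYTES:
            reasons.append(f"{f.bytes_total // (1024 * 1024)} MiB through the relay")
        if reasons:
            alerts.append(Alert(f.src_host, len(reasons), reasons))
    return sorted(alerts, key=lambda a: a.score, reverse=True)

# Constructed flow records: a backdoor-like session, a normal meeting, a workstation
# with no Teams history, and ordinary HTTPS that is not relay traffic at all.
SAMPLE_FLOWS = [
    Flow("sql01", "52.114.10.20", 3478, "udp", 36 * 3600, 2 * 1024 ** 3),
    Flow("ws-12", "52.115.200.1", 3480, "udp", 45 * 60, 120 * 1024 ** 2),
    Flow("ws-07", "52.123.4.5", 3479, "udp", 50 * 60, 90 * 1024 ** 2),
    Flow("sql01", "13.107.42.12", 443, "tcp", 30, 4096),
]

if __name__ == "__main__":
    for a in score_flows(SAMPLE_FLOWS, SERVER_HOSTS, HOSTS_WITH_TEAMS):
        print(a.src_host, a.score, "; ".join(a.reasons))
```

The single-reason alert for ws-07 is the kind of low-score hit to review in bulk; the four-reason hit on a SQL server with a day-and-a-half relay session and gigabytes of transfer is the one that matches this campaign and deserves an immediate host investigation.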
References
Security.com Threat Intelligence: DragonForce Attackers Weaponize Microsoft Teams Relays – https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
Broadcom Protection Bulletin – https://www.broadcom.com/support/security-center/protection-bulletin/hidden-in-teams-dragonforce-attackers-weaponize-microsoft-teams-relays-to-stay-hidden
Symantec Threat Hunter Team – https://www.broadcom.com/company/newsroom/press-releases?filtr=security
Reddit: DragonForce ransomware exploits Microsoft Teams – https://www.reddit.com/r/pwnhub/comments/1u8brtf/dragonforce_ransomware_exploits_microsoft_teams/
MITRE ATT&CK Framework – https://attack.mitre.org/
Huntress Research on Huawei Driver – https://www.huntress.com/blog/huawei-driver-vulnerability
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their digital supply chain. Our platform leverages continuous monitoring, threat intelligence, and automated workflows to provide actionable insights and enhance organizational resilience. For questions or further information, we are happy to assist at ops@rescana.com.