
DragonForce Uses Microsoft Teams to Obfuscate Ransomware C2 Traffic


Bottom Line: The ransomware group DragonForce disguises its command-and-control traffic as Microsoft Teams TURN relay traffic and loads several vulnerable or malicious kernel drivers (BYOVD) to disable security software.

The ransomware group DragonForce has employed a new tactic in an attack on a US service company: it routes its command-and-control traffic through the TURN relays used by Microsoft Teams. This makes the traffic look like legitimate Teams communication and evades network monitoring.

Security researchers at Symantec have documented Backdoor.Turn, a remote access trojan written in Go that abuses the TURN relays (Traversal Using Relays around NAT) behind Microsoft Teams. In Teams, TURN relays carry call media when a direct connection to clients behind NAT or firewalls is not possible. On connection the malware requests an anonymous visitor token for Microsoft Teams and then reaches the attackers' command-and-control server through a legitimate Microsoft relay, so that for network defenders the traffic is indistinguishable from regular Teams communication.

Backdoor.Turn is the first malware observed in the wild to use this technique, although the security firm Praetorian had already demonstrated it as a proof of concept under the name "Ghost Calls" in 2025. The documented attack reportedly began with the exploitation of an unidentified vulnerability in an SQL server, possibly Microsoft SQL Server. After gaining access, the group used DLL sideloading to load kernel drivers it had brought along (the bring-your-own-vulnerable-driver, BYOVD, tactic) and disable local security tools: drivers affected by CVE-2023-52271 (Topaz Antifraud), CVE-2025-61155 (Tower of Fantasy) and CVE-2025-1055 (K7 Security), a Huawei driver (HWAuidoOs2Ec.sys), and the malicious driver ABYSSWORKER.

The Backdoor.Turn trojan was injected into the DbgView64.exe process and offered a broad feature set: command execution, process creation, network scanning, TLS certificate theft, LDAP queries and browser credential theft. To maintain access, the actors also altered firewall rules and Windows security policies. After reconnaissance, data was exfiltrated and the DragonForce ransomware was deployed to encrypt systems.
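Because the relay endpoint and port look like Teams media on the wire, the practical check moves to the endpoint: which process opened the TURN session, and which kernel drivers were loaded beforehand. The following Python is an added example, not Symantec's tooling or code from the article; it runs that correlation over constructed Sysmon-style event lines. The Teams relay ranges, the expected Teams binary names and the key=value event layout are assumptions to adapt to your own environment.

```python
"""Endpoint-side correlation for TURN-relay C2 and BYOVD driver loads (added example).

On the network, Backdoor.Turn looks like a Teams call: a Microsoft relay address on a
TURN port. The distinguishing signal is on the host: a process that is not Teams
opened the relay session, shortly after drivers known from the incident were loaded.
"""
import ipaddress
import re
from pathlib import PureWindowsPath

# Assumption: Microsoft's published Teams media/transport ranges. Check them against
# the current Office 365 endpoint list before relying on them.
TEAMS_RELAY_NETS = [
    ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15", "13.107.64.0/18")
]
# TURN on 3478-3481; 443 is the TCP/TLS fallback and makes the rule noisier.
TURN_PORTS = {3478, 3479, 3480, 3481, 443}
# Assumption: process images that legitimately open Teams media sessions on your hosts.
EXPECTED_TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}
# Driver file name taken from the article. BYOVD drivers carry valid signatures, so a
# signature check alone does not help; match names (better: hashes from your blocklist).
KNOWN_ABUSED_DRIVERS = {"hwauidoos2ec.sys"}

# Parses "Key=value" pairs where values may contain spaces (Windows paths).
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample events in a Sysmon-like shape (EventID 3 = network connection,
# EventID 6 = driver loaded). Not real telemetry from the incident.
SAMPLE_EVENTS = [
    r"EventID=3 Image=C:\Program Files\Microsoft\Teams\ms-teams.exe DestinationIp=52.112.10.20 DestinationPort=3478 Protocol=udp",
    r"EventID=3 Image=C:\Tools\DbgView64.exe DestinationIp=52.113.200.7 DestinationPort=3478 Protocol=udp",
    r"EventID=3 Image=C:\Tools\DbgView64.exe DestinationIp=93.184.216.34 DestinationPort=443 Protocol=tcp",
    r"EventID=6 ImageLoaded=C:\Windows\Temp\HWAuidoOs2Ec.sys Signed=true Signature=Huawei Technologies Co., Ltd.",
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true Signature=Microsoft Windows",
]


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict."""
    return dict(KV_RE.findall(line.strip()))


def is_teams_relay(ip: str) -> bool:
    """True if the address falls inside the assumed Teams relay ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TEAMS_RELAY_NETS)


def analyze(lines) -> list:
    """Return findings: TURN sessions from non-Teams processes and known abused drivers."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "3":
            image = PureWindowsPath(ev.get("Image", "")).name.lower()
            port = int(ev.get("DestinationPort", "0"))
            if (port in TURN_PORTS and is_teams_relay(ev.get("DestinationIp", ""))
                    and image not in EXPECTED_TEAMS_IMAGES):
                findings.append(("turn_from_unexpected_process", image,
                                 ev["DestinationIp"], port))
        elif ev.get("EventID") == "6":
            driver = PureWindowsPath(ev.get("ImageLoaded", "")).name.lower()
            if driver in KNOWN_ABUSED_DRIVERS:
                findings.append(("suspicious_driver_load", driver, ev.get("Signature", "")))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The third sample line (DbgView64.exe to a non-Microsoft address on 443) is deliberately not flagged: the rule keys on the relay ranges, which is what separates relay abuse from ordinary HTTPS. A production version would also join the two finding types by host and time window, since in this incident the driver loads preceded the relay traffic.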

For CISOs this marks an escalation of the threat landscape: legitimate communication protocols and cloud services such as Teams are being abused as command channels, which renders traditional network signatures ineffective. At the same time, several vulnerabilities in widely deployed drivers are exploited to bypass security software. The combination of kernel-level tampering, vendor masquerading (ABYSSWORKER disguised as Palo Alto software) and relay abuse calls for countermeasures at the kernel, network and identity layers alike.


Source: www.it-daily.net · Published June 18, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.
