Cybercriminals are increasingly manipulating trusted cloud platforms to avoid detection, with a recent campaign revealing how Microsoft Teams infrastructure is being exploited to conceal malicious activities.
The Symantec Threat Hunter Team has identified a new Go-based remote access Trojan (RAT) known as Backdoor.TURN. This malware utilizes Microsoft Teams TURN relay servers to mask command-and-control (C2) communications as legitimate enterprise traffic.
DragonForce Ransomware Campaign
This malicious activity is linked to DragonForce, a ransomware group targeting a major U.S. services company. The attackers managed to remain undetected for up to two months, according to Symantec’s findings.
The malware obscures its traffic by routing through Microsoft’s servers, making it appear as regular connections to Teams services. This tactic complicates detection efforts for security teams.
Technical Details of the Intrusion
Backdoor.TURN initiates its operations by obtaining an anonymous visitor token from Microsoft’s identity services. This token is used to authenticate with Teams infrastructure, establishing a relay session through TURN servers.
Once connected, a QUIC session is started with the actual C2 server. This method ensures that only benign traffic to Microsoft domains is visible, effectively hiding the malicious activity.
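The relay technique described above leaves the endpoint seeing only UDP traffic to Microsoft relay hosts, so the useful defensive signal is which process opened the relay session rather than where the traffic goes. The script below is an added example written for this article, not code from Symantec or from the malware: it runs a simple allowlist check over constructed endpoint network telemetry and flags TURN-port sessions to Teams relay hosts that were opened by anything other than an expected Teams client. The relay hostname pattern, the process allowlist and every telemetry line are placeholders (only the DbgView64.exe process name comes from the article); the TURN port numbers are the standard TURN port from RFC 8656 plus the neighbouring UDP ports Teams media uses.

```python
"""Flag TURN relay sessions opened by processes that are not Teams clients.

Added example; the relay host pattern, allowlist and telemetry lines are
constructed placeholders, not indicators published by Symantec.
"""
import json
import re
from collections import Counter
from typing import Dict, Iterable, List

# Standard TURN port (RFC 8656) plus the neighbouring UDP ports Teams media uses.
TURN_PORTS = {3478, 3479, 3480, 3481}

# Placeholder pattern: replace with the Teams relay endpoints observed in your
# own environment (constructed for this example).
TEAMS_RELAY_HOST = re.compile(r"\.teams-relay\.example$", re.IGNORECASE)

# Placeholder allowlist of binaries that legitimately open Teams relay sessions.
ALLOWED_PROCESSES = {"ms-teams.exe", "teams.exe"}

# Constructed endpoint network telemetry, one JSON object per line. The
# DbgView64.exe process name comes from the article; everything else is made up.
SAMPLE_TELEMETRY = """\
{"ts": "2025-12-03T09:14:02Z", "host": "ws-17", "process": "ms-teams.exe", "pid": 4120, "proto": "udp", "dst": "r1.teams-relay.example", "dport": 3478}
{"ts": "2025-12-03T09:14:09Z", "host": "ws-17", "process": "DbgView64.exe", "pid": 5572, "proto": "udp", "dst": "r1.teams-relay.example", "dport": 3478}
{"ts": "2025-12-03T09:14:11Z", "host": "ws-17", "process": "DbgView64.exe", "pid": 5572, "proto": "udp", "dst": "r1.teams-relay.example", "dport": 3478}
{"ts": "2025-12-03T09:15:40Z", "host": "srv-db2", "process": "sqlservr.exe", "pid": 2210, "proto": "tcp", "dst": "10.0.4.15", "dport": 1433}
{"ts": "2025-12-03T09:16:02Z", "host": "ws-17", "process": "msedge.exe", "pid": 3001, "proto": "udp", "dst": "cdn.example", "dport": 443}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON telemetry into event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_relay_session(ev: Dict) -> bool:
    """True if the event is UDP traffic to a Teams relay host on a TURN port."""
    return (
        ev["proto"] == "udp"
        and ev["dport"] in TURN_PORTS
        and TEAMS_RELAY_HOST.search(ev["dst"]) is not None
    )


def find_anomalous_relay_sessions(
    events: Iterable[Dict], allowed: Iterable[str] = ALLOWED_PROCESSES
) -> List[Dict]:
    """Return relay sessions whose source process is not an allowed Teams client."""
    allowed_lc = {p.lower() for p in allowed}
    return [
        ev for ev in events
        if is_relay_session(ev) and ev["process"].lower() not in allowed_lc
    ]


def summarise(flagged: Iterable[Dict]) -> Counter:
    """Count flagged sessions per (host, process, pid) so each offending process stands out."""
    return Counter((ev["host"], ev["process"], ev["pid"]) for ev in flagged)


if __name__ == "__main__":
    hits = find_anomalous_relay_sessions(parse_events(SAMPLE_TELEMETRY))
    for (host, proc, pid), n in summarise(hits).items():
        print(f"{host}: {proc} (pid {pid}) opened {n} relay session(s) on a TURN port")
```

On the constructed sample this flags only the two DbgView64.exe sessions; the genuine Teams client, the database server and the browser are untouched. The check is deliberately process-centric because the relay destination itself is legitimate and cannot be blocked without breaking Teams; in production the allowlist and host pattern should be built from a baseline of your own telemetry rather than the placeholders above.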
The initial attack vector is unclear, but Symantec suggests potential exploitation of SQL or MSSQL vulnerabilities or access through an initial access broker. The intrusion reportedly commenced in December 2025.
Advanced Evasion Techniques
The attackers used a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools at the kernel level: a Huawei driver, along with other drivers tied to known CVEs, was abused as a "Havoc Process Terminator."
A custom driver, Abyss Worker, disguised as a legitimate Palo Alto driver, was also used to terminate security processes. The Backdoor.TURN payload was injected into the DbgView64.exe process after the ransomware had run.
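Both driver abuses above share the same defensive handles: a vulnerable driver is identifiable by its hash, a dropped driver tends to load from somewhere other than the standard driver directories, and a driver masquerading as another vendor's product carries version information that does not match its code-signing certificate. The script below is an added example written for this article, not Symantec's tooling; it reviews constructed driver-load events against those three checks. The blocklist hashes, vendor-to-signer map, file paths and events are all placeholders, and in real use the hash list would be populated from a maintained source such as Microsoft's vulnerable driver blocklist or loldrivers.io.

```python
"""Review kernel driver load events for BYOVD indicators.

Added example; the hashes, signer names, paths and events are constructed
placeholders, not indicators from the Symantec report.
"""
import hashlib
from typing import Dict, List

# Findings emitted per driver load event.
KNOWN_VULNERABLE = "hash matches known-vulnerable driver list"
UNEXPECTED_DIR = "loaded from outside the standard driver directories"
SIGNER_MISMATCH = "version-info vendor does not match code-signing certificate"

# Placeholder blocklist keyed by SHA-256; populate from a maintained source
# (Microsoft's vulnerable driver blocklist, loldrivers.io) in real use.
VULNERABLE_DRIVER_HASHES = {
    hashlib.sha256(b"constructed vulnerable driver").hexdigest(): "placeholder vulnerable driver",
}

# Directories from which installed drivers are normally loaded.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed map from the vendor named in the file's version resource to the
# code-signing subjects that vendor is expected to use.
EXPECTED_SIGNERS = {
    "microsoft corporation": {"microsoft windows", "microsoft corporation"},
    "palo alto networks": {"palo alto networks, inc."},
}

# Constructed driver-load telemetry: one benign load, one known-vulnerable
# driver dropped into a temp directory, and one driver whose version resource
# claims a vendor its signing certificate does not belong to.
SAMPLE_DRIVER_LOADS: List[Dict] = [
    {"path": "C:\\Windows\\System32\\drivers\\example_nic.sys",
     "sha256": hashlib.sha256(b"benign").hexdigest(),
     "company": "Microsoft Corporation", "signer": "Microsoft Windows"},
    {"path": "C:\\Windows\\Temp\\hwdrv.sys",
     "sha256": hashlib.sha256(b"constructed vulnerable driver").hexdigest(),
     "company": "Placeholder Vendor", "signer": "Placeholder Vendor"},
    {"path": "C:\\ProgramData\\panfilter.sys",
     "sha256": hashlib.sha256(b"masquerading placeholder").hexdigest(),
     "company": "Palo Alto Networks", "signer": "Unrelated Software Ltd"},
]


def review_driver_load(ev: Dict) -> List[str]:
    """Return the list of BYOVD indicators that apply to one driver load event."""
    reasons: List[str] = []
    if ev["sha256"].lower() in VULNERABLE_DRIVER_HASHES:
        reasons.append(KNOWN_VULNERABLE)
    if not ev["path"].lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(UNEXPECTED_DIR)
    expected = EXPECTED_SIGNERS.get(ev["company"].strip().lower())
    # Only judge the signer when we know what this vendor's certificates look like.
    if expected is not None and ev["signer"].strip().lower() not in expected:
        reasons.append(SIGNER_MISMATCH)
    return reasons


def review_driver_loads(events: List[Dict]) -> Dict[str, List[str]]:
    """Map each suspicious driver path to its indicators; clean loads are omitted."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        reasons = review_driver_load(ev)
        if reasons:
            findings[ev["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in review_driver_loads(SAMPLE_DRIVER_LOADS).items():
        print(f"{path}: {'; '.join(reasons)}")
```

The hash check catches the known-vulnerable driver regardless of where it sits, while the directory and signer checks are what surface a previously unseen custom driver like the one the article describes. None of the three is conclusive on its own, so the function reports every applicable reason rather than a single verdict, leaving the analyst to weigh them.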
Symantec’s analysis indicates that the malware could serve for persistence or enable future access, possibly for resale to other threat actors.
Symantec emphasizes that this is the first recorded instance of Microsoft Teams TURN relay infrastructure being used in this manner, marking a notable evolution in attacker tradecraft.
Implications for Enterprise Security
DragonForce, tracked by Symantec as Hackledorb, has become a highly organized and advanced threat group. Its use of trusted cloud infrastructure, combined with novel exploitation techniques, signals a growing trend in cyberattacks.
Symantec warns that blending malicious traffic with legitimate services significantly reduces defenders’ visibility, stressing the need for enhanced behavioral detection and stricter control over vulnerable drivers and communication platforms.
