A recent DragonForce ransomware attack has revealed the use of Microsoft Teams relay servers for command-and-control operations, as reported by Symantec and Carbon Black's threat hunter team. The technique reflects the group's growing resourcefulness and organizational sophistication.
DragonForce’s Advanced Techniques
Established in 2023, the DragonForce group operates with a cartel-like structure and increasingly employs complex strategies. The newly detected malware, identified as Backdoor.Turn, is written in Go and disguises its communications as legitimate Microsoft Teams traffic: it obtains an anonymous Teams visitor token and uses Microsoft's TURN relay to establish a connection with the attacker's actual command server.
This is the first known use of TURN relay infrastructure by malware, and an unprecedented move in ransomware attacks. Bespoke tools of this kind are rarely seen from ransomware groups, which underscores DragonForce's capabilities.
Impact on Targeted Firms
In one incident, DragonForce targeted a U.S. services company, likely compromised through a vulnerability in an SQL or MSSQL server. The attackers are believed to have purchased access from an access broker, gaining network entry in December 2025. Using DLL sideloading, they executed additional malware retrieved from remote servers in order to maintain persistence and evade security controls.
The intrusion also included reconnaissance and the exploitation of known driver vulnerabilities to gain kernel-level access, which allowed the attackers to terminate security processes and then deploy the ransomware for data encryption and exfiltration.
Maintaining Control and Persistence
Backdoor.Turn plays a crucial role after the ransomware is deployed, enabling command execution, process creation, network scanning, and credential exfiltration from compromised systems. It also supports lateral movement with stolen credentials, and detection is complicated because security software sees only traffic to legitimate Teams servers.
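As an added illustration of the detection gap just described (example code, not part of the Symantec/Carbon Black report), the following script flags TURN-relay sessions by the originating process and host role rather than by destination, since the relay endpoint looks the same for benign and malicious sessions. The Sysmon-style event format, Teams process names, server naming prefixes and relay domain are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List

TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}      # assumed Teams client binaries
TURN_PORTS = {3478, 3479, 3480, 3481}                # 3478 is the standard TURN/STUN port; 3478-3481 commonly used by Teams media
RELAY_HOST_SUFFIX = ".relay.example-placeholder.net"  # placeholder for the relay domain seen in your environment
SERVER_HOST_PREFIXES = ("SQL-", "DC-", "FS-")         # assumed naming scheme for hosts that should never run Teams

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key=value' network event (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def is_turn_destination(ev: Dict[str, str]) -> bool:
    """True if the destination is a TURN port or the (placeholder) relay domain."""
    port = int(ev.get("dport", "0"))
    return port in TURN_PORTS or ev.get("dhost", "").lower().endswith(RELAY_HOST_SUFFIX)


def flag_turn_anomalies(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per relay session that a legitimate Teams client would not open."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_turn_destination(ev):
            continue
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        host = ev.get("host", "")
        reason = None
        if image not in TEAMS_PROCESSES:
            reason = "relay connection from non-Teams process"
        elif host.upper().startswith(SERVER_HOST_PREFIXES):
            reason = "Teams-named process opening relay session on a server"
        if reason:
            findings.append({"host": host, "image": image, "dhost": ev.get("dhost", ""),
                             "dport": ev.get("dport", ""), "reason": reason})
    return findings


# Constructed sample events: a benign workstation call, a backdoor-like session from a
# SQL server, and an unrelated HTTPS connection that must not be flagged.
SAMPLE_EVENTS = [
    "host=WKS-01 image=C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe "
    "dhost=relay1.relay.example-placeholder.net dport=3478 proto=udp",
    "host=SQL-01 image=C:\\Windows\\Temp\\svc_update.exe "
    "dhost=relay1.relay.example-placeholder.net dport=3478 proto=tcp",
    "host=SQL-01 image=C:\\Windows\\System32\\svchost.exe dhost=10.0.0.5 dport=443 proto=tcp",
]
```

Running `flag_turn_anomalies(SAMPLE_EVENTS)` yields a single finding for the `svc_update.exe` session from `SQL-01`; feeding real Sysmon Event ID 3 data requires only adapting `parse_event` and the assumed constants.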
The tactics employed by DragonForce underscore the challenge cybersecurity defenses face in detecting and neutralizing such advanced threats.
As cyber threats continue to evolve, understanding these methods is essential for developing effective countermeasures and safeguarding critical infrastructure.
