Cybersecurity researchers have uncovered a new strategy employed by the DragonForce ransomware group, involving a Go-based remote access trojan (RAT) called Backdoor.Turn. This malware cleverly disguises its command-and-control (C2) operations within Microsoft Teams’ relay infrastructure, making detection by network defenders challenging.
Infiltration and Deployment
Reports from Symantec and Carbon Black indicate that Backdoor.Turn has been used against a significant U.S. service provider, the identity of which remains undisclosed. The trojan works by acquiring an anonymous Teams visitor token through Microsoft’s Skype-backed services, leveraging a legitimate Microsoft TURN relay to initiate a connection. A QUIC session then links to the attacker’s actual C2 server, effectively masking the malicious activity as normal Teams traffic.
This marks the first recorded instance of Microsoft’s Traversal Using Relays around NAT (TURN) infrastructure being exploited in this manner. Investigators suspect initial access was gained through a vulnerability in SQL or MS-SQL servers, although details are unclear. An alternative theory is that access was bought from an initial access broker (IAB).
Technical Tactics and Techniques
The intrusion began in December 2025, with attackers executing a PowerShell script to deploy a ZIP archive masquerading as a technical support fix. This archive facilitated a DLL side-loading attack, running a harmful DLL to perform reconnaissance, establish persistence, and disable security systems using a Huawei driver known as “HWAuidoOs2Ec.sys.” This operation utilized a method called bring your own vulnerable driver (BYOVD), a technique also seen in a large-scale malvertising campaign aimed at U.S. individuals seeking tax documents.
A key aspect of the attack involves injecting Backdoor.Turn into the legitimate DbgView64.exe process after the ransomware had already been deployed, suggesting a strategy to maintain future access or to profit by reselling it. This stealthy communication technique, highlighted by Praetorian in 2024 as Ghost Calls, allows the backdoor to execute commands, create processes, scan networks, and steal browser credentials, among other functionalities.
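Because the relay endpoint is Microsoft's own TURN infrastructure, destination-based blocking gives defenders little to work with; the usable signal is which process is speaking TURN (UDP/3478) or QUIC (UDP/443). The following added detection sketch, written for this article and not taken from Symantec, Carbon Black or Praetorian, runs that check over constructed Sysmon-style network events; the Teams binary names in the allowlist and the sample paths and IPs are assumptions, not indicators from the report.

```python
"""Flag non-Teams processes that open TURN (UDP/3478) or QUIC (UDP/443)
connections, the traffic shape described for Backdoor.Turn.

Constructed example. Input is a list of Sysmon-style network events
(Event ID 3 fields); TEAMS_PROCESSES is an assumed allowlist that you
would tune to the Teams builds present in your environment."""
from dataclasses import dataclass

# Assumption: binaries that legitimately speak TURN/QUIC to Microsoft relays.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
# Standard TURN/STUN port and the UDP port QUIC (HTTP/3) uses.
RELAY_PORTS = {3478, 443}


@dataclass(frozen=True)
class NetEvent:
    image: str        # full path of the process that opened the connection
    protocol: str     # "udp" or "tcp"
    dest_ip: str
    dest_port: int


def is_suspicious(ev: NetEvent) -> bool:
    """True when a process outside the allowlist opens a UDP connection on a
    TURN/QUIC port. Only UDP is considered: plain HTTPS on TCP/443 from any
    browser or updater would otherwise drown the result in noise."""
    proc = ev.image.rsplit("\\", 1)[-1].lower()
    return (ev.protocol.lower() == "udp"
            and ev.dest_port in RELAY_PORTS
            and proc not in TEAMS_PROCESSES)


def find_suspicious(events):
    """Return the subset of events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events; IPs are documentation ranges, not indicators.
SAMPLE = [
    NetEvent(r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe", "udp", "203.0.113.10", 3478),
    NetEvent(r"C:\Tools\DbgView64.exe", "udp", "203.0.113.10", 3478),
    NetEvent(r"C:\Tools\DbgView64.exe", "udp", "198.51.100.7", 443),
    NetEvent(r"C:\Windows\System32\svchost.exe", "tcp", "198.51.100.7", 443),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE):
        print(f"suspicious: {ev.image} -> {ev.dest_ip}:{ev.dest_port}/{ev.protocol}")
```

In the sample, only the two DbgView64.exe events are flagged: the Teams process using the same relay and the TCP/443 connection from svchost.exe are left alone.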
Implications and Future Outlook
These revelations highlight DragonForce’s sophisticated tactics, underlining their shift from a typical ransomware-as-a-service (RaaS) model to an organized cartel structure. Their continued evolution and adoption of advanced techniques have made them one of the most formidable ransomware groups currently active. The deployment of Backdoor.Turn and their multi-faceted BYOVD evasion underscore their capability and persistence in executing high-impact, targeted cyber-attacks.
As the cybersecurity landscape evolves, it is crucial for organizations to stay vigilant and update their defense mechanisms to counteract such advanced threats. Understanding the methodologies of groups like DragonForce can aid in developing more robust security strategies to prevent and mitigate potential breaches.
