Updated · Infosecurity Magazine · Jun 16
DragonForce Breached US Firm via SQL Flaw, Hid 2-Month C&C in Microsoft Teams

Summary

  • Symantec and Carbon Black said DragonForce infiltrated a major US services firm in 2025, then exfiltrated data and encrypted machines after remaining inside the network for up to two months.
  • Researchers believe the intrusion began with an exploited SQL or MSSQL server vulnerability, after which the attackers used a Go-based RAT dubbed Backdoor.Turn to route command-and-control traffic through legitimate Microsoft Teams TURN relay servers.
  • That setup made malicious traffic appear as normal outbound Teams connections while the group executed code, scanned the network, stole browser credentials and moved laterally using harvested credentials.
  • The attackers also used a Huawei driver vulnerability, changed security settings, created user accounts and modified firewall rules to preserve access and keep remote control channels open.
  • Researchers said the Teams-based C&C and multi-vector BYOVD evasion show DragonForce is among the most capable ransomware groups now operating; it is unclear whether the victim paid a ransom.

Insights

How did hackers weaponize Microsoft Teams to stay hidden inside a major US firm for two months before their attack?
Are ransomware cartels creating cyber super-predators by sharing advanced hacking tools and infrastructure?
As attackers hide inside trusted software, are even the most advanced corporate cyber defenses becoming obsolete?

Inside the 2025–2026 DragonForce Ransomware Attack: Stealth, Microsoft Teams TURN Relay Abuse, and the Urgent Need for Cloud Security Reform

Overview

Between late 2025 and early 2026, the DragonForce ransomware group carried out a highly sophisticated attack on a US firm, marked by stealth and innovation. The group altered system configurations, such as removing the 'Limit Blank Password' setting and creating new user accounts, to gain and maintain deep access. By modifying firewall rules and leveraging Microsoft Teams TURN relay infrastructure, DragonForce hid its command-and-control traffic within normal enterprise communications, making detection extremely difficult. This attack highlights the urgent need for organizations to rethink cloud security, as traditional defenses struggle to spot threats hidden in trusted collaboration tools.
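One way a defender could surface the pattern described above in endpoint telemetry, as an added example that is not part of the article or of the Symantec/Carbon Black research: the event schema, host names, account names, rule names and file paths are constructed, while the LimitBlankPasswordUse registry value, Windows security event IDs 4720 (account created) and 4946 (firewall rule added), and the Teams media relay ports 3478-3481 are standard Windows and Teams facts.

```python
# Added illustration: a small triage rule set over constructed, normalized endpoint telemetry.
from collections import defaultdict

TEAMS_IMAGES = {"teams.exe", "ms-teams.exe"}  # processes expected to reach Teams TURN relays
TURN_PORTS = range(3478, 3482)                  # 3478-3481, the Teams media relay ports
LSA_BLANK_PW = r"\control\lsa\limitblankpassworduse"  # registry value behind 'Limit Blank Password'

# Constructed sample telemetry for two hosts; only HOST-A shows the article's pattern.
EVENTS = [
    {"host": "HOST-A", "type": "registry_set", "path": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse", "value": "0"},
    {"host": "HOST-A", "type": "win_event", "event_id": 4720, "account": "svc_backup2"},
    {"host": "HOST-A", "type": "win_event", "event_id": 4946, "rule": "Allow RDP inbound"},
    {"host": "HOST-A", "type": "net_conn", "image": r"C:\ProgramData\updater.exe", "dst_port": 3478},
    {"host": "HOST-B", "type": "net_conn", "image": r"C:\Program Files\Teams\ms-teams.exe", "dst_port": 3480},
    {"host": "HOST-B", "type": "win_event", "event_id": 4720, "account": "newhire01"},
]

def classify(ev):
    """Map one event to a finding label, or None if it matches nothing of interest."""
    t = ev["type"]
    if t == "registry_set" and ev["path"].lower().endswith(LSA_BLANK_PW) and ev["value"] == "0":
        return "blank_password_limit_disabled"
    if t == "win_event" and ev["event_id"] == 4720:
        return "local_account_created"
    if t == "win_event" and ev["event_id"] == 4946:
        return "firewall_rule_added"
    if t == "net_conn" and ev["dst_port"] in TURN_PORTS:
        image = ev["image"].rsplit("\\", 1)[-1].lower()  # bare file name, case-insensitive
        if image not in TEAMS_IMAGES:
            return "turn_traffic_from_non_teams_process"
    return None

def triage(events):
    """Group findings per host; 'high' when TURN use by a non-Teams process coincides
    with any persistence or hardening change on the same host, otherwise 'review'."""
    per_host = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].add(label)
    result = {}
    for host, labels in per_host.items():
        covert_c2 = "turn_traffic_from_non_teams_process" in labels
        result[host] = {"severity": "high" if covert_c2 and len(labels) > 1 else "review",
                        "findings": sorted(labels)}
    return result

if __name__ == "__main__":
    print(triage(EVENTS))
```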

...