DragonForce Hijacks Microsoft Teams Relays for 2-Month Stealthy Ransomware C2

2 articles · Updated · Symantec Enterprise Blogs · Jun 16

Summary

  • Symantec said DragonForce hid command-and-control traffic inside Microsoft Teams infrastructure during an attack on a major U.S. services firm, so that defenders saw only outbound connections to legitimate Microsoft servers.
  • Backdoor.Turn, a custom Go backdoor, obtains an anonymous Teams visitor token, uses a Microsoft TURN relay for connection setup, then opens a QUIC session to the real C2 server, in what Symantec says is the first known abuse of Teams relay infrastructure.
  • 1-2 months on the network gave the attackers time to sideload malicious DLLs through VirtualBox and DbgView, alter firewall and account settings, and later deploy DragonForce ransomware to exfiltrate data and encrypt machines.
  • Several defense-evasion layers accompanied the intrusion, including BYOVD attacks against signed drivers and a novel use of Huawei's HWAuidoOs2Ec.sys to kill security processes with kernel-level access.
  • DragonForce, active since at least June 2023, has evolved from a RaaS operation into a more organized cartel, with Symantec describing Backdoor.Turn and the driver abuse as hallmarks of its post-2025 sophistication.

Insights

DragonForce turned legitimate drivers into attack tools. How can businesses defend against their own trusted software?
With hackers hiding inside Microsoft Teams, is any corporate communication channel truly safe from becoming a weapon?
As ransomware gangs evolve into cartels, are traditional cybersecurity defenses becoming obsolete against their operations?

Inside the 2025 DragonForce Breach: 2 Months of Undetected Ransomware via Microsoft Teams TURN Relays

Overview

In late 2025, the ransomware group DragonForce launched an unprecedented attack on a major U.S. services firm, showcasing its evolution from a typical ransomware-as-a-service model to a highly organized cartel. Demonstrating advanced organizational maturity and resource allocation, DragonForce remained undetected in the victim's network for up to two months by hiding its command-and-control traffic within Microsoft Teams' TURN relay infrastructure. This marked the first known case of malware abusing trusted SaaS relays for covert communications, highlighting a major leap in adversary tactics and signaling a new era of sophisticated, hard-to-detect cyber threats.

...