A notorious ransomware group secretly infiltrated the network of a major US services firm for up to two months by hiding command-and-control traffic inside Microsoft Teams, before launching its attack, according to a joint investigation published by Symantec and Carbon Black. The report details how DragonForce ransomware operators deployed a Go-based remote access trojan that researchers named Backdoor.Turn to abuse Microsoft Teams’ TURN relay servers, masking malicious traffic so it appeared identical to legitimate Teams activity.
Backdoor.Turn obtained an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, then used a legitimate Microsoft TURN relay to establish a connection. The attackers ran a QUIC transport layer session linking the infected machine to a server they controlled, while security products monitoring the network saw only outbound connections to genuine Microsoft Teams infrastructure. Researchers said this configuration left defenders unaware that data was being siphoned away.
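The defensive lesson from the channel described above is that the destination alone is not a signal, because the relay is genuine Microsoft infrastructure; what distinguishes the backdoor is which process opens the session and how long it lives. The following is an added illustration, not code from the Symantec/Carbon Black report: it runs two heuristics over constructed endpoint telemetry, and the process allowlist, the placeholder relay suffix and the session-length threshold are all assumptions to be replaced with values from your own environment.

```python
from dataclasses import dataclass

# Assumed allowlist of binaries expected to talk to Teams relay infrastructure
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
# Placeholder suffix; replace with the relay endpoints seen in your own telemetry
RELAY_SUFFIXES = (".relay.teams.example-placeholder.com",)
# Heuristic: a real Teams media session rarely runs this long (assumed threshold)
MAX_SESSION_SECONDS = 6 * 3600


@dataclass
class Conn:
    host: str
    process: str
    dst_host: str
    dst_port: int
    proto: str
    duration_s: int
    bytes_out: int


def is_relay(dst_host: str) -> bool:
    """True when the destination matches a known relay suffix."""
    return dst_host.lower().endswith(RELAY_SUFFIXES)


def evaluate(conns):
    """Return (host, process, dst_host, reasons) for suspicious relay sessions."""
    findings = []
    for c in conns:
        if not is_relay(c.dst_host):
            continue  # ordinary traffic is out of scope for these rules
        reasons = []
        if c.process.lower() not in TEAMS_PROCESSES:
            reasons.append("relay reached by non-Teams process")
        if c.duration_s > MAX_SESSION_SECONDS:
            reasons.append("relay session longer than a plausible call")
        if reasons:
            findings.append((c.host, c.process, c.dst_host, reasons))
    return findings


# Constructed sample telemetry (not real data): a normal call, a relay session
# from a database server's svchost.exe lasting two days, an over-long Teams
# session, and unrelated web traffic.
SAMPLE = [
    Conn("ws-017", "ms-teams.exe", "a.relay.teams.example-placeholder.com", 3478, "udp", 1900, 40_000_000),
    Conn("srv-sql-02", "svchost.exe", "b.relay.teams.example-placeholder.com", 3478, "udp", 172_800, 900_000_000),
    Conn("ws-017", "ms-teams.exe", "a.relay.teams.example-placeholder.com", 3478, "udp", 30_000, 500_000),
    Conn("ws-044", "chrome.exe", "www.example.com", 443, "tcp", 60, 5_000),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(finding)
```

In practice the process name comes from EDR or Sysmon network events, since a firewall or proxy log alone cannot tell a backdoor from the Teams client.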
The attackers compounded the evasion by exploiting what was, at the time, an undocumented vulnerability in a Huawei driver, later detailed publicly by security firm Huntress in March 2026. To maintain long-term access, they altered system configurations, removed the Limit Blank Password security setting to simplify access to compromised machines, created new user accounts, and modified firewall rules to keep command-and-control communication flowing undisturbed.
Backdoor.Turn itself carried capabilities for code execution, network scanning, credential-based lateral movement across the network, and browser credential theft from compromised endpoints. Researchers believe the intrusion began when attackers exploited a vulnerability in an SQL or MSSQL server to gain initial access, before eventually deploying DragonForce ransomware to exfiltrate data and encrypt victim machines. It remains unclear whether the victim paid a ransom or whether the attackers agreed to delete the stolen data.
DragonForce has emerged as one of the most active ransomware groups currently operating, accounting for a significant share of recent ransomware incidents and claiming several major retailers among its victims.
Researchers described the group’s combination of Teams abuse and multi-vector evasion as marking it among the most capable and persistent ransomware operations active today, and will present these findings at the Area41 Cybersecurity Conference in Zurich, Switzerland, on June 18, 2026.
