TempMail Ninja

DragonForce Ransomware Exploits Microsoft Teams for Backdoor.Turn Malware

In the high-stakes arena of modern cybersecurity, threat hunters and network defenders rely heavily on a foundational assumption: legitimate enterprise infrastructure can be trusted. However, a groundbreaking discovery by threat intelligence researchers at Symantec and Carbon Black has shattered this security paradigm. The notorious DragonForce ransomware group, also tracked by analysts under the threat cluster name “Hackledorb,” has escalated its tactical sophistication by weaponizing Microsoft Teams’ legitimate relay servers. This complex mechanism allows the threat group to route malicious command-and-control (C2) traffic directly through trusted enterprise collaboration plumbing, leaving traditional security controls entirely blind. Under the cover of this camouflage, the attackers deployed a bespoke, Go-based remote access trojan (RAT) known as Backdoor.Turn, maintaining persistent, undetected access inside a major U.S. services firm for nearly two months before launching their final, destructive payload.

The Mechanics of Microsoft Teams Relay Abuse

To understand the depth of this campaign, one must examine the protocol at the heart of the exploit: Traversal Using Relays around NAT (TURN). Originally designed to facilitate seamless voice, video, and collaboration communications, the TURN protocol acts as a trusted intermediary, relaying real-time media flows when direct peer-to-peer (P2P) connections are blocked by strict firewalls, network address translation (NAT) devices, or secure web gateways. By leveraging these legitimate TURN relay servers, the DragonForce ransomware operators effectively turned Microsoft’s global infrastructure into an encrypted proxy network.

The technical connection flow engineered by the creators of Backdoor.Turn is extraordinarily precise, moving through the following phases:

  • Authentication and Token Acquisition: The malware first communicates with Microsoft’s Skype-backed identity services to request and obtain an anonymous Teams visitor token.
  • Relay Session Establishment: Utilizing this valid visitor token, the backdoor authenticates with Microsoft’s legitimate Teams TURN relay servers, establishing a trusted outbound socket.
  • QUIC Tunneling: Once the relay connection is established, the malware initiates a QUIC (Quick UDP Internet Connections) session. It runs this modern, high-speed, and encrypted transport layer protocol over the TURN relay, routing it directly to the threat actor’s actual C2 server.
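On the wire, the relay phase above is ordinary STUN/TURN: the client sends an Allocate request to the relay carrying a REQUESTED-TRANSPORT attribute (17 for UDP) and then tunnels its data through the allocation. A practical hunting starting point is therefore to parse that first message and correlate it with the originating process, since the Teams client is the only thing that should be allocating relays. The Python below is an added example written for this article, not code from Symantec, Carbon Black or the malware. The message layout follows RFC 5389 and RFC 5766; the relay port set and the Teams process allowlist are assumptions to adjust per environment, and the sample messages are constructed inline.

```python
"""Parse STUN/TURN messages and flag TURN Allocate requests that do not
originate from the Teams client. Added example; sample data is constructed."""
import struct

STUN_MAGIC_COOKIE = 0x2112A442
STUN_HEADER_LEN = 20

# Method and class numbers from RFC 5389 (STUN) and RFC 5766 (TURN)
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_NAMES = {0x0006: "USERNAME", 0x000D: "LIFETIME", 0x0014: "REALM",
              0x0015: "NONCE", 0x0019: "REQUESTED-TRANSPORT"}
ATTR_USERNAME = 0x0006
ATTR_REQUESTED_TRANSPORT = 0x0019
TURN_UDP = 17

# ASSUMPTIONS: relay ports and client binary names vary per environment
TURN_PORTS = {3478, 3479, 3480, 3481}
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}


def split_type(msg_type):
    """Recover (method, class) from the 14-bit STUN message type field."""
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    return method, cls


def parse_stun(payload):
    """Return a dict describing one STUN/TURN message, or None if payload is not STUN."""
    if len(payload) < STUN_HEADER_LEN:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # The top two bits of the type are always zero and the magic cookie is fixed
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None
    if len(payload) < STUN_HEADER_LEN + msg_len:
        return None
    method, cls = split_type(msg_type)
    attrs = {}
    pos, end = STUN_HEADER_LEN, STUN_HEADER_LEN + msg_len
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", payload[pos:pos + 4])
        attrs[ATTR_NAMES.get(atype, "0x%04X" % atype)] = payload[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)        # attribute values are padded to 4 bytes
    return {"method": METHODS.get(method, "0x%03X" % method), "class": CLASSES[cls],
            "transaction_id": payload[8:20].hex(), "attributes": attrs}


def build_allocate_request(transport=TURN_UDP, username=b""):
    """Construct the Allocate request any TURN client sends (sample input only)."""
    body = struct.pack("!HH", ATTR_REQUESTED_TRANSPORT, 4) + bytes([transport, 0, 0, 0])
    if username:
        body += struct.pack("!HH", ATTR_USERNAME, len(username)) + username
        body += b"\x00" * ((-len(username)) % 4)
    header = struct.pack("!HHI", 0x0003, len(body), STUN_MAGIC_COOKIE) + b"\x11" * 12
    return header + body


def assess_flow(process, dst_port, payload):
    """Hunting rule: a TURN Allocate request from a non-Teams process is suspicious."""
    msg = parse_stun(payload)
    if msg is None or dst_port not in TURN_PORTS:
        return {"stun": False, "suspicious": False, "reason": "not a TURN relay flow"}
    if not (msg["method"] == "Allocate" and msg["class"] == "request"):
        return {"stun": True, "suspicious": False, "reason": msg["method"] + " " + msg["class"]}
    if process.lower() in TEAMS_PROCESSES:
        return {"stun": True, "suspicious": False, "reason": "Allocate from Teams client"}
    return {"stun": True, "suspicious": True,
            "reason": "TURN Allocate from unexpected process %s" % process}


if __name__ == "__main__":
    # Constructed flows: the Teams client and the host process the article says was injected
    sample = build_allocate_request(username=b"visitor-token-placeholder")
    for proc in ("ms-teams.exe", "DbgView64.exe"):
        print(proc, assess_flow(proc, 3478, sample))
```

The rule deliberately keys on process identity rather than destination, because the destination is exactly what this technique makes look benign. Feeding it requires a source that joins UDP flows to their owning process (an EDR network telemetry feed or Sysmon event 3), and in practice a single Allocate from an unexpected binary is worth an alert on its own.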

The Blindspot: Why Traditional Network Filters Failed

For decades, enterprise security architectures have relied on IP reputation, domain categorization, and Secure Web Gateways (SWGs) to filter out suspicious outbound connections. The brilliance of Backdoor.Turn lies in its ability to bypass these filters entirely. Because the outgoing packets from the infected endpoint terminate at verified, highly trusted Microsoft Teams IP addresses and domains, the traffic appears identical to standard corporate collaboration activity.

There is no rogue IP for an intrusion detection system (IDS) to flag, nor is there an uncategorized domain to trigger a firewall block. The traffic is treated as standard office productivity data. This allowed the attackers to maintain a covert communication channel for up to two months without raising a single flag on the victim’s network monitoring dashboards.

The Multi-Stage Attack Chain: From SQL Vulnerability to Kernel Infiltration

The intrusion, which began around December 2025, represents a masterclass in modern, multi-layered cyber espionage and extortion. Security analysts suspect that the threat actors gained initial entry by exploiting an unpatched vulnerability in an SQL or MS-SQL database server. Alternatively, they may have acquired access from an Initial Access Broker (IAB) who specialized in maintaining silent beachheads within corporate networks. Once inside, the operators acted swiftly to secure their presence, dropping a PowerShell command that retrieved a malicious ZIP archive disguised as an urgent tech support hotfix (e.g., TechSupV18Fix3.zip).

Initial Foothold and DLL Sideloading

Rather than executing noisy payloads directly, the DragonForce operators opted for a stealthy dual-execution method utilizing DLL sideloading. Within the retrieved ZIP archive was a legitimate, digitally signed VirtualBox executable paired with a malicious DLL file. When the benign application was executed, it automatically loaded the rogue DLL from its local directory, executing the attacker’s primary code within the security context of a trusted, signed application. This effectively blinded endpoint detection and response (EDR) platforms that rely primarily on binary signature verification.
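The pattern described here has a recognisable shape in image-load telemetry: a signed host binary, sitting in a user-writable directory, loads a DLL from that same directory that is either unsigned or signed by someone other than the host's vendor. The following Python triage rule is an added example, not code from the researchers, and it works over Sysmon event 7 style records. The article does not name the VirtualBox executable or the DLL, so `VirtualBoxTool.exe` and `version.dll` are placeholders, the staging path is an assumption, and the "commonly hijacked" DLL names are an illustrative list rather than indicators from this intrusion.

```python
"""Triage image-load events for DLL sideloading: a signed host binary in a
user-writable directory loading a DLL from that same directory. Added example;
events are constructed to mirror the page's VirtualBox-plus-DLL pattern."""
import ntpath

# ASSUMPTION: anything outside these roots is treated as user-writable
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Names commonly abused for sideloading because many applications resolve them
# (illustrative list; the article does not name the DLL used in this intrusion)
COMMONLY_HIJACKED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
                     "profapi.dll", "userenv.dll", "dwmapi.dll"}


def user_writable(path):
    return not path.lower().startswith(TRUSTED_ROOTS)


def sideload_findings(events):
    """Return one finding per image-load event matching the sideloading pattern.

    Event keys (Sysmon event 7 style): image, image_signed, image_signer,
    loaded, loaded_signed, loaded_signer."""
    findings = []
    for ev in events:
        host_dir = ntpath.dirname(ev["image"]).lower()
        dll_dir = ntpath.dirname(ev["loaded"]).lower()
        if dll_dir != host_dir:
            continue            # resolved from System32 or elsewhere: normal
        if not ev["image_signed"]:
            continue            # unsigned host is a different, simpler detection
        if not user_writable(host_dir):
            continue            # vendor install directory
        if ev["loaded_signed"] and ev["loaded_signer"] == ev["image_signer"]:
            continue            # vendor shipping its own DLL beside its binary
        dll_name = ntpath.basename(ev["loaded"]).lower()
        severity = "high" if dll_name in COMMONLY_HIJACKED else "medium"
        kind = "unsigned" if not ev["loaded_signed"] else "foreign-signed"
        findings.append({"severity": severity, "host": ev["image"], "dll": ev["loaded"],
                         "host_signer": ev["image_signer"],
                         "reason": "signed host loaded %s DLL from its own user-writable directory" % kind})
    return findings


# Constructed sample events: the executable and DLL names are placeholders, not IoCs
STAGE_DIR = r"C:\Users\jdoe\AppData\Local\Temp\TechSupV18Fix3"
SAMPLE_EVENTS = [
    {"image": STAGE_DIR + r"\VirtualBoxTool.exe", "image_signed": True,
     "image_signer": "Oracle Corporation", "loaded": STAGE_DIR + r"\version.dll",
     "loaded_signed": False, "loaded_signer": None},
    {"image": STAGE_DIR + r"\VirtualBoxTool.exe", "image_signed": True,
     "image_signer": "Oracle Corporation", "loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": True, "loaded_signer": "Microsoft Windows"},
    {"image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe", "image_signed": True,
     "image_signer": "Oracle Corporation",
     "loaded": r"C:\Program Files\Oracle\VirtualBox\VBoxRT.dll",
     "loaded_signed": True, "loaded_signer": "Oracle Corporation"},
]

if __name__ == "__main__":
    for f in sideload_findings(SAMPLE_EVENTS):
        print(f["severity"], f["host"], "->", f["dll"], "|", f["reason"])
```

Only the first constructed event fires: the same signed binary loading kernel32.dll from System32 is normal resolution, and a vendor binary loading its own signed DLL from its install directory is how legitimate software behaves. The rule is intentionally blind to signature validity of the host, which is the whole point of sideloading: the trusted signer is real, so the question to ask is where the binary is running from and what it pulled in next to itself.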

Process Injection and Memory Evasion

To establish long-term persistence and protect their principal operational tools, the threat actors injected the Backdoor.Turn payload directly into the memory space of a legitimate Windows utility, specifically DbgView64.exe (Sysinternals DebugView). Running entirely in-memory allowed the Go-based RAT to evade file-based antivirus scanners. From this stealthy vantage point, Backdoor.Turn executed its primary instructions, which included:

  • Harvesting SSL/TLS certificates and mapping local network topologies.
  • Querying Active Directory via LDAP to map domains and identify high-value targets.
  • Scraping saved credentials directly from endpoints and web browsers to facilitate lateral movement.

The BYOVD Strategy: Weaponizing Kernel Drivers to Silence EDRs

Even with highly disguised C2 traffic, ransomware operators face a significant threat from modern EDR tools that monitor endpoint behavior. To counter this, the affiliates of the DragonForce cartel deployed an aggressive “Bring Your Own Vulnerable Driver” (BYOVD) strategy. This technique involves installing a legitimate, digitally signed driver that contains known security vulnerabilities. Because the driver is signed by a trusted developer, the operating system permits its installation and execution in kernel space (Ring 0), where it can be abused to terminate security processes that would normally be protected from user-mode termination.

Exploiting the Huawei HWAuidoOs2Ec.sys Driver

The crown jewel of their evasion toolkit was a novel exploit leveraging the “Havoc Process Terminator” to abuse a Huawei laptop audio driver, tracked as HWAuidoOs2Ec.sys (also referenced as HWAudioOs2Ec.sys). At the time of the initial breach in late 2025, this vulnerability was entirely undocumented in the wild. While researchers at Huntress eventually analyzed and published details of the driver’s exploitable state in March 2026, the DragonForce group was already actively weaponizing it months prior. By sending a specific Input/Output Control (IOCTL) code (0x2248DC) alongside a 4-byte Process Identifier (PID) to the driver device, the attackers could terminate any endpoint security agent directly from the Windows kernel.

To ensure a complete blind spot, the attackers also exploited three other documented, vulnerable drivers:

  1. CVE-2023-52271: A flaw in Topaz Antifraud’s wsftprm.sys driver.
  2. CVE-2025-61155: A vulnerability found in Tower of Fantasy’s Gamedriverx64.sys driver.
  3. CVE-2025-1055: A kernel exploit affecting K7 Security Anti-Malware’s K7RKScan.sys driver.
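The defensive counterpart to the driver abuse described in this section and the previous one is driver-load triage: every kernel driver load (Sysmon event 6, or the equivalent EDR telemetry) is checked against a blocklist, against the expected load path, and against whether the vendor the driver claims to be matches the certificate that actually signed it. The Python below is an added example, not code from the researchers. The driver file names and CVE labels are taken from the article; the hashes, paths, signer strings and descriptions are constructed placeholders, and the vendor-claim table is an assumption to extend for a real estate.

```python
"""Triage driver-load events (Sysmon event 6 style) for BYOVD and masquerading
drivers. Added example: driver file names and CVE labels come from the article;
hashes, paths, signers and descriptions are constructed placeholders."""
import ntpath

# Drivers named in the article, keyed by lowercase file name
KNOWN_VULNERABLE = {
    "hwaudioos2ec.sys": "Huawei audio driver (no public advisory at time of intrusion)",
    "hwauidoos2ec.sys": "Huawei audio driver (alternate spelling used in reporting)",
    "wsftprm.sys": "CVE-2023-52271 (Topaz Antifraud)",
    "gamedriverx64.sys": "CVE-2025-61155 (Tower of Fantasy)",
    "k7rkscan.sys": "CVE-2025-1055 (K7 Security)",
}
# ASSUMPTION: a hash blocklist the defender maintains (placeholder entry only)
BLOCKED_SHA256 = {"PLACEHOLDER_SHA256_OF_BLOCKED_DRIVER"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Vendor names a driver description may claim, mapped to the substring the
# Authenticode signer must then contain (ASSUMPTION: extend for your estate)
VENDOR_CLAIMS = {"palo alto": "palo alto", "microsoft": "microsoft", "huawei": "huawei"}


def driver_findings(events):
    """Return findings for loads that look like BYOVD or a masquerading driver.

    Event keys: image (path), sha256, signed, signer, description."""
    findings = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        reasons = []
        if name in KNOWN_VULNERABLE:
            reasons.append("known vulnerable driver: " + KNOWN_VULNERABLE[name])
        if ev["sha256"] in BLOCKED_SHA256:
            reasons.append("hash on driver blocklist")
        if not ev["image"].lower().startswith(DRIVER_DIR):
            reasons.append("loaded from outside " + DRIVER_DIR)
        if not ev["signed"]:
            reasons.append("unsigned kernel driver")
        else:
            # Masquerade check: the article's Abyss Worker posed as a Palo Alto
            # Networks component; a genuine one would carry that vendor's signature
            desc, signer = ev["description"].lower(), ev["signer"].lower()
            for claim, expected in VENDOR_CLAIMS.items():
                if claim in desc and expected not in signer:
                    reasons.append("description claims %s but signer is %s" % (claim, ev["signer"]))
        if reasons:
            findings.append({"driver": ev["image"], "reasons": reasons})
    return findings


# Constructed sample events (placeholder hashes, signers and file names)
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\HWAudioOs2Ec.sys", "sha256": "PLACEHOLDER_SHA256_1",
     "signed": True, "signer": "Huawei Technologies (constructed signer)",
     "description": "Huawei audio driver"},
    {"image": r"C:\Windows\System32\drivers\pan_placeholder.sys", "sha256": "PLACEHOLDER_SHA256_2",
     "signed": True, "signer": "CONSTRUCTED-SIGNER-LTD",
     "description": "Palo Alto Networks security component"},
    {"image": r"C:\Windows\System32\drivers\ndis.sys", "sha256": "PLACEHOLDER_SHA256_3",
     "signed": True, "signer": "Microsoft Windows", "description": "NDIS 6.x wrapper driver"},
]

if __name__ == "__main__":
    for f in driver_findings(SAMPLE_EVENTS):
        print(f["driver"])
        for r in f["reasons"]:
            print("   -", r)
```

The file-name match is the weakest layer, since an attacker can rename a driver freely, and the Huawei case shows why name lists lag: the driver had no public advisory when it was first abused. The durable controls are hash and certificate based (Microsoft's recommended driver block rules enforced through HVCI or WDAC), with the path and vendor-claim checks catching the bespoke, masquerading driver that no blocklist will know about yet.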

The Custom “Abyss Worker” Illusion

Adding another layer of complexity that sets this group apart from typical ransomware operations was their deployment of a custom driver dubbed Abyss Worker. Unlike standard BYOVD, which relies on legitimate, signed drivers, Abyss Worker is a purpose-built, entirely malicious driver that was compiled to masquerade as a legitimate Palo Alto Networks security component. This combination of standard BYOVD driver abuse with bespoke, masquerading kernel-level malware illustrates a significant level of investment and development maturity by the DragonForce group.

Post-Exploitation Actions and DragonForce Ransomware Deployment

Once the local endpoint protections were systematically dismantled and EDR agents silenced, the threat actors began altering the victim’s internal infrastructure to prepare for wide-scale encryption. To ensure uninterrupted remote access, the actors executed the following system manipulations:

  • Disabling Password Restrictions: They removed the Windows LimitBlankPassword security policy, which allowed compromised systems to accept blank passwords for easier, unauthenticated remote access.
  • Rogue Account Creation: The group created multiple new user accounts on local machines and Active Directory domains to preserve access in case their primary connection was severed.
  • Firewall Modification: In
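The first two changes in the list above are cheap to audit continuously, because both leave a durable trace on the host: the blank-password policy lives in the registry as the `LimitBlankPasswordUse` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 restricts blank passwords to console logon, which is the Windows default), and new local accounts show up as a difference against a known baseline. The Python below is an added example, not code from the researchers: `audit_snapshot` works over a configuration snapshot so it runs anywhere, the snapshot and baseline account list are constructed, and `read_live_lsa_value` is a small helper that only runs on a Windows host.

```python
"""Audit a host configuration snapshot for the post-exploitation changes
described above: blank-password restriction removed and local accounts that
are not in the baseline. Added example; the snapshot is constructed."""
import sys

LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
BLANK_PW_VALUE = "LimitBlankPasswordUse"   # 1 (default) = blank passwords limited to console logon


def audit_snapshot(snapshot, baseline_accounts):
    """snapshot: {"registry": {key: {value_name: data}}, "local_accounts": [names]}.

    Returns a list of findings, empty when the host matches its expected state."""
    findings = []
    lsa = snapshot["registry"].get(LSA_KEY, {})
    data = lsa.get(BLANK_PW_VALUE)
    if data != 1:
        findings.append({"check": "blank-password restriction",
                         "detail": "%s\\%s is %r, expected 1" % (LSA_KEY, BLANK_PW_VALUE, data)})
    expected = {a.lower() for a in baseline_accounts}
    for acct in sorted({a.lower() for a in snapshot["local_accounts"]} - expected):
        findings.append({"check": "rogue local account", "detail": acct})
    return findings


def read_live_lsa_value():
    """Read the real registry value on a Windows host; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        data, _ = winreg.QueryValueEx(key, BLANK_PW_VALUE)
    return data


# Constructed baseline and snapshot: svc_backup2 is a placeholder rogue account
BASELINE_ACCOUNTS = ["Administrator", "Guest", "DefaultAccount", "WDAGUtilityAccount", "jdoe"]
SAMPLE_SNAPSHOT = {
    "registry": {LSA_KEY: {BLANK_PW_VALUE: 0}},
    "local_accounts": ["Administrator", "Guest", "DefaultAccount", "WDAGUtilityAccount",
                       "jdoe", "svc_backup2"],
}

if __name__ == "__main__":
    for f in audit_snapshot(SAMPLE_SNAPSHOT, BASELINE_ACCOUNTS):
        print(f["check"], "->", f["detail"])
```

Both checks are deliberately stateful comparisons against a baseline rather than point-in-time heuristics: a value of 0 or a missing value is a finding regardless of who changed it, and the account diff is what turns "a new user was created" into a list of names an incident responder can act on. On a domain, the same diff should be run against Active Directory as well, since the article notes accounts were created in both places.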

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.