DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
DragonForce is a ransomware operation, active since at least 2023, that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.
According to researchers at the cybersecurity company Symantec, the hackers used custom Go-based malware in an attack against a major U.S. services company.
Backdoor.Turn abuses Teams' TURN infrastructure by obtaining an anonymous Teams visitor token, using a legitimate Microsoft TURN relay during connection setup, and then connecting to the attacker's command-and-control (C2) server.
As a result, defenders see traffic associated with the Microsoft Teams infrastructure, allowing the malware to hide its communications within a trusted network.
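Because the destination is legitimate Microsoft infrastructure, the useful signal is which process opens the connection. The sketch below is an added example, not Symantec's detection logic. It flags flows to Teams relay addresses that come from unexpected process images; the relay ranges and ports, the process allowlist, and the sample flow records are assumptions to check against Microsoft's current endpoint list and your own environment.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumption: Teams media relay ranges and ports as published in Microsoft's
# Microsoft 365 endpoint documentation; verify against the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in
                    ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {("udp", 3478), ("udp", 3479), ("udp", 3480),
                     ("udp", 3481), ("tcp", 443)}

# Assumption: images expected to reach Teams relays in this environment.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe",
                   "msedge.exe", "chrome.exe", "firefox.exe"}


def is_teams_relay(dst_ip, proto, dst_port):
    """True if the destination looks like a Teams TURN/media relay endpoint."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False  # malformed address in the telemetry: not a match
    in_range = any(addr in net for net in TEAMS_RELAY_NETS)
    return in_range and (proto.lower(), dst_port) in TEAMS_RELAY_PORTS


def suspicious_flows(flows):
    """Return flows to Teams relays whose process image is not on the allowlist."""
    hits = []
    for f in flows:
        image_name = PureWindowsPath(f["image"]).name.lower()
        if (is_teams_relay(f["dst_ip"], f["proto"], f["dst_port"])
                and image_name not in EXPECTED_IMAGES):
            hits.append(f)
    return hits


# Constructed sample records (EDR-style process/network telemetry), not real data.
SAMPLE_FLOWS = [
    {"host": "WS-01", "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "dst_ip": "52.114.10.20", "proto": "udp", "dst_port": 3478},
    {"host": "SRV-07", "image": r"C:\ProgramData\updater.exe",
     "dst_ip": "52.113.200.5", "proto": "udp", "dst_port": 3478},
    {"host": "SRV-07", "image": r"C:\ProgramData\updater.exe",
     "dst_ip": "203.0.113.9", "proto": "tcp", "dst_port": 443},
]

if __name__ == "__main__":
    for hit in suspicious_flows(SAMPLE_FLOWS):
        print(f'{hit["host"]}: {hit["image"]} -> {hit["dst_ip"]}:{hit["dst_port"]}')
```

Servers and other hosts where Teams is not installed make the highest-confidence hits, since no process there should be talking to the relays at all.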
Last year, Praetorian developed a new technique dubbed ‘Ghost Calls’, which showed how temporary TURN credentials for Teams and Zoom could be hijacked to create stealthy communication tunnels through trusted conferencing infrastructure.
While Ghost Calls demonstrated the concept in 2025, Backdoor.Turn is the first known in-the-wild malware to abuse Microsoft Teams TURN relays for command-and-control communications.
“Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic,” Symantec says.
The researchers also highlight the exploitation of Huawei’s HWAuidoOs2Ec.sys driver ("Havoc Process Terminator"), which is used for evasion in Bring Your Own Vulnerable Driver (BYOVD) tactics.