Tags: DragonForce Ransomware, Microsoft Teams C2, TURN Relay Abuse, Traffic Analysis

DragonForce's Backdoor.Turn: Ransomware C2 That Rides Microsoft Teams Relays

DragonForce's Backdoor.Turn tunnels ransomware C2 through legitimate Microsoft Teams TURN relays over QUIC, invisible to signature NDR. Why behavioral traffic ML is the only witness.

Zero Hunt Research · 6 min read

For one to two months, a major U.S. services firm had a ransomware operator living inside its network, and every network security tool it owned reported the same thing: outbound connections to legitimate Microsoft Teams servers. Nothing to see. On 16 June 2026, Symantec's Threat Hunter team disclosed why: the DragonForce affiliate had deployed a Go-based backdoor, Backdoor.Turn, that hides its command-and-control channel inside Microsoft Teams' own media-relay infrastructure. To Symantec's knowledge, it is the first time TURN relay infrastructure has been abused this way in the wild — and it collapses one of the last assumptions defenders still rely on: that traffic to a trusted, well-known cloud destination is benign.

How Backdoor.Turn turns Microsoft Teams into a C2 channel

The mechanism is elegant in the way that good tradecraft usually is — it adds nothing exotic to the network, it borrows something that is already there. Teams (like Zoom and most WebRTC conferencing) uses TURN servers — Traversal Using Relays around NAT — to relay audio and video when two endpoints can't connect directly. TURN relays are, by design, general-purpose packet forwarders sitting on Microsoft's infrastructure, reachable by any client that presents a valid short-lived credential.

Backdoor.Turn walks straight through that front door:

  1. It requests an anonymous Teams visitor token from Microsoft's Skype-backed identity services — no tenant account, no authentication trail in the victim's own directory.
  2. It uses that token to allocate a legitimate Microsoft TURN relay.
  3. It opens a QUIC session through the relay to the attacker's real C2 server.
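To make those three steps concrete on the wire, here is a small STUN/TURN demultiplexer and attribute parser. It is an added example written for this post, not code from Symantec, Praetorian or Zero Hunt, and not a reconstruction of Backdoor.Turn. The message and attribute type codes are the standard ones from RFC 5389 and RFC 5766; the datagrams it parses are constructed inside `demo()`, and the username string, transaction ID and the 203.0.113.7 relay address are placeholders, not values seen in the intrusion. It recognises the Allocate request and success response that create a relay, extracts the LIFETIME and XOR-RELAYED-ADDRESS a sensor would log per allocation, and shows the one demultiplexing trap a QUIC-over-TURN tunnel sets: a TURN ChannelData frame and a QUIC short-header packet share the same leading bits, so classification has to carry per-flow state.

```python
import struct
from dataclasses import dataclass, field

STUN_MAGIC = 0x2112A442

# STUN/TURN message types (method | class) from RFC 5389 / RFC 5766
ALLOCATE_REQUEST = 0x0003
ALLOCATE_SUCCESS = 0x0103
ALLOCATE_ERROR = 0x0113
SEND_INDICATION = 0x0016
DATA_INDICATION = 0x0017

# Attribute types a relay-tracking sensor cares about
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_LIFETIME = 0x000D
ATTR_XOR_RELAYED_ADDRESS = 0x0016
ATTR_REQUESTED_TRANSPORT = 0x0019


@dataclass
class TurnMessage:
    kind: str                 # "stun", "channeldata" or "other"
    msg_type: int = 0
    txid: bytes = b""
    attrs: dict = field(default_factory=dict)


def _decode_xor_ipv4(value: bytes) -> tuple[str, int]:
    """XOR-*-ADDRESS: port ^ top 16 bits of the magic cookie, IPv4 ^ the whole cookie."""
    if value[1] != 0x01:
        raise ValueError("only IPv4 handled in this example")
    port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC >> 16)
    raw = struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC
    return ".".join(str((raw >> s) & 0xFF) for s in (24, 16, 8, 0)), port


def classify_datagram(data: bytes, in_turn_flow: bool = False) -> TurnMessage:
    """Demultiplex one UDP payload. in_turn_flow comes from per-5-tuple state (an
    Allocate was seen earlier on this flow): a first byte in 0x40-0x7F is TURN
    ChannelData inside an allocation but a QUIC short-header packet anywhere else."""
    if in_turn_flow and len(data) >= 4 and 0x40 <= data[0] <= 0x7F:
        chan, length = struct.unpack("!HH", data[:4])
        if length <= len(data) - 4:
            return TurnMessage("channeldata", attrs={"channel": chan, "length": length})
    if len(data) < 20 or data[0] & 0xC0 != 0:
        return TurnMessage("other")          # STUN always starts with two zero bits
    msg_type, length, magic = struct.unpack("!HHI", data[:8])
    if magic != STUN_MAGIC or len(data) < 20 + length:
        return TurnMessage("other")
    msg = TurnMessage("stun", msg_type, data[8:20])
    off, end = 20, 20 + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        val = data[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)         # attribute values are padded to 4 bytes
        if atype == ATTR_LIFETIME:
            msg.attrs["lifetime"] = struct.unpack("!I", val)[0]
        elif atype == ATTR_XOR_RELAYED_ADDRESS:
            msg.attrs["relayed"] = _decode_xor_ipv4(val)
        elif atype == ATTR_REQUESTED_TRANSPORT:
            msg.attrs["transport"] = val[0]  # 17 = UDP
        elif atype == ATTR_USERNAME:
            msg.attrs["username"] = val.decode(errors="replace")
        elif atype == ATTR_MESSAGE_INTEGRITY:
            msg.attrs["integrity"] = True    # presence only; HMAC needs the credential
    return msg


# Helpers that build constructed sample datagrams for the demo (not captured traffic)

def build_stun(msg_type: int, txid: bytes, attrs: list[tuple[int, bytes]]) -> bytes:
    body = b""
    for atype, val in attrs:
        body += struct.pack("!HH", atype, len(val)) + val + b"\x00" * (-len(val) % 4)
    return struct.pack("!HHI", msg_type, len(body), STUN_MAGIC) + txid + body


def encode_xor_ipv4(ip: str, port: int) -> bytes:
    raw = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big") ^ STUN_MAGIC
    return struct.pack("!BBHI", 0, 0x01, port ^ (STUN_MAGIC >> 16), raw)


def demo() -> list[TurnMessage]:
    txid = bytes(range(12))  # constructed transaction ID
    allocate_req = build_stun(ALLOCATE_REQUEST, txid, [
        (ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0])),
        (ATTR_USERNAME, b"1720000000:visitor"),  # placeholder, not the real credential format
        (ATTR_MESSAGE_INTEGRITY, b"\x00" * 20),  # placeholder HMAC, not verified here
    ])
    allocate_ok = build_stun(ALLOCATE_SUCCESS, txid, [
        (ATTR_XOR_RELAYED_ADDRESS, encode_xor_ipv4("203.0.113.7", 3478)),  # RFC 5737 test address
        (ATTR_LIFETIME, struct.pack("!I", 600)),
    ])
    channel_data = struct.pack("!HH", 0x4001, 5) + b"hello" + b"\x00\x00\x00"
    quic_long_header = b"\xc3" + b"\x00" * 40  # first byte 11xxxxxx: neither STUN nor ChannelData
    return [
        classify_datagram(allocate_req),
        classify_datagram(allocate_ok),
        classify_datagram(channel_data, in_turn_flow=True),
        classify_datagram(channel_data, in_turn_flow=False),  # same bytes, no allocation seen
        classify_datagram(quic_long_header),
    ]
```

The useful output for detection is the allocation record (transaction ID, relayed address, lifetime, and the flow it was created on), because that is the unit a behavioural model reasons about: how long one host keeps refreshing an allocation, and what else it does meanwhile. The parser deliberately does not verify MESSAGE-INTEGRITY, since that needs the short-lived credential the sensor never has.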

From the wire, the infected host is talking to *.teams.microsoft.com-class endpoints over UDP/QUIC — the exact pattern a laptop in a video call produces. The Symantec and Carbon Black analysts put it plainly:

"The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors."

That single design choice neutralizes the entire category of destination-based detection: IP reputation, domain blocklists, TLS-SNI inspection, threat-intel feeds of known-bad C2 hosts. None of them fire, because the destination is genuinely Microsoft. Whatever the inner QUIC session reveals about where the tunnel actually terminates is wrapped inside the relay's TURN framing, and a sensor that keys on the outer 5-tuple never looks there.

From Ghost Calls research to in-the-wild ransomware

This did not come out of nowhere, and that is the part worth sitting with. At Black Hat USA 2025, Praetorian researcher Adam Crosser presented "Ghost Calls" — a technique for tunneling C2 through the TURN servers of Zoom and Microsoft Teams using legitimate credentials and WebRTC, no exploit required. Praetorian even shipped an open-source tool, TURNt, with a controller/relay split, SOCKS proxying, port forwarding, and exfiltration built in. The whole point of Ghost Calls was that conferencing media servers are globally distributed, low-latency, and universally allowlisted — so interactive C2 sessions blend into "someone joined a meeting."

Roughly ten months later, DragonForce, a group Symantec tracks as Hackledorb that has run a ransomware-as-a-service since June 2023 and has since grown into a cartel structure, productized the same idea into a Go RAT and put it inside a live ransomware intrusion. The lag between a conference-stage proof of concept and a named ransomware crew using it in anger is the entire story of modern offense: published technique today, weaponized variant on your network next quarter. Anyone who watched the Black Hat talk and filed it under "interesting, not urgent" just learned the cost of that filing.

Why your NDR and EDR saw legitimate Microsoft traffic

Defenders had three monitoring surfaces here, and the design defeats all three on the network side:

  • Destination reputation — useless. The TURN relay is Microsoft-owned and on every allowlist on earth.
  • Protocol signatures — useless. QUIC inside a TURN allocation is exactly what real Teams media looks like; there is no malformed packet, no odd port, no self-signed cert to flag.
  • Identity correlation — useless. The anonymous visitor token never touches the victim's tenant, so there is no sign-in event, no Conditional Access log, no MFA prompt to anchor an alert.

On the endpoint, DragonForce went further and dismantled EDR directly with a multi-vector Bring-Your-Own-Vulnerable-Driver campaign — signed, legitimate kernel drivers loaded specifically to kill or blind security agents. Symantec documented an unusually broad driver arsenal, including a novel abuse of the Havoc Process Terminator:

Driver               Origin            Vulnerability                      Role
HWAuidoOs2Ec.sys     Huawei            Havoc Process Terminator (novel)   Terminate security processes
wsftprm.sys          Topaz Antifraud   CVE-2023-52271                     Process termination
Gamedriverx64.sys    Tower of Fantasy  CVE-2025-61155                     Kernel-level kill
K7RKScan.sys         K7 Security       CVE-2025-1055                      Defense evasion
Abyss Worker driver  Custom            Malicious by design                EDR disablement

When the host agent is being terminated from the kernel and the network channel is indistinguishable from a video call, the defender's two primary witnesses are both gone. That is not bad luck; it is the explicit objective of the toolchain.

One to two months of dwell before the first file was encrypted

The detail that should reframe the threat model is the timeline. Per the Symantec investigation and corroborating reporting from Help Net Security, the initial compromise traced to December 2025, and the operator sat inside the environment for one to two months before deploying ransomware. During that window Backdoor.Turn was busy with the unglamorous work that precedes every big-game encryption event:

  • command execution and process creation,
  • network scanning,
  • LDAP and Active Directory enumeration,
  • credential-based lateral movement,
  • browser credential theft.

None of that is encryption. All of it is the staging — the reconnaissance, privilege escalation, and lateral fan-out that determine whether the eventual ransomware hit locks one share or the whole estate. A defender who only recognizes ransomware at the moment files start changing extension has already lost the month that mattered. The encryption is the receipt, not the attack.

What actually catches this: behavior, not destination

If destination reputation, signature inspection, and identity correlation are all defeated by design, the only remaining signal is behavior on the wire — and that signal is still loud, because the content of the channel lies but the shape of it does not. A back-office file server holding a sustained, weeks-long QUIC session through a TURN relay is an anomaly no matter how legitimate the relay is: that host has no business "joining a meeting," and it certainly has no business doing so continuously while it also enumerates Active Directory and fans out over SMB. The destination is trusted; the behavior is absurd.
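The composite described above, as an added example: a rule-based scorer over flow records that flags a relay session only when the staging behaviour rides alongside it. This is illustrative code written for this post, not Zero Hunt's model (whose internals the post does not show) and not Symantec's detection logic. The destination label `teams-turn-relay`, the host names, the thresholds (6 hours of relay time, 10 SMB targets, 3 of 4 signals) and the flow records in `sample_flows()` are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str    # internal source host (from the asset inventory)
    dst: str     # destination label after DNS/SNI/IP enrichment
    proto: str   # "turn", "ldap", "smb", "https", ...
    start: int   # epoch seconds
    end: int


@dataclass
class Finding:
    host: str
    relay_hours: float
    ldap_flows: int
    smb_targets: int
    reasons: list


RELAY_DST = "teams-turn-relay"  # assumed enrichment label for Microsoft TURN relay addresses
MAX_BENIGN_RELAY_HOURS = 6      # assumption: one meeting rarely holds a relay allocation this long
SMB_FANOUT = 10                 # assumption: distinct SMB targets that look like lateral fan-out
SIGNALS_TO_FLAG = 3             # assumption: how many of the four signals must co-occur


def relay_baseline(history: list[Flow]) -> set[str]:
    """Hosts that held a TURN relay session at any point in the baseline period."""
    return {f.host for f in history if f.proto == "turn" and f.dst == RELAY_DST}


def score_window(window: list[Flow], baseline_hosts: set[str]) -> list[Finding]:
    """Score every host that touched the relay in this window. LDAP and SMB flows
    count only if they start while that host's relay session is open, so the
    signals are genuinely co-occurring rather than merely present in the window."""
    relay_ivals: dict[str, list[tuple[int, int]]] = defaultdict(list)
    for f in window:
        if f.proto == "turn" and f.dst == RELAY_DST:
            relay_ivals[f.host].append((f.start, f.end))

    def during_relay(f: Flow) -> bool:
        return any(s <= f.start <= e for s, e in relay_ivals.get(f.host, ()))

    ldap = defaultdict(int)
    smb = defaultdict(set)
    for f in window:
        if f.proto == "ldap" and during_relay(f):
            ldap[f.host] += 1
        elif f.proto == "smb" and during_relay(f):
            smb[f.host].add(f.dst)

    findings = []
    for host, ivals in relay_ivals.items():
        hours = sum(e - s for s, e in ivals) / 3600
        reasons = []
        if hours >= MAX_BENIGN_RELAY_HOURS:
            reasons.append(f"relay session {hours:.1f}h exceeds {MAX_BENIGN_RELAY_HOURS}h")
        if host not in baseline_hosts:
            reasons.append("host has never used a TURN relay before")
        if ldap[host]:
            reasons.append(f"{ldap[host]} LDAP flows while the relay session was open")
        if len(smb[host]) >= SMB_FANOUT:
            reasons.append(f"SMB fan-out to {len(smb[host])} hosts while the relay session was open")
        # No single signal is conclusive; the pristine-looking relay session is flagged
        # only when enough of the staging behaviour is happening alongside it.
        if len(reasons) >= SIGNALS_TO_FLAG:
            findings.append(Finding(host, round(hours, 1), ldap[host], len(smb[host]), reasons))
    return findings


def sample_flows() -> tuple[list[Flow], list[Flow]]:
    """Constructed flow records for the example; not data from the Symantec investigation."""
    history = [Flow("ws-041", RELAY_DST, "turn", 0, 2400),
               Flow("ws-117", RELAY_DST, "turn", 0, 3000)]
    t0 = 1_000_000
    window = [
        Flow("ws-041", RELAY_DST, "turn", t0, t0 + 45 * 60),      # an ordinary 45-minute call
        Flow("ws-041", "dc-01", "ldap", t0 + 600, t0 + 601),       # one directory lookup mid-call
        Flow("fs-03", RELAY_DST, "turn", t0, t0 + 3 * 24 * 3600),  # file server, relay held 3 days
    ]
    window += [Flow("fs-03", "dc-01", "ldap", t0 + 3600 * i, t0 + 3600 * i + 2) for i in range(14)]
    window += [Flow("fs-03", f"host-{i:03d}", "smb", t0 + 7200 + 60 * i, t0 + 7200 + 60 * i + 5)
               for i in range(30)]
    return history, window


def analyze() -> list[Finding]:
    history, window = sample_flows()
    return score_window(window, relay_baseline(history))
```

The workstation that joins a 45-minute call and does one directory lookup collects a single signal and stays quiet; the file server holding a relay for three days while it queries the DC hourly and touches thirty SMB hosts collects all four. The point of the co-occurrence check is that none of the individual flows is suspicious on its own, and every one of the relay flows is to a Microsoft address.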

This is the exact gap Zero Hunt's AI Traffic Analysis pillar was built to close. It is a proprietary deep-learning model trained on billions of PCAP sequences, running locally on the appliance GPU at a 2.7+ Gbit/s baseline, with four parallel inference heads — suspicious traffic, malware classification, attack-type identification, and application fingerprinting. It does not ask "is this destination on a blocklist." It asks whether this host, given everything it has ever done, should be holding this session — a QUIC tunnel to a relay from a server that has never video-called anything, running for weeks, co-occurring with AD enumeration and lateral SMB writes. That composite is anomalous even when every individual packet is pristine Microsoft traffic, and the model flags it during the one-to-two-month dwell, not in the next morning's SIEM digest after the files are locked.

The endpoint side has an answer too, and it is the second pillar. The BYOVD blind spot, drivers like the Huawei and Tower of Fantasy ones above loaded specifically to disable defenses, is precisely what continuous, assumed-breach validation is for. Zero Hunt's 10-agent generative pentest runs the Post-Exploit and Pivot agents against your real environment to test whether a planted vulnerable driver, a forged Teams visitor token, or an unmonitored QUIC egress path actually works before a DragonForce affiliate tries it: every exploit chain generated per-target by a local LLM, backtested in the AI Gym, and ECDSA-signed into the evidence trail. The traffic model is the witness that survives EDR being killed; the generative engine is the rehearsal that finds the path an EDR kill would open, while it is still a finding and not a ransom note.

DragonForce's contribution to the field is not a new exploit. It is a reminder that "trusted destination" was never a security property — and that on a network where the malware borrows Microsoft's own relays, the only thing left to trust is whether the behavior makes sense.