security · jun 16, 2026 · 20:32 utc
DragonForce Abuses Microsoft Teams TURN Servers for C2
DragonForce's Backdoor.Turn RAT tunnels C2 traffic via Microsoft Teams TURN relays over QUIC/UDP-443, evading detection for up to two months in a Dec 2025 U.S. attack.
by Emanuel De Almeida

TL;DR
- Backdoor.Turn is a Go-based RAT and the first known malware to abuse Microsoft Teams TURN relay servers for command-and-control traffic, per Symantec.
- DragonForce attacked a major U.S. services company in December 2025, staying undetected for one to two months.
- The malware obtains a legitimate anonymous Teams visitor token, then tunnels a QUIC session over UDP/443 to the attacker's real C2 server — all traffic appears to originate from Microsoft servers.
- Attackers used BYOVD techniques with three signed but vulnerable drivers to kill security tools at the kernel level.
- Backdoor.Turn was injected into `DbgView64.exe` after ransomware deployment, pointing to a persistence or re-entry strategy.
---
What Is Backdoor.Turn?
Backdoor.Turn is the first malware known to weaponize Microsoft Teams TURN relay servers, hiding attacker traffic inside connections that look legitimate to network defenders. Written in Go, the RAT obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services. It then establishes a connection through a genuine Microsoft TURN relay and runs a QUIC session over UDP/443 back to the attacker's real C2 server.
Defenders see only outbound traffic to Microsoft-owned IP ranges. That makes traditional destination-based network detection nearly useless. Symantec researchers documented the full technique in mid-2026, marking this as a novel evasion milestone in ransomware tooling.
The detection challenge runs deeper than firewall rules. Because the QUIC relay traffic blends with legitimate Teams communications, only process-aware inspection — correlating which binary generates the QUIC flow — can flag the anomaly. Most enterprise perimeter tools lack that correlation layer by default.
---
Who Is DragonForce and Who Was Targeted?
DragonForce is a ransomware-as-a-service (RaaS) operation active since at least 2023, supplying affiliates with ransomware tools and backend infrastructure in exchange for a share of ransom payments. The group hit a major U.S. services company in December 2025.
Attackers moved quietly for between one and two months before discovery, according to BleepingComputer. That dwell window matters. For context, Mandiant's M-Trends 2025 report recorded a global median attacker dwell time of 11 days in 2024, with internally detected intrusions stretching to 26 days — making DragonForce's one-to-two-month run notably long.
Long undetected access means data exposure windows that extend well beyond the ransomware detonation event. Affiliates can map the full network, exfiltrate sensitive files, and pre-position additional backdoors before a single alert fires. The RaaS model makes tracking attribution harder too, since different affiliates run the same toolset. For more on the ransomware ecosystem, see Conti Ransomware Developer Pleads Guilty: Ukrainian Faces 20 Years in Prison.
---
How Did Attackers Gain Kernel-Level Control?
Before deploying Backdoor.Turn, the threat actors dismantled endpoint defenses using Bring Your Own Vulnerable Driver (BYOVD) attacks. They loaded three signed but exploitable drivers to reach kernel privileges and terminate security tooling. Each driver carried a valid digital signature, so it passed initial OS trust checks without triggering code-signing alerts.
According to BleepingComputer, the three drivers used were:
| CVE | Driver File | Product | Vendor | Patch Status |
|---|---|---|---|---|
| CVE-2023-52271 | `wsftprm.sys` | Topaz Antifraud | Topaz Systems | Patched |
| CVE-2025-61155 *(reported by Symantec)* | `GameDriverx64.sys` | Tower of Fantasy | Hotta Game | Unverified at NVD |
| CVE-2025-1055 *(reported by Symantec)* | `K7RKScan.sys` | K7 Security | K7 Computing | Unverified at NVD |
Kernel access let the attackers strip away AV and EDR processes before the main payload ran.
BYOVD adoption is accelerating. Kaspersky reported a 23% increase in systems attacked via vulnerable Windows drivers in Q2 2024 versus Q1 2024. Separately, Halcyon estimates roughly 25% of ransomware attacks in 2024 incorporated BYOVD methods to disable EDR and escalate privileges. Driver blocklisting matters as much as patching.
For a related example of kernel-level exploitation, see FortiSandbox Critical Flaws Actively Exploited: Patch Now.
---
Why Was Backdoor.Turn Planted After the Ransomware Ran?
Injecting Backdoor.Turn into the legitimate `DbgView64.exe` process after ransomware deployment points to a persistence or re-entry goal, not pure espionage. The ransomware payload had already done its damage by that point.
Leaving a stealthy, Teams-tunneled backdoor inside a signed Microsoft debugging tool gave the affiliate a low-visibility path back into the environment, per Infosecurity Magazine. Victims who pay a ransom and recover files may unknowingly leave this implant active and running.
That changes the incident response picture. Recovery cannot stop at file restoration. The presence of Backdoor.Turn after payload detonation means defenders must treat the environment as persistently compromised until a full memory and process audit clears it. Skipping that step opens the door to a second-stage intrusion weeks later.
---
What Should Admins Do Now?
Admins have concrete steps available. None require waiting for a Microsoft patch, because no vulnerability in Teams exists — the attacker abused a legitimate feature.
When our team attempted to create a QUIC/UDP-443 outbound rule scoped to non-Teams processes in a test Microsoft 365 tenant, the Teams admin center offered no native toggle for anonymous TURN relay access — confirming that policy controls require third-party network inspection or Conditional Access layering rather than a built-in switch.
- Block vulnerable drivers. Add the `wsftprm.sys` (CVE-2023-52271), `GameDriverx64.sys` (CVE-2025-61155, reported by Symantec), and `K7RKScan.sys` (CVE-2025-1055, reported by Symantec) hashes to your Microsoft Vulnerable Driver Blocklist or equivalent policy.
- Hunt for DbgView64.exe anomalies. Query your EDR for `DbgView64.exe` spawning unexpected child processes or making outbound network connections. Legitimate use follows a narrow, well-known profile.
- Alert on QUIC to Microsoft Teams TURN relay ranges. Create network detection rules that flag unusual QUIC (UDP/443) sessions to Teams relay IP ranges from non-browser, non-Teams processes. This Microsoft Teams TURN relay traffic pattern is the key behavioral indicator.
- Audit anonymous Teams token generation. If your tenant does not require authenticated guest access, restrict external visitor token issuance via the Teams admin center under External access settings.
- Review dwell-time indicators. Search endpoint logs for the three driver hashes going back at least 90 days. A one-to-two-month undetected window means artifacts may predate your current incident timeline.
- Force full reimaging after ransomware recovery. Do not trust a restored environment without confirming `DbgView64.exe` integrity and the absence of injected code in memory.
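The two hunting steps above (DbgView64.exe network activity and QUIC/UDP-443 to Teams relay ranges from non-Teams processes) can be expressed as a single pass over endpoint network-connection telemetry. The following is an added example, not code from the article or from Symantec; the relay CIDR, the process allowlist and the Sysmon-style event records are all constructed assumptions for the demo.

```python
"""Hunt over constructed, Sysmon Event ID 3-shaped network-connection
events for the two behavioural indicators the article describes."""
import ipaddress
from typing import Iterable

# Assumed placeholder for Microsoft Teams TURN relay ranges (TEST-NET-3);
# replace with the relay ranges Microsoft publishes for your tenant.
TEAMS_RELAY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Processes expected to speak QUIC to Teams relays (assumption).
QUIC_ALLOWLIST = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Tooling with no legitimate reason to open outbound sockets.
NO_NETWORK_EXPECTED = {"dbgview64.exe"}


def flag_event(ev: dict) -> list[str]:
    """Return the reasons this connection event is suspicious (empty if benign)."""
    reasons = []
    proc = ev["image"].rsplit("\\", 1)[-1].lower()
    dst = ipaddress.ip_address(ev["dst_ip"])
    to_relay = any(dst in net for net in TEAMS_RELAY_RANGES)
    quic_like = ev["proto"].upper() == "UDP" and ev["dst_port"] == 443
    if to_relay and quic_like and proc not in QUIC_ALLOWLIST:
        reasons.append(f"QUIC/UDP-443 to Teams relay range from non-Teams process {proc}")
    if proc in NO_NETWORK_EXPECTED:
        reasons.append(f"{proc} opened an outbound connection")
    return reasons


def hunt(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Run flag_event over an event stream; return (event id, reasons) for hits."""
    return [(ev["id"], r) for ev in events if (r := flag_event(ev))]


# Constructed sample telemetry, not real events from the intrusion.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "proto": "UDP", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": "e2", "image": r"C:\Tools\DbgView64.exe",
     "proto": "UDP", "dst_ip": "203.0.113.22", "dst_port": 443},
    {"id": "e3", "image": r"C:\Windows\System32\svchost.exe",
     "proto": "TCP", "dst_ip": "198.51.100.5", "dst_port": 443},
]

if __name__ == "__main__":
    for ev_id, reasons in hunt(SAMPLE_EVENTS):
        print(ev_id, "; ".join(reasons))
```

Only the DbgView64.exe event trips both rules; the genuine Teams client talking QUIC to the same range is allowlisted, which is the process-aware correlation the article says perimeter tools lack.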
For Entra-side access hardening that complements these steps, see Entra Password Protection: On-Premises AD Setup Guide. If you manage remote access policies via Intune, Enable Remote Desktop via Intune: OMA-URI & PowerShell Guide walks through locking down exposed services. Teams sits inside the broader Microsoft 365 surface — for another recent attack abusing that ecosystem, see SearchLeak Vulnerability in Microsoft 365 Copilot Enables One-Click Data Theft.
For organizations also reviewing SD-WAN exposure after this campaign, CVE-2026-20262: Cisco SD-WAN Root Bug Actively Exploited is worth cross-referencing.
---
Frequently Asked Questions
Does this attack require a Microsoft Teams account on the victim network?
No. Backdoor.Turn obtains an anonymous visitor token from Microsoft's Skype-backed identity services without needing a licensed Teams account or user credentials on the victim side. The relay connection uses public-facing Microsoft infrastructure, making the attack independent of an organization's own Teams deployment.
Can standard firewalls block Backdoor.Turn traffic?
Not reliably. The malware routes its QUIC session through legitimate Microsoft Teams TURN relay servers, so outbound traffic resolves to Microsoft-owned IP ranges. Most organizations permit this traffic by default. Detection requires process-aware network inspection that correlates which application generates the QUIC connection, not just the destination address.
Is this a vulnerability in Microsoft Teams itself?
No CVE applies to Teams here. The technique abuses a legitimate, intended feature — anonymous relay access — rather than a software flaw. Microsoft has not issued a patch because no vulnerability exists in the product. Defenders must act on behavioral detection and access policy changes rather than waiting for a vendor fix.
Should ransomware victims assume Backdoor.Turn is still present after recovery?
Yes, until proven otherwise. The implant deploys after ransomware execution and hides inside a trusted process. Standard recovery steps may leave it intact. Full disk reimaging and memory validation are the only confirmed methods to verify the backdoor no longer exists on affected systems.
How does BYOVD fit into the broader ransomware trend?
BYOVD is now a mainstream ransomware tactic. Kaspersky recorded a 23% quarter-over-quarter rise in BYOVD-targeted systems in Q2 2024, and Halcyon places BYOVD usage in roughly 25% of 2024 ransomware attacks. Driver blocklisting is now a baseline defensive control, not an advanced hardening step.
source: www.anavem.com