Threat actors linked to the DragonForce ransomware gang have deployed a custom Go-based remote access trojan called Backdoor.Turn to hide command-and-control (C2) traffic within Microsoft Teams relay infrastructure. Researchers at Symantec and Carbon Black discovered the backdoor during an incident affecting a major U.S. services firm.
The technique abuses Microsoft Teams' legitimate relay servers to tunnel malicious communications, making detection difficult for defenders. DragonForce uses this approach to maintain persistent access to compromised systems while evading network monitoring tools that would normally flag suspicious C2 connections.
Backdoor.Turn operates as a full-featured RAT, granting attackers remote code execution on infected machines. The malware's use of Go provides cross-platform compatibility and makes reverse engineering more difficult than it is for traditional C++ or .NET implementations.
The attack chain represents an evolution in DragonForce's operational tradecraft. Rather than relying on direct internet connections to external C2 servers, the group abuses a trusted cloud service that organisations rarely block. This "living off the land" approach reduces infrastructure costs and strengthens the attackers' anonymity.
The incident targeted an unidentified major U.S. services provider, suggesting DragonForce continues to go after high-value sectors. Services firms typically manage critical infrastructure for multiple downstream clients, making them attractive initial access points for ransomware operators planning broader attacks.
Organisations should implement strict application controls on Microsoft Teams, monitor relay traffic for anomalies, and assume that Teams communication represents a potential lateral movement vector during active compromises. Network segmentation remains essential, as do endpoint detection and response (EDR) solutions capable of identifying suspicious process behaviour regardless of the underlying communication protocol.
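As an added illustration of the relay monitoring suggested above (example code written for this page, not from the Symantec/Carbon Black research or the article), the script below sweeps EDR-style network events and flags any process outside an expected allow-list that reaches a Microsoft Teams media relay. The relay address ranges and ports are assumed from Microsoft's published Office 365 endpoint list, and the log format, allow-list and sample events are constructed for the example.

```python
import ipaddress
import re

# Assumption: Teams media relay ranges and UDP ports from Microsoft's published
# Office 365 endpoint list ("Teams media"); verify against the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481}
# Assumption: hypothetical allow-list of processes expected to use Teams relays.
EXPECTED_PROCESSES = {"teams.exe", "ms-teams.exe"}
# Constructed EDR-style network event format, used only for this example:
#   ts=<iso8601> host=<name> proc=<image> dst=<ip>:<port> proto=<udp|tcp>
LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)"
)

def parse_event(line):
    """Parse one event line into a dict; return None if it is malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev

def is_teams_relay(ip, port):
    """True when the destination is inside a Teams relay range on a relay port."""
    addr = ipaddress.ip_address(ip)
    return port in TEAMS_RELAY_PORTS and any(addr in net for net in TEAMS_RELAY_NETS)

def find_anomalies(lines):
    """Return (host, process, dst) for relay connections by processes outside the
    allow-list: relay traffic itself is normal, the anomaly is who generates it."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip unparseable telemetry rather than abort the sweep
        if is_teams_relay(ev["ip"], ev["port"]) and ev["proc"].lower() not in EXPECTED_PROCESSES:
            hits.append((ev["host"], ev["proc"], f'{ev["ip"]}:{ev["port"]}'))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "ts=2024-01-01T09:00:00Z host=ws01 proc=ms-teams.exe dst=52.112.10.20:3478 proto=udp",
    "ts=2024-01-01T09:00:05Z host=ws01 proc=chrome.exe dst=142.250.72.14:443 proto=tcp",
    "ts=2024-01-01T09:01:12Z host=srv07 proc=svcupdate.exe dst=52.122.33.44:3480 proto=udp",
    "malformed line",
]
```

Tuning the allow-list from your own baseline matters more than the ranges: a Teams-named process that is not signed by Microsoft, or relay traffic from hosts that never run Teams, are the cases this rule is meant to surface.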
This development underscores a broader trend where ransomware groups increasingly rely on legitimate cloud services rather than dedicated malware infrastructure. Defenders must shift from blocking known
