
LEMON BLOG

New Malware Campaign Abuses Microsoft Teams Infrastructure To Hide Malicious Traffic

Cybersecurity researchers have uncovered a new malware campaign that shows how attackers are becoming more creative in hiding their activity inside normal business traffic. Instead of relying only on suspicious domains or obvious command-and-control servers, the attackers behind this campaign are abusing Microsoft Teams relay infrastructure to make malicious communications look like legitimate enterprise activity.

The campaign involves a Go-based Remote Access Trojan known as Backdoor.Turn, which has reportedly been linked to a DragonForce ransomware attack against a major U.S. services company. What makes this case especially concerning is not just the malware itself, but the way it blends into trusted Microsoft-related network traffic.

How Microsoft Teams Relay Infrastructure Is Being Abused

Microsoft Teams uses TURN relay servers as part of its real-time media infrastructure. TURN, or Traversal Using Relays around NAT (RFC 5766), lets two clients exchange traffic when a direct connection is not possible, such as when users sit behind private networks or restrictive firewalls: a client allocates a relayed address on the TURN server, and the server forwards whatever arrives there to the peer the client names.

In normal use, this is a legitimate part of how real-time communication platforms operate. It is also what makes the relay useful to an attacker: the server forwards the payload without caring what it carries. Instead of having the malware talk to attacker-controlled servers directly and in an obvious way, Backdoor.Turn routes part of its communication through Microsoft's own relay services, so the endpoint's outbound connection is to Microsoft while the relayed flow ends at the attacker's server.

To security teams monitoring network traffic, this can make the activity much harder to identify. On the surface, the connection may appear to be ordinary outbound traffic to Microsoft services, when in reality it is being used to support attacker command-and-control activity.

Linked To A DragonForce Ransomware Intrusion

The campaign has been associated with DragonForce, a ransomware operation that has been active since at least 2023. DragonForce has gained attention not only because of its attacks, but also because of its cartel-style structure and reported links to the Scattered Spider threat group.

In the reported incident, attackers remained inside the victim's environment for nearly two months before being detected. That long dwell time gave them room to explore the network, collect credentials, move laterally, and prepare the environment for further compromise.

Backdoor.Turn was used as part of this operation to help conceal command-and-control traffic. By hiding behind Microsoft Teams-related relay traffic, the attackers reduced the chance that defenders would immediately spot unusual communication patterns.

A Stealthy Backdoor With Multiple Capabilities

Backdoor.Turn is designed to do more than simply maintain access. According to the advisory, it can support remote command execution, Active Directory enumeration, network scanning, credential theft, and lateral movement.

The malware reportedly requests an anonymous visitor token from Microsoft's Skype-backed identity services, of the kind issued for anonymous meeting joins, uses it to authenticate to Teams infrastructure, and then allocates a relay session on the TURN servers. Through that relay it initiates a QUIC session with the actual command-and-control server, so the C2 channel is carried inside what the network sees as a Teams media session.
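To show what the relay allocation step above looks like on the wire, here is an added example (not code from the page and not the malware's own code) that builds the TURN Allocate request a client sends and parses the Allocate success response, using the RFC 5389 header and RFC 5766 attributes. The username, relayed address and lifetime are constructed values, and the server's credential challenge (401 with REALM/NONCE, then a retry carrying MESSAGE-INTEGRITY) that a real Teams relay would require is omitted; the point is the framing an analyst would match in captured UDP/3478 traffic.

```python
"""STUN/TURN message framing: RFC 5389 header, RFC 5766 Allocate attributes.

Added example, not code from the page or from the malware analysed there.
Username, relayed address and lifetime are constructed; the TURN credential
challenge (401 + MESSAGE-INTEGRITY) is omitted.
"""
import os
import struct

MAGIC_COOKIE = 0x2112A442
HEADER_LEN = 20

METHOD_ALLOCATE = 0x003
CLASS_REQUEST, CLASS_INDICATION, CLASS_SUCCESS, CLASS_ERROR = 0, 1, 2, 3

ATTR_USERNAME = 0x0006
ATTR_LIFETIME = 0x000D
ATTR_XOR_RELAYED_ADDRESS = 0x0016
ATTR_REQUESTED_TRANSPORT = 0x0019
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def encode_type(method, msg_class):
    """Spread the 12 method bits around the two class bits (bit 8 = C1, bit 4 = C0)."""
    return ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
            | ((msg_class & 0x2) << 7) | ((msg_class & 0x1) << 4))


def decode_type(msg_type):
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    msg_class = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    return method, msg_class


def _attr(attr_type, value):
    """TLV attribute; the value is padded to a 4-byte boundary."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def xor_address(ip, port):
    """XOR-*-ADDRESS for IPv4 (family 0x01): port and address are XORed with the cookie."""
    raw = struct.unpack("!I", bytes(int(o) for o in ip.split(".")))[0]
    return struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), raw ^ MAGIC_COOKIE)


def build_message(method, msg_class, attrs, transaction_id=None):
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!HHI", encode_type(method, msg_class), len(body), MAGIC_COOKIE)
    return header + (transaction_id or os.urandom(12)) + body


def parse_message(data):
    """Return {method, class, transaction_id, attrs}; raise ValueError if not STUN."""
    if len(data) < HEADER_LEN:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    # The top two bits of a STUN message are always zero, so a QUIC long header
    # (0b11......) fails this check; that is how both can share one UDP socket.
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or len(data) < HEADER_LEN + length:
        raise ValueError("not a STUN message")
    method, msg_class = decode_type(msg_type)
    attrs, off, end = {}, HEADER_LEN, HEADER_LEN + length
    while off + 4 <= end:
        a_type, a_len = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + a_len]
        off += 4 + a_len + ((-a_len) % 4)
        if a_type in (ATTR_XOR_RELAYED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and value[1] == 0x01:
            _, _, x_port, x_ip = struct.unpack("!BBHI", value[:8])
            ip = ".".join(str(b) for b in struct.pack("!I", x_ip ^ MAGIC_COOKIE))
            attrs[a_type] = (ip, x_port ^ (MAGIC_COOKIE >> 16))
        elif a_type == ATTR_LIFETIME:
            attrs[a_type] = struct.unpack("!I", value)[0]
        elif a_type == ATTR_REQUESTED_TRANSPORT:
            attrs[a_type] = value[0]  # IANA protocol number; 17 = UDP
        else:
            attrs[a_type] = value
    return {"method": method, "class": msg_class, "transaction_id": data[8:20], "attrs": attrs}


def allocate_request(username, lifetime=600):
    """What a client (Teams, or a backdoor posing as one) sends to obtain a relay."""
    return build_message(METHOD_ALLOCATE, CLASS_REQUEST, [
        (ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0])),
        (ATTR_LIFETIME, struct.pack("!I", lifetime)),
        (ATTR_USERNAME, username.encode()),
    ])


def allocate_success(transaction_id, relayed_ip, relayed_port, lifetime=600):
    """Server reply carrying the relayed transport address the client now owns."""
    return build_message(METHOD_ALLOCATE, CLASS_SUCCESS, [
        (ATTR_XOR_RELAYED_ADDRESS, xor_address(relayed_ip, relayed_port)),
        (ATTR_LIFETIME, struct.pack("!I", lifetime)),
    ], transaction_id)


def is_allocate_request(data):
    """True only for a TURN Allocate request; False for anything else, STUN or not."""
    try:
        msg = parse_message(data)
    except ValueError:
        return False
    return (msg["method"], msg["class"]) == (METHOD_ALLOCATE, CLASS_REQUEST)


if __name__ == "__main__":
    req = allocate_request("anonymous-visitor")               # constructed username
    rsp = allocate_success(req[8:20], "203.0.113.7", 49152)   # constructed relay address
    print(is_allocate_request(req), parse_message(rsp)["attrs"][ATTR_XOR_RELAYED_ADDRESS])
```

Once the client holds the relayed address, everything it sends through the allocation (Send indications or ChannelData) is forwarded by Microsoft's server to whichever peer it names, which is why the backdoor's QUIC session to its real C2 never appears as a direct connection from the victim.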

This approach is dangerous because many organisations naturally allow Microsoft-related traffic through their networks. If defenders are not inspecting behaviour closely, malicious activity can hide inside what appears to be trusted cloud or collaboration platform traffic.

Initial Access Remains Unclear

Researchers have not confirmed exactly how the attackers first entered the victim's environment. However, analysts believe the initial access may have involved an unknown SQL or MSSQL server vulnerability, or access purchased from an initial access broker.

This part matters because many ransomware campaigns begin long before the actual encryption event. Attackers often first gain a foothold through exposed systems, stolen credentials, or vulnerable internet-facing services. Once inside, they slowly expand access and prepare for the final stage of the attack.

In this case, the intrusion reportedly began in December 2025. The attackers later deployed a malicious ZIP archive containing a legitimate VirtualBox executable and a weaponised DLL. DLL sideloading works because Windows resolves a DLL that an executable imports by name (one not on the KnownDLLs list) by searching the application's own directory first, so a malicious DLL dropped next to the signed, legitimate binary gets loaded into a process whose image is trusted, helping the code avoid immediate suspicion.

Attackers Modified Systems To Maintain Access

After the initial malware execution, the attackers carried out typical post-compromise activity. This included reconnaissance, credential harvesting, and movement across the network.

They also modified firewall rules, created additional user accounts, and changed system settings to preserve access. These actions suggest the attackers were not simply trying to deploy ransomware quickly. Instead, they were preparing the environment for long-term control and more reliable communication with their command-and-control infrastructure.

For defenders, this is a reminder that ransomware incidents are often multi-stage attacks. By the time ransomware is deployed, the attackers may already have spent weeks or months inside the network.

Security Tools Were Targeted At Kernel Level

One of the most serious parts of the campaign is its use of Bring Your Own Vulnerable Driver, or BYOVD, techniques. The method relies on a driver that is legitimately signed, so it loads cleanly under Driver Signature Enforcement, but contains a flaw, typically an IOCTL that hands the caller arbitrary kernel memory access or lets it terminate arbitrary processes. The attacker installs that driver and uses the flaw to kill or blind security tools from kernel mode, where user-mode tamper protection cannot intervene.

In this campaign, attackers reportedly used several vulnerable drivers, including a Huawei driver described by Symantec researchers as a "Havoc Process Terminator." Other abused drivers were linked to known vulnerabilities, and the attackers also deployed a malicious driver called Abyss Worker, disguised as a legitimate Palo Alto driver.

The purpose was clear: terminate or weaken endpoint security processes so the attackers could continue operating with less resistance. When threat actors start attacking security tools directly, it usually means they are moving into the later and more aggressive stages of an intrusion.

Why This Campaign Is Difficult To Detect

The main challenge is that the malicious traffic is designed to look normal. Many companies rely heavily on Microsoft Teams, so traffic to Microsoft-related domains is expected in most enterprise environments.

That means simple domain-based blocking or allowlisting is not enough. If defenders only see that traffic is going to Microsoft infrastructure, they may miss the unusual behaviour hidden inside the connection pattern.

This is why behavioural detection becomes important. Security teams need to look at unusual session lengths, unexpected QUIC activity, strange outbound communication frequency, large data transfers, and suspicious changes to local system configuration.
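As an added example of the behavioural checks just listed (not code from the page or from the vendor report), the script below scores constructed per-session records from an endpoint or flow sensor: relay ports used by a process other than the Teams client, relay sessions held open for hours, QUIC from a process that has no business speaking it, large outbound transfers, and near-periodic reconnects to one destination. The process allowlist, thresholds, destination addresses and every record are assumptions to be tuned per estate; the VirtualBox process name stands in for the sideloaded binary described earlier.

```python
"""Behavioural triage of outbound sessions that look like Teams media traffic.

Added example, not from the page or the vendor report. All records, the
process allowlist and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

TURN_PORTS = {3478, 3479, 3480, 3481}        # Teams media relay range (UDP)
TEAMS_PROCS = {"ms-teams.exe", "teams.exe"}  # assumed names of the real client
QUIC_PROCS = TEAMS_PROCS | {"chrome.exe", "msedge.exe", "firefox.exe"}
LONG_RELAY_S = 4 * 3600
LARGE_OUT_BYTES = 200 * 1024 * 1024
BEACON_MIN = 6          # reconnects needed before judging regularity
BEACON_MAX_CV = 0.15    # pstdev/mean of inter-session gaps; lower = more metronomic


@dataclass
class Session:
    host: str
    process: str
    dst: str
    dport: int
    proto: str          # "udp" or "tcp"
    start: int          # epoch seconds
    duration_s: int
    bytes_out: int
    quic: bool = False  # sensor saw a QUIC long header on this UDP flow


def score_session(s):
    """Per-session signals; an empty list means nothing stood out."""
    reasons = []
    proc = s.process.lower()
    relay = s.proto == "udp" and s.dport in TURN_PORTS
    if relay and proc not in TEAMS_PROCS:
        reasons.append(f"TURN relay port {s.dport} used by {s.process}")
    if relay and s.duration_s > LONG_RELAY_S:
        reasons.append(f"relay session held open {s.duration_s // 3600}h")
    if s.quic and proc not in QUIC_PROCS:
        reasons.append(f"QUIC from {s.process}")
    if s.bytes_out > LARGE_OUT_BYTES:
        reasons.append(f"{s.bytes_out >> 20} MiB sent outbound")
    return reasons


def beacon_groups(sessions):
    """Return {(host, process, dst): period_s} where start times are nearly periodic."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s.host, s.process.lower(), s.dst)].append(s.start)
    flagged = {}
    for key, starts in groups.items():
        if len(starts) < BEACON_MIN:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 1.0
        if cv <= BEACON_MAX_CV:
            flagged[key] = round(avg)
    return flagged


def triage(sessions):
    """Return {(host, process, dst): sorted reasons} for every suspicious tuple."""
    findings = defaultdict(set)
    for s in sessions:
        for r in score_session(s):
            findings[(s.host, s.process.lower(), s.dst)].add(r)
    for key, period in beacon_groups(sessions).items():
        findings[key].add(f"periodic reconnects every ~{period}s")
    return {k: sorted(v) for k, v in findings.items()}


# Constructed records (not real telemetry): an ordinary Teams call, a nine-hour
# relay session from a sideloaded VirtualBox binary, and a 5-minute beacon from
# the same binary to a second relay address.
SAMPLE = [
    Session("ws-042", "ms-teams.exe", "52.112.0.10", 3478, "udp", 1_700_000_000, 2700, 35 << 20),
    Session("srv-db01", "VirtualBox.exe", "52.112.0.10", 3478, "udp", 1_700_000_000, 9 * 3600, 12 << 20),
] + [
    Session("srv-db01", "VirtualBox.exe", "52.112.0.23", 3478, "udp", 1_700_100_000 + i * 300, 5, 4096)
    for i in range(8)
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE).items():
        print(key, reasons)
```

The destination check is deliberately absent: both the legitimate call and the backdoor talk to the same Microsoft relay range, so the signal has to come from which process opened the flow, how long it lived, and how regularly it came back.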

Recommended Defensive Measures

Security researchers recommend that organisations improve visibility around outbound traffic and pay closer attention to communication patterns involving trusted platforms. Microsoft services may be legitimate, but that does not mean every connection using them is automatically safe.

Organisations should also enforce vulnerable driver blocklists to reduce the risk of BYOVD attacks. This includes Microsoft's vulnerable driver blocklist, which is enforced when memory integrity (HVCI) is on or through a WDAC policy that includes it, together with application control rules that stop known risky drivers, and unsigned or unexpected ones, from being loaded at all.

Another important step is monitoring local configuration changes. Sudden firewall rule modifications, unexpected user account creation, relaxed password policies, or other unauthorised system changes should be treated as possible warning signs.
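The configuration-change signals above are most useful when correlated per host rather than alerted on one at a time. As an added example (not from the page or the vendor report), the script below reads constructed Windows event records in a simple "timestamp|host|event_id|detail" form and raises an alert when one host accumulates several distinct kinds of persistence or defence-evasion change inside a short window, or installs a kernel-mode driver service from a user-writable path, which is the BYOVD pattern from the earlier section. The event IDs are the real Windows ones (4720 account created, 4732 member added to a local group, 4739 domain policy changed, 4946/4947/4948 firewall rule added/modified/deleted, 7045 service installed); the window, the category threshold, the driver name and all records are assumptions.

```python
"""Correlate local configuration changes that precede ransomware staging.

Added example, not from the page or the vendor report. Records are constructed,
not real logs; the window and threshold are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CATEGORIES = {
    4720: "account created",
    4732: "member added to local group",
    4739: "domain policy changed",      # e.g. a relaxed password policy
    4946: "firewall rule added",
    4947: "firewall rule modified",
    4948: "firewall rule deleted",
    7045: "service installed",
}
WINDOW = timedelta(hours=24)
MIN_DISTINCT = 3
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_line(line):
    """'timestamp|host|event_id|detail' -> (datetime, host, int, detail)."""
    ts, host, eid, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, int(eid), detail


def correlate(lines):
    """Return [(host, reason)], with at most one cluster alert per host."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, eid, detail = parse_line(line)
        by_host[host].append((ts, eid, detail))
    alerts = []
    for host, events in by_host.items():
        events.sort()
        for i, (ts, _, _) in enumerate(events):
            window = [e for t, e, _ in events[i:] if t - ts <= WINDOW]
            cats = {CATEGORIES[e] for e in window if e in CATEGORIES}
            if len(cats) >= MIN_DISTINCT:
                hours = int(WINDOW.total_seconds() // 3600)
                alerts.append((host, f"{len(cats)} kinds of persistence/evasion change "
                                     f"within {hours}h: " + ", ".join(sorted(cats))))
                break
        for _, eid, detail in events:
            low = detail.lower()
            if eid == 7045 and "kernel mode driver" in low and any(p in low for p in USER_WRITABLE):
                alerts.append((host, "kernel-mode driver service installed from user-writable path"))
    return alerts


# Constructed records, not real logs. "demo_vuln" is a placeholder driver name.
SAMPLE = [
    "2025-12-14T02:03:11|srv-db01|4946|Rule added: Allow inbound TCP 3389 from any",
    "2025-12-14T02:05:40|srv-db01|4720|User account created: svc_backup",
    "2025-12-14T02:06:02|srv-db01|4732|Member added to local group Administrators: svc_backup",
    "2025-12-14T03:41:19|srv-db01|7045|Service installed: demo_vuln, Service Type: kernel mode driver, "
    "Path: C:\\Users\\Public\\demo_vuln.sys",
    "2025-12-14T09:12:00|ws-042|4946|Rule added: Allow inbound TCP 5353 (Printer)",
    "2025-12-20T11:00:00|ws-042|4947|Rule modified: Teams",
]

if __name__ == "__main__":
    for host, reason in correlate(SAMPLE):
        print(host, "->", reason)
```

A single firewall rule or new account on a workstation is routine; four different kinds of change on a database server in under two hours, plus a kernel driver loaded from a Public folder, is the staging described in the incident and should page someone.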

Patch management is also critical. Internet-facing web, SQL, and database systems should be updated quickly, because exposed and unpatched systems are often used as entry points for ransomware groups.

A Reminder That Trusted Platforms Can Be Misused

This campaign is a strong reminder that attackers do not always need obscure infrastructure to stay hidden. Sometimes, they abuse platforms that organisations already trust and use every day.

Microsoft Teams itself is not the only issue here. The bigger lesson is that cloud services, collaboration platforms, and enterprise communication tools can become useful cover for attackers when monitoring is too broad or too trusting.

For organisations, the response should not be panic, but better visibility. Teams and other enterprise platforms remain essential tools, but security teams need to monitor how they are being used, not just whether the destination appears legitimate.

As ransomware groups continue to evolve, the line between normal business traffic and hidden malicious activity is becoming harder to see. Campaigns like this show why modern defence requires behavioural analytics, strong endpoint protection, strict driver controls, and careful monitoring of trusted service traffic.

Saturday, 20 June 2026
