DragonForce ransomware operators spent between one and two months inside a major US services firm before deploying encryption — concealing every command-and-control communication inside legitimate Microsoft Teams relay infrastructure. Symantec (Broadcom) disclosed the technique on 16 June 2026, identifying a custom Go-based remote access trojan they track as Backdoor.Turn. The evasion method represents the first known weaponisation of Microsoft’s TURN relay infrastructure as a C2 channel and defeats network-based detection tools that cannot distinguish malicious QUIC traffic from legitimate Teams collaboration traffic.
Technical Mechanism
Backdoor.Turn obtains an anonymous visitor token from Microsoft’s Skype-backed identity services — a feature designed to allow unauthenticated guests to join Teams meetings. It then uses a legitimate Microsoft TURN (Traversal Using Relays around NAT) relay to establish a covert QUIC session to the attacker’s real C2 infrastructure. To a network security product monitoring egress, all that is visible is a connection to Microsoft-owned IP addresses on standard Teams ports.
The backdoor’s capabilities extend well beyond simple connectivity. Confirmed functions include command execution, process creation, network scanning, TLS certificate capture, LDAP and Active Directory enumeration, lateral movement using stolen credentials, and browser credential extraction. Combined, these capabilities give operators persistent, privileged access that, on the network, looks no different from a user attending a Teams meeting.
Attack Chain
Symantec attributes initial access to an unpatched vulnerability in a Microsoft SQL Server (MSSQL) instance. Following initial compromise, the operators deployed four separate Bring Your Own Vulnerable Driver (BYOVD) techniques to terminate endpoint detection and response software before deploying Backdoor.Turn for persistence and exfiltration. The pre-encryption phase lasted one to two months — consistent with DragonForce’s documented pattern of extended reconnaissance and data theft before ransom deployment.
DragonForce, tracked by Symantec as Hackledorb, has been active since at least June 2023 and has evolved from a standard ransomware-as-a-service model into a structured cartel operation, with affiliates responsible for initial access and the core team providing tooling and negotiation infrastructure.
Sector Implications
The TURN relay abuse is significant beyond this single incident. Microsoft Teams is deployed across virtually every large enterprise in finance, professional services, critical infrastructure, and government. Any organisation using Teams — including the majority of targets DragonForce historically pursues — has pre-existing outbound connectivity to Microsoft relay infrastructure, meaning the evasion technique requires no new network allowances and generates no anomalous firewall alerts.
The MSSQL initial access vector is particularly relevant to finance and professional services environments where SQL Server instances frequently exist in internet-exposed or poorly segmented configurations. Combined with the BYOVD EDR termination chain, this attack successfully neutralised both network-layer and endpoint-layer detection mechanisms.
Recommended Actions
Restrict Teams anonymous token generation. Microsoft allows administrators to disable anonymous meeting join in Teams admin settings. Disabling this feature removes the mechanism Backdoor.Turn uses to obtain its initial relay token. Organisations that do not require anonymous Teams join — the majority of enterprise deployments — should disable it immediately.
Implement MSSQL hardening. Audit all internet-exposed SQL Server instances. Apply current patches, enforce network-level access controls, and rotate credentials on any instance that may have been externally accessible. MSSQL initial access is a recurrent pattern across multiple ransomware groups, not only DragonForce.
Monitor for BYOVD driver patterns. DragonForce used four BYOVD techniques against a presumably patched EDR deployment. Cross-reference the drivers currently loaded in your environment against the LOLDrivers vulnerable-driver database and enforce driver blocklisting via Windows Defender Application Control or equivalent.
Inspect QUIC traffic. Where QUIC traffic cannot be inspected at the network perimeter, consider restricting UDP 443 to approved endpoints only. This affects some legitimate applications but eliminates a growing class of C2 evasion that specifically targets environments which block only TCP-based exfiltration.
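As an added illustration (not Symantec's detection logic and not code from the original report), the following Python scores UDP flows bound for Teams relay address space on the three signals the incident implies: a server-role host such as a SQL Server reaching a relay, a non-Teams process owning the socket, and a session far longer than any meeting. The relay prefixes, ports, process names and role labels are assumed placeholders, and the telemetry is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values (placeholders): replace with Microsoft's published Teams relay
# prefixes, the relay ports your clients use, and your own inventory's role names.
RELAY_PREFIXES = [ipaddress.ip_network(p) for p in ("52.112.0.0/14", "52.122.0.0/15")]
RELAY_PORTS = {443, 3478, 3479, 3480, 3481}
TEAMS_BINARIES = {"ms-teams.exe", "teams.exe"}   # legitimate client process names
SERVER_ROLES = {"sql", "dc", "file"}             # hosts that never join meetings
LONG_SESSION_S = 8 * 3600                        # longer than any plausible meeting

@dataclass
class Flow:            # one flow record joined with EDR process and inventory data
    host: str
    role: str          # asset role from the inventory
    proc: str          # process owning the socket
    proto: str
    dst_ip: str
    dst_port: int
    duration_s: int

def is_relay_dst(ip: str, port: int) -> bool:
    addr = ipaddress.ip_address(ip)
    return port in RELAY_PORTS and any(addr in net for net in RELAY_PREFIXES)

def score_flow(f: Flow) -> list[str]:
    # Reasons a relay-bound UDP flow deserves review; an empty list means benign.
    if f.proto != "udp" or not is_relay_dst(f.dst_ip, f.dst_port):
        return []
    reasons = []
    if f.role in SERVER_ROLES:
        reasons.append("server-role host talking to a Teams relay")
    if f.proc.lower() not in TEAMS_BINARIES:
        reasons.append(f"non-Teams process {f.proc} owns the socket")
    if f.duration_s >= LONG_SESSION_S:
        reasons.append("session longer than any plausible meeting")
    return reasons

def detect(flows: list[Flow]) -> dict[str, list[str]]:
    # Map "host/process" to its reasons, keeping only flows that scored.
    hits: dict[str, list[str]] = {}
    for f in flows:
        if reasons := score_flow(f):
            hits.setdefault(f"{f.host}/{f.proc}", []).extend(reasons)
    return hits

# Constructed sample telemetry (not from the incident): a benign Teams user, a SQL
# server holding a day-long UDP/443 relay session from svchost, an odd workstation.
SAMPLE_FLOWS = [
    Flow("ws-0412", "workstation", "ms-teams.exe", "udp", "52.113.10.5", 3478, 1800),
    Flow("sql-prod-01", "sql", "svchost.exe", "udp", "52.113.10.5", 443, 86400),
    Flow("sql-prod-01", "sql", "sqlservr.exe", "tcp", "10.0.5.20", 1433, 12),
    Flow("ws-0099", "workstation", "updater.exe", "udp", "52.123.4.4", 3480, 600),
]
```

Feeding `detect(SAMPLE_FLOWS)` real flow records joined with process and inventory data surfaces the SQL host and the stray workstation process while leaving the ordinary Teams user alone.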
The broader implication is that collaboration infrastructure — Teams, Slack, and similar platforms — is becoming an increasingly attractive C2 channel precisely because it has blanket network allowance in enterprise environments and generates no alerts. Defenders should begin treating outbound collaboration traffic as no more trusted than any other outbound channel.