As reported by Bleeping Computer, DragonForce ransomware has been observed using a novel technique to hide its command-and-control (C2) traffic by routing it through Microsoft Teams' relay infrastructure.

The DragonForce ransomware operation, active since 2023 and linked to the Scattered Spider threat group, has employed custom Go-based malware dubbed "Backdoor.Turn". This malware abuses the Traversal Using Relays around NAT (TURN) protocol, which Microsoft Teams uses for message relay when direct connections fail. By obtaining an anonymous Teams visitor token and using legitimate Microsoft TURN relays, attackers can mask their C2 communications as normal Teams traffic, making detection significantly harder for defenders. This tactic was first conceptualized in 2025 by Praetorian with the "Ghost Calls" technique, but Backdoor.Turn is the first known malware to implement it in the wild.

The observed attack against a U.S. services company in December 2025 involved exploiting an SQL server flaw, followed by privilege escalation using multiple vulnerable drivers (BYOVD) to disable security tools. The Backdoor.Turn RAT was later deployed for persistence and data exfiltration before the final ransomware encryption. Researchers noted the attackers' sophisticated methods and have provided indicators of compromise.

Source: Bleeping Computer
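
A hunting check for the relay abuse described above, as an added example that is not from the report or from Bleeping Computer: it flags processes other than Teams clients or browsers that connect to Teams relay addresses on TURN ports. The relay ranges and ports are taken from Microsoft's published Microsoft 365 endpoint list and should be refreshed before use; the process allowlist, field names and sample events are constructed assumptions.

```python
import ipaddress

# Assumption: Teams media relay ranges and ports from Microsoft's published
# Microsoft 365 endpoint list; refresh from that list before relying on them.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in
                    ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TURN_UDP_PORTS = {3478, 3479, 3480, 3481}

# Assumption: images expected to reach Teams relays in this environment.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe",
                   "msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed events shaped like process-attributed network telemetry
# (for example Sysmon Event ID 3); not data from the reported incident.
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": r"C:\Program Files\Teams\Teams.exe",
     "proto": "udp", "dst_ip": "52.113.10.20", "dst_port": 3478},
    {"host": "srv-db02", "image": r"C:\ProgramData\upd\helper.exe",
     "proto": "udp", "dst_ip": "52.114.5.6", "dst_port": 3479},
    {"host": "ws-031", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "proto": "tcp", "dst_ip": "52.112.1.1", "dst_port": 443},
    {"host": "srv-app07", "image": r"C:\Windows\Temp\svc.exe",
     "proto": "tcp", "dst_ip": "52.122.3.4", "dst_port": 443},
    {"host": "ws-044", "image": r"C:\Tools\sync.exe",
     "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443},
]

def is_teams_relay(ip):
    """True when the destination falls inside a listed Teams relay range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_RELAY_NETS)

def image_name(path):
    """Lower-cased file name of a Windows process image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_unexpected_relay_clients(events):
    """Return events where a non-allowlisted image talks to a Teams relay."""
    hits = []
    for ev in events:
        turn_like = ((ev["proto"] == "udp" and ev["dst_port"] in TURN_UDP_PORTS)
                     or (ev["proto"] == "tcp" and ev["dst_port"] == 443))
        if (turn_like and is_teams_relay(ev["dst_ip"])
                and image_name(ev["image"]) not in EXPECTED_IMAGES):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_unexpected_relay_clients(SAMPLE_EVENTS):
        print(ev["host"], image_name(ev["image"]), ev["dst_ip"], ev["dst_port"])
```

Matching on the image file name alone can be defeated by renaming a binary, so a production rule should also check the image path and code-signing publisher. Servers that have no reason to run Teams are the highest-value hits.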
DragonForce ransomware uses Microsoft Teams for covert command and control




