DragonForce Ransomware Exploited Microsoft Teams to Hide Attack

By Team-CWD, June 16, 2026

A notorious ransomware group secretly infiltrated the network of a major company for up to two months by hiding command and control (C&C) traffic in Microsoft Teams, before unleashing their attack, researchers have warned.

The investigation report, published by Symantec and Carbon Black on 16 June, warned that attackers deployed DragonForce ransomware on the network of a “major US services firm.”

The cybercriminals used a Go-based Remote Access Trojan (RAT) to abuse Microsoft Teams’ TURN relay servers and mask command-and-control traffic. The backdoor, which researchers dubbed Backdoor.Turn, altered the traffic so all defenders could see was outbound connections to legitimate Microsoft Teams servers.

Backdoor.Turn was used to obtain an anonymous Teams visitor token from Microsoft’s Skype-backed identity services before using a legitimate Microsoft TURN relay to set up a connection. The attackers then ran a session over the QUIC transport-layer protocol, which linked the infected machine to an attacker-controlled server.
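Because the destination is a legitimate Teams relay, one defensive pivot is to ask which process on the endpoint opened the connection. The following is an added example, not code from the Symantec and Carbon Black report: it scans constructed endpoint network records (field names follow Sysmon Event ID 3) and counts relay connections made by binaries that are not expected Teams clients. The relay ranges, the UDP media ports and the expected-binary list are assumptions to be replaced with your own data.

```python
import ipaddress
from collections import defaultdict

# Assumption: Teams media relay ranges and ports; refresh them from Microsoft's
# published Microsoft 365 endpoint list before relying on this.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in
                    ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481}
# Assumption: binaries expected to use Teams relays in this environment.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}

def is_teams_relay(ip, port):
    """True when ip:port falls inside the assumed Teams relay ranges and ports."""
    addr = ipaddress.ip_address(ip)
    return port in TEAMS_RELAY_PORTS and any(addr in n for n in TEAMS_RELAY_NETS)

def unexpected_relay_clients(events):
    """Count relay connections per (host, image) for unexpected processes."""
    hits = defaultdict(int)
    for ev in events:
        if not is_teams_relay(ev["DestinationIp"], ev["DestinationPort"]):
            continue
        name = ev["Image"].rsplit("\\", 1)[-1].lower()
        if name not in EXPECTED_IMAGES:
            hits[(ev["Computer"], ev["Image"])] += 1
    return dict(hits)

# Constructed sample records; hosts, paths and addresses are illustrative only.
SAMPLE = [
    {"Computer": "WS01", "Image": r"C:\Apps\Teams\ms-teams.exe", "DestinationIp": "52.114.10.20", "DestinationPort": 3478},
    {"Computer": "SQL01", "Image": r"C:\ProgramData\svc\updater.exe", "DestinationIp": "52.113.5.9", "DestinationPort": 3478},
    {"Computer": "SQL01", "Image": r"C:\ProgramData\svc\updater.exe", "DestinationIp": "52.123.1.1", "DestinationPort": 3479},
    {"Computer": "SQL01", "Image": r"C:\ProgramData\svc\updater.exe", "DestinationIp": "8.8.8.8", "DestinationPort": 3478},
    {"Computer": "WS02", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationIp": "13.107.64.5", "DestinationPort": 3480},
]

if __name__ == "__main__":
    for (host, image), count in unexpected_relay_clients(SAMPLE).items():
        print(f"{host}: {image} made {count} Teams relay connection(s)")
```

File names can be spoofed, so a production rule should match on code-signing identity or full install path rather than the bare image name. Servers that have no Teams client installed at all are the highest-signal place to apply it.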

The attackers also exploited what, at the time of the attack, was an undocumented vulnerability in a Huawei driver to help mask their activity. The vulnerability was later detailed by Huntress in March 2026.

To help maintain persistence on the network, the attackers altered configurations and systems. This included removing the Limit Blank Password security setting to allow easy access to the compromised machines, creating new user accounts to maintain or gain additional access, and modifying firewall rules to facilitate remote access and ensure C&C communication remained unhindered.
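Each of these three changes is individually common in normal administration, so the useful signal is seeing several of them on one host in a short period. The following is an added example, not taken from the report: it classifies constructed Windows event records (Sysmon registry events 12/13, Security events 4720, 4946 and 4947) and flags hosts where at least two of the three change types fall within 24 hours. The record layout, the window and the threshold are assumptions.

```python
from datetime import datetime, timedelta

# Registry value behind the "Limit blank password use" policy (suffix match).
LSA_VALUE = r"\control\lsa\limitblankpassworduse"

def classify(ev):
    """Map one record to a persistence category named in the article, or None."""
    src, eid = ev["source"], ev["event_id"]
    if src == "sysmon" and eid in (12, 13):  # registry delete / value set
        target = ev.get("TargetObject", "").lower()
        still_enforced = ev.get("Details", "").endswith("0x00000001)")
        if target.endswith(LSA_VALUE) and not still_enforced:
            return "blank_password_limit_changed"
    if src == "security" and eid == 4720:  # user account created
        return "account_created"
    if src == "security" and eid in (4946, 4947):  # firewall rule added / modified
        return "firewall_rule_changed"
    return None

def correlated_hosts(events, window=timedelta(hours=24), min_kinds=2):
    """Return {host: sorted kinds} where >= min_kinds kinds share one window."""
    per_host = {}
    for ev in events:
        kind = classify(ev)
        if kind:
            stamp = datetime.fromisoformat(ev["time"])
            per_host.setdefault(ev["host"], []).append((stamp, kind))
    flagged = {}
    for host, items in per_host.items():
        items.sort()
        best = set()
        for i, (start, _) in enumerate(items):
            kinds = {k for t, k in items[i:] if t - start <= window}
            best = max(best, kinds, key=len)
        if len(best) >= min_kinds:
            flagged[host] = sorted(best)
    return flagged

# Constructed sample records; hosts, times and values are illustrative only.
LSA_KEY = r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"
SAMPLE = [
    {"host": "SQL01", "time": "2025-03-01T02:10:00", "source": "sysmon", "event_id": 13, "TargetObject": LSA_KEY, "Details": "DWORD (0x00000000)"},
    {"host": "SQL01", "time": "2025-03-01T02:14:00", "source": "security", "event_id": 4720},
    {"host": "SQL01", "time": "2025-03-01T02:20:00", "source": "security", "event_id": 4946},
    {"host": "WS07", "time": "2025-03-01T09:00:00", "source": "security", "event_id": 4720},
    {"host": "WS07", "time": "2025-03-04T09:00:00", "source": "security", "event_id": 4947},
    {"host": "WS09", "time": "2025-03-02T11:00:00", "source": "sysmon", "event_id": 13, "TargetObject": LSA_KEY, "Details": "DWORD (0x00000001)"},
]
print(correlated_hosts(SAMPLE))
```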


These changes, combined with the capabilities of Backdoor.Turn – code execution, network scanning, credential-based lateral movement within the network and browser credential theft from compromised endpoints – allowed the attackers to secretly gain remote access to the network over time.

All of this was abetted by stealthily hiding C&C traffic in Microsoft Teams.

“The attackers in this campaign use exceptionally sophisticated cyber tradecraft. The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors,” researchers warned in the blog post.

This incident took place in 2025, and the attackers were able to deploy DragonForce ransomware to exfiltrate data and encrypt the victim machines. There is no indication as to whether the victim paid the ransom to obtain the decryption key or encouraged the attackers to delete the data. Researchers believe the attack started when the attackers gained access to the victim network by exploiting a vulnerability in either an SQL or MSSQL server.

DragonForce has become one of the most notorious ransomware groups of recent times, accounting for a significant percentage of incidents. The group has claimed several major retailers as victims.

“The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today,” researchers warned.


