DragonForce Deploys First Known Malware Abusing Microsoft Teams TURN Relays for Stealth C2

The infection began with likely purchased access via an MSSQL exposure, followed by DLL sideloading, BYOVD driver exploitation for kernel access, and deployment of both ransomware and the Go-based backdoor. Backdoor.Turn obtains visitor tokens from Microsoft identity services, establishes TURN-relayed connections that appear as standard Teams traffic, and then tunnels to attacker infrastructure. This hides all C2 within expected enterprise flows, defeating signature-based detection on widely deployed collaboration platforms. Symantec researchers correctly identified the novelty but understated the broader pattern: multiple ransomware actors are shifting from custom domains to abused SaaS relay infrastructure. DragonForce's cartel structure and resource investment in custom Go tooling signals maturing operational capacity rather than opportunistic crimeware reuse. The technique exploits implicit trust in Microsoft cloud edge services without requiring account compromise. Defenders relying on tenant logs or Teams-specific monitoring will see only legitimate relay endpoints. Procurement records show Microsoft has expanded TURN capacity for global low-latency calling; this same scale now provides attackers durable, high-reputation egress paths. Expect similar abuse against other real-time collaboration relays within 12 months unless authentication or traffic-validation changes are introduced.