Attackers Weaponize Microsoft Teams Relays to Stay Hidden

Description

Attackers deploying DragonForce ransomware against a major U.S. services firm concealed their command-and-control traffic within Microsoft Teams relay infrastructure using Backdoor.Turn, a custom Go-based remote access trojan. This novel technique leverages anonymous Teams visitor tokens and TURN relay servers to mask malicious communications as legitimate Microsoft traffic. The intrusion lasted one to two months, beginning in December 2025 with exploitation of an SQL server vulnerability. Attackers employed sophisticated defense evasion tactics including DLL side-loading with VirtualBox executables and multiple Bring Your Own Vulnerable Driver techniques. They exploited a previously unknown vulnerability in Huawei's HWAuidoOs2Ec.sys driver, along with several other vulnerable drivers, to terminate security processes at kernel level. The campaign demonstrates DragonForce's evolution into a highly capable ransomware cartel with advanced operational maturity.