- Symantec Confirms DragonForce Ransomware Operators Used Microsoft Teams TURN Relays for Covert C2 Traffic
- Custom Go-based RAT “Backdoor.Turn” hid malicious activity as normal Teams communications
- First use in the wild of the “ghost calls” technique; the campaign shows very sophisticated tradecraft, with links to Scattered Spider
Experts have warned that cybercriminals are using Microsoft Teams relays as command and control (C2) infrastructure, mixing malicious traffic with innocuous corporate communications.
In Microsoft Teams, a relay is a server that helps route audio and video traffic when a direct connection between participants is not possible (for example, if they are on a corporate network or behind a firewall).
According to security researchers Symantec, in December 2025, DragonForce ransomware operators targeted a large US services company, likely abusing an unknown flaw in a SQL or MSSQL server to gain a foothold on their target’s network and, among other things, deployed custom backdoor malware called “Backdoor.Turn”.
Symantec claims that this backdoor abuses the Traversal Using Relays around NAT (TURN) protocol, a feature used by Teams when two (or more) participants cannot establish a direct connection. This way, defenders only see Teams traffic, which is usually not scrutinized.
BleepingComputer says this technique was first demonstrated in 2025 by Praetorian, which nicknamed it “Ghost Calls”, but this is the first time anyone has actually used it in the wild.
“Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams’ TURN relay servers to hide command and control traffic,” Symantec said.
Who is DragonForce?
DragonForce is an old group, by ransomware standards, first spotted in 2023. It has been linked to the infamous Scattered Spider organization and, in 2025, adopted a cartel model.
By offering a white-label affiliate model, it allows others to use its infrastructure and malware while branding the attacks under their own names. With this model, affiliates do not need to manage infrastructure, and DragonForce takes care of negotiation sites, malware development and data leak sites.
Symantec said the attackers carrying out this campaign are “using exceptionally sophisticated cyber commerce.” A complete list of Indicators of Compromise (IoC) can be found at this link.
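Because the relay traffic blends in with Teams, one defensive angle is to check which process opened the connection. The following is an added example, not code from Symantec, Praetorian or the original article: it flags processes outside an expected-client allowlist that connect to Teams relay address space. The IP ranges, ports and allowlist are assumptions to verify against Microsoft's current endpoint list and your own environment, and the sample events are constructed, using Sysmon Event ID 3 field names.

```python
import ipaddress
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Assumption: Teams media/relay ranges and ports; verify against Microsoft's
# published Microsoft 365 endpoint list before relying on them.
TEAMS_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
RELAY_PORTS = {("udp", p) for p in range(3478, 3482)} | {("tcp", 443)}
# Assumption: binaries expected to reach the relays in this environment.
EXPECTED = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe", "msedge.exe", "chrome.exe"}

def is_relay_flow(ev):
    """True if the event's destination is inside the assumed Teams relay space."""
    try:
        addr = ipaddress.ip_address(ev["DestinationIp"])
    except ValueError:
        return False  # malformed address field
    key = (ev["Protocol"].lower(), int(ev["DestinationPort"]))
    return key in RELAY_PORTS and any(addr in net for net in TEAMS_NETS)

def unexpected_relay_clients(events):
    """Map each non-allowlisted image path to the relay IPs it contacted."""
    hits = defaultdict(set)
    for ev in events:
        if is_relay_flow(ev) and basename(ev["Image"]).lower() not in EXPECTED:
            hits[ev["Image"]].add(ev["DestinationIp"])
    return {image: sorted(ips) for image, ips in hits.items()}

# Constructed sample events (hypothetical paths and addresses).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "Protocol": "udp", "DestinationIp": "52.114.10.20", "DestinationPort": "3479"},
    {"Image": r"C:\ProgramData\svc\updater.exe",
     "Protocol": "udp", "DestinationIp": "52.113.200.5", "DestinationPort": "3478"},
    {"Image": r"C:\ProgramData\svc\updater.exe",
     "Protocol": "tcp", "DestinationIp": "52.123.1.9", "DestinationPort": "443"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "tcp", "DestinationIp": "142.250.0.1", "DestinationPort": "443"},
    {"Image": r"C:\ProgramData\svc\updater.exe",
     "Protocol": "udp", "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for image, ips in unexpected_relay_clients(SAMPLE_EVENTS).items():
        print(f"review: {image} -> {', '.join(ips)}")
```

A name-based allowlist can be defeated by a renamed binary, so in practice pair it with path or signer checks on the flagged image.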





