Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden

Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic. The attackers also used a previously unknown vulnerability in a Huawei driver.

Attackers deploying the DragonForce ransomware against a major U.S. services firm hid their command-and-control (C&C) traffic inside Microsoft Teams’ own relay infrastructure, using a custom Go-based backdoor that Symantec is tracking as Backdoor.Turn. To network defenders, the only visible traffic was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months.

Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server. To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild. It is relatively unusual to see ransomware attackers using their own custom tools, and it is particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn.

The attackers also use the Bring Your Own Vulnerable Driver (BYOVD) technique for defense evasion, including a novel attack exploiting the Havoc Process Terminator, in which they use a custom technique to leverage Huawei’s HWAuidoOs2Ec.sys. This driver wasn’t known to be exploited like this in the wild prior to this attack, though its vulnerable status was documented by researchers at Huntress in March 2026, after this attack happened.

Attack chain

It appears that the attackers gained access to the victim network by exploiting a vulnerability in either an SQL or MSSQL server, although which vulnerability this may have been is not known. It is also possible that the attackers purchased access from an access broker. The activity began on the victim network in December 2025. Once on the network, they downloaded a .zip archive containing, among other things, a legitimate VirtualBox/DbgView executable alongside a malicious DLL intended to be sideloaded. When executed, the malicious vboxrt.dll downloads code from a list of servers, and that code is used for numerous purposes, such as securing access, reconnaissance, and evading detection (see Figure 1).

To maintain persistence and resilience, the threat actor performed specific system configurations, including:

  • Using LimitBlankPassword to allow for easy access to the compromised machines
  • Performing user/group addition to create another way to access the machines
  • Modifying firewall rules to facilitate remote access and ensure C&C communication remains unhindered.
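The three configuration changes above each leave a record in the Windows Security log, so they can be triaged together. The following is an added example (not Symantec's tooling) that runs over constructed event records with simplified flat fields; it assumes that "LimitBlankPassword" refers to the LSA registry value LimitBlankPasswordUse, and it treats the Administrators and Remote Desktop Users groups as the privileged groups of interest.

```python
"""Triage of Windows Security event records for the persistence changes
described above. Added example, not Symantec's tooling. The event records
are constructed for illustration; field names follow the Windows Security
log but are flattened into plain dicts."""
from dataclasses import dataclass

# Assumption: "LimitBlankPassword" refers to the LSA value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse.
# Windows defaults it to 1; a value of 0 permits network logons with blank passwords.
LSA_BLANK_PW_VALUE = "LimitBlankPasswordUse"

# Local groups whose membership grants remote or administrative access.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Event IDs used: 4657 registry value modified, 4720 user account created,
# 4732 member added to a security-enabled local group, 4946/4947 firewall
# rule added/modified.


@dataclass
class Event:
    event_id: int
    fields: dict


def triage_persistence_events(events):
    """Return (rule, detail, actor) tuples for the persistence changes found."""
    findings = []
    created_users = set()
    for ev in events:
        f = ev.fields
        actor = f.get("SubjectUserName", "?")
        if (ev.event_id == 4657 and f.get("ObjectValueName") == LSA_BLANK_PW_VALUE
                and f.get("NewValue") == "0"):
            findings.append(("blank_password_logon_enabled", f.get("ObjectName", ""), actor))
        elif ev.event_id == 4720:
            created_users.add(f.get("TargetUserName"))
            findings.append(("local_user_created", f.get("TargetUserName"), actor))
        elif ev.event_id == 4732 and f.get("TargetUserName") in PRIVILEGED_GROUPS:
            member = f.get("MemberName", "")
            # A freshly created account landing in a privileged group is the
            # "another way to access the machine" pattern described above.
            rule = ("new_user_added_to_privileged_group"
                    if member.split("\\")[-1] in created_users
                    else "privileged_group_member_added")
            findings.append((rule, f"{member} -> {f['TargetUserName']}", actor))
        elif ev.event_id in (4946, 4947):
            # These firewall events carry neither direction nor action, so the
            # rule name is reported for follow-up against the live rule set.
            findings.append(("firewall_rule_changed", f.get("RuleName", ""), actor))
    return findings


# Constructed sample: an attacker-controlled service account reconfigures LSA,
# creates a backdoor user, makes it an administrator and edits a firewall rule;
# two benign records are mixed in.
SAMPLE_EVENTS = [
    Event(4657, {"SubjectUserName": "sqlsvc",
                 "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa",
                 "ObjectValueName": "LimitBlankPasswordUse", "OldValue": "1", "NewValue": "0"}),
    Event(4720, {"SubjectUserName": "sqlsvc", "TargetUserName": "svc_backup"}),
    Event(4732, {"SubjectUserName": "sqlsvc", "MemberName": "SRV-DB1\\svc_backup",
                 "TargetUserName": "Administrators"}),
    Event(4732, {"SubjectUserName": "itadmin", "MemberName": "CORP\\jdoe",
                 "TargetUserName": "Users"}),  # benign: unprivileged group
    Event(4947, {"RuleName": "Remote Support Access"}),
    Event(4657, {"SubjectUserName": "itadmin",
                 "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                 "ObjectValueName": "EnableLUA", "OldValue": "1", "NewValue": "1"}),  # unrelated value
]

if __name__ == "__main__":
    for finding in triage_persistence_events(SAMPLE_EVENTS):
        print(finding)
```

In production the records would come from an event forwarder or SIEM query rather than a list; the rules above are the ones to port, in particular the correlation of a 4720 with a later 4732 by the same actor.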

The attackers also weaponized DLL hijacking against the VirtualBox application. By forcing a legitimate, signed executable to load their malicious DLL, they bypassed security monitoring and achieved code execution with the high privileges of the trusted VirtualBox process.

Figure 1. Attack chain

The group also employed a sophisticated Bring Your Own Vulnerable Driver (BYOVD) strategy for defense evasion. They exploited known vulnerabilities in legitimate, signed drivers to gain kernel-level access, which was then used to terminate security processes. Key examples observed include:

  1. Novel “Havoc Process Terminator”: A custom technique leveraging Huawei’s HWAuidoOs2Ec.sys. This suggests specialized effort in developing novel evasion methods.
  2. CVE-2023-52271: Exploitation of Topaz Antifraud’s wsftprm.sys.
  3. CVE-2025-61155: Exploitation of Tower of Fantasy’s Gamedriverx64.sys.
  4. CVE-2025-1055: Exploitation of K7 Security Anti-Malware’s K7RKScan.sys

The attackers also use the Abyss Worker driver for defense evasion, which doesn’t really fit the definition of BYOVD, as it is a custom-built malicious driver that masquerades as a legitimate Palo Alto driver. It is relatively unusual to see attackers use drivers like this in attacks; most stick to the traditional BYOVD approach of leveraging weaknesses in legitimate drivers.
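Both the BYOVD drivers listed above and the custom Abyss Worker driver are loaded through the normal driver-load path, so a driver-load telemetry check covers both. The following is an added example (not Symantec's tooling) that triages records shaped like Sysmon Event ID 6 (Driver loaded) using the driver hashes from this report's IoC list, plus two hash-independent heuristics: a driver loaded from a user-writable directory, and a driver whose signature did not validate. The sample events and the directory list are constructed assumptions.

```python
"""Triage of driver-load records (Sysmon Event ID 6 fields) against the
vulnerable and malicious drivers listed in this report's IoCs, plus two
hash-independent heuristics. Added example, not Symantec's tooling; the
sample events are constructed."""
import re

# SHA-256 values from the IoC list in this report, keyed to their labels there.
KNOWN_BAD_DRIVER_SHA256 = {
    "b6628d201c2a68d2a3de2a87de7a5acfe21b101a97928e1c8d5c82102d967383": "GameDriverx64 vulnerable driver",
    "b16e217cdca19e00c1b68bdfb28ead53b20adeabd6edcd91542f9fbf48942877": "K7 vulnerable driver",
    "252a8bb2eb9c96c5e6cc7cab822e2ed0d508032f9350351221781684e86c03ab": "Topaz Antifraud vulnerable driver",
    "087f002df0a02c8c74f3ba5cd99cf29fb9efff38bf57b3d808e34a5dd4200dd2": "Tower of Fantasy vulnerable driver",
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531": "Havoc Process Terminator",
    "8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2": "ABYSSWORKER driver",
    "65ab49119c845801f29a57e8aa177146b2ffbd289d4278109b146f933380f951": "ABYSSWORKER driver",
}

# Assumption: legitimate drivers on these hosts live under System32\drivers;
# a driver loaded from a user-writable location deserves review even when
# it carries a valid signature, which BYOVD drivers do by definition.
UNUSUAL_DRIVER_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")


def sha256_from_hashes(hashes_field):
    """Extract the SHA256 entry from a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes_field or "")
    return m.group(1).lower() if m else None


def check_driver_load(event):
    """Return the reasons a driver-load event is suspicious (empty list if none)."""
    reasons = []
    path = event.get("ImageLoaded", "")
    digest = sha256_from_hashes(event.get("Hashes"))
    if digest in KNOWN_BAD_DRIVER_SHA256:
        reasons.append("known_bad_driver: " + KNOWN_BAD_DRIVER_SHA256[digest])
    if path.lower().startswith(UNUSUAL_DRIVER_DIRS):
        reasons.append("loaded_from_unusual_path")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature_not_valid")
    return reasons


def triage_driver_loads(events):
    """Map each flagged driver path to its list of reasons."""
    return {e["ImageLoaded"]: r for e in events if (r := check_driver_load(e))}


# Constructed sample records. The all-zero and all-one digests stand in for
# hashes of benign drivers; the two bad hashes come from the IoC list.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=" + "0" * 64, "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\ProgramData\\drv\\Gamedriverx64.sys",
     "Hashes": "SHA256=b6628d201c2a68d2a3de2a87de7a5acfe21b101a97928e1c8d5c82102d967383,MD5=00000000000000000000000000000000",
     "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\update.sys",  # constructed file name
     "Hashes": "SHA256=8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2",
     "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\helper.sys",
     "Hashes": "SHA256=" + "1" * 64, "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path, reasons in triage_driver_loads(SAMPLE_EVENTS).items():
        print(path, reasons)
```

The hash list is only as good as the last report it was built from; the path and signature heuristics are what catch the next vulnerable driver before it has a known hash, at the cost of some review of legitimate installers that stage drivers under ProgramData.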

Following reconnaissance and defense evasion, the group deployed the DragonForce ransomware payload to exfiltrate data and encrypt the victim machines. 

Backdoor.Turn

The most noteworthy tool used in this operation is Backdoor.Turn, a new Go-based remote access backdoor, injected into the legitimate DbgView64.exe process for stealth. It is installed on victim machines after the ransomware is deployed, indicating that the attackers may be using it for persistence, to facilitate a later intrusion, or to resell access to other malicious actors.  

The mechanism is inspired by the Ghost Calls technique, presented at Black Hat in 2025, which focuses on highly stealthy C&C communication that is difficult for network defenses to profile.

The backdoor first obtains an anonymous Teams visitor authentication token from the Microsoft Teams/Skype backend, backed by Skype identity services. It then uses that token to interact with Teams-associated infrastructure, employing a legitimate Microsoft server as the TURN relay during connection setup. After the relay-assisted setup, the malware establishes a direct QUIC session to the attacker-controlled C&C server.
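From the network side, the sequence just described leaves one usable signal: a process that is not a Teams client contacts a Teams TURN relay port and then opens a QUIC (UDP/443) session to a third host. The following is an added example (not Symantec's detection content) that runs that correlation over constructed endpoint connection records. The relay address 203.0.113.10 (TEST-NET, standing in for a Microsoft relay), the process allowlist and the five-minute window are assumptions; 62.164.177.25 is the Backdoor.Turn C&C from the IoC list, and DbgView64.exe is the process the backdoor was injected into.

```python
"""Detection over endpoint connection records for the Teams-relay pattern:
a non-Teams process reaches a TURN relay, then opens QUIC to a third host.
Added example, not Symantec's detection content. Log lines, relay address
and process allowlist are constructed assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# UDP ports Microsoft documents for Teams media relays.
TEAMS_TURN_PORTS = {3478, 3479, 3480, 3481}
# Assumption: processes permitted to talk to Teams relays in this environment.
EXPECTED_TURN_CLIENTS = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}
# How long after the first relay contact a QUIC session still counts as related.
FOLLOW_ON_WINDOW = timedelta(minutes=5)

# Constructed records: a real Teams client using the relay, the injected
# DbgView64.exe using the relay and then talking QUIC to the C&C, and a
# browser doing ordinary QUIC with no relay contact.
SAMPLE_LOG = """ts,host,process,proto,dst_ip,dst_port
2025-12-14T09:00:01,WS-042,ms-teams.exe,udp,203.0.113.10,3478
2025-12-14T09:00:02,WS-042,ms-teams.exe,udp,203.0.113.10,3480
2025-12-14T09:03:10,SRV-DB1,DbgView64.exe,udp,203.0.113.10,3478
2025-12-14T09:03:12,SRV-DB1,DbgView64.exe,udp,62.164.177.25,443
2025-12-14T09:03:15,SRV-DB1,DbgView64.exe,tcp,203.0.113.10,443
2025-12-14T09:10:00,WS-042,chrome.exe,udp,198.51.100.5,443
"""


def parse_log(text):
    """Parse CSV connection records into dicts sorted by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "host": r["host"],
            "process": r["process"].lower(),
            "proto": r["proto"].lower(),
            "dst_ip": r["dst_ip"],
            "dst_port": int(r["dst_port"]),
        })
    return sorted(rows, key=lambda r: r["ts"])


def detect_relay_abuse(rows):
    """Return one alert per (host, process) outside the allowlist that uses a
    Teams relay port, listing QUIC sessions to other hosts that follow the
    first relay contact within FOLLOW_ON_WINDOW."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["host"], r["process"])].append(r)
    alerts = []
    for (host, proc), conns in by_key.items():
        if proc in EXPECTED_TURN_CLIENTS:
            continue
        relay_hits = [c for c in conns
                      if c["proto"] == "udp" and c["dst_port"] in TEAMS_TURN_PORTS]
        if not relay_hits:
            continue
        relay_ips = {c["dst_ip"] for c in relay_hits}
        first_relay = relay_hits[0]["ts"]
        quic_followups = [
            c["dst_ip"] for c in conns
            if c["proto"] == "udp" and c["dst_port"] == 443
            and c["dst_ip"] not in relay_ips
            and first_relay <= c["ts"] <= first_relay + FOLLOW_ON_WINDOW
        ]
        alerts.append({
            "host": host,
            "process": proc,
            "relays": sorted(relay_ips),
            "quic_followups": quic_followups,
            # Relay use from an unexpected process is suspicious on its own;
            # relay plus QUIC to a third host matches the Backdoor.Turn pattern.
            "severity": "high" if quic_followups else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_relay_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

The allowlist is the part that needs local tuning: any process that legitimately joins Teams meetings (browsers, meeting-room software) belongs in it, and the residual set of processes touching the relay ports should be small enough to review by hand.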

This is the first known case of a malware or group using this specific technique.

The backdoor has a range of capabilities, including:

  • Command execution and process creation.
  • Network scanning (including capturing TLS certificate and web page titles for further reconnaissance).
  • LDAP/AD search for comprehensive domain mapping.
  • Credential-based lateral movement within the network.
  • Browser credential theft from compromised endpoints.

Conclusion

The attackers in this campaign use exceptionally sophisticated cyber tradecraft. The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors. 

The exploitation of a driver that was not, at the time, known to be vulnerable (Havoc Process Terminator) also demonstrates a strong level of expertise and sophistication on the part of the attackers.

DragonForce, which has been active since at least June 2023 and is developed by a group Symantec tracks as Hackledorb, has transitioned from a standard ransomware-as-a-service (RaaS) model to a highly organized, formalized cartel structure. This move suggests elevated organizational maturity, significant resource allocation, and a strategic focus on high-impact, targeted campaigns. The operational timeline reveals a pattern of continuous capability development, with the adoption of highly advanced techniques becoming a hallmark of their post-2025 activity. The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today.


Symantec and Carbon Black Threat Hunter Team researcher Thibaut Passilly will present on this topic at the Area41 Cybersecurity Conference in Zurich, Switzerland, on June 18, 2026.


Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.


Indicators of Compromise (IOCs)

File indicators

82b37a92589dfd4d67ca87eb9e52ac8e682e8e60d2211f59074cd5ccc693013b – Downloader

821da79d727351dd67ce5df7950e9a3de6647a3cf474bb3a093f67507fed92a6 – Backdoor.Turn

b6628d201c2a68d2a3de2a87de7a5acfe21b101a97928e1c8d5c82102d967383 – GameDriverx64 vulnerable driver

ce66b8221446c9b6d83f0ce6382f430e519601641e5daaaf1ca7a8a8806cb0b0 – Shellcode containing Backdoor.Turn

f174c19902523dcf005fa044b6598403a5e5c0a5982398d1bc0dcc5ec1cd351b – Sideloaded DLL mimicking VirtualBox

142bac0e2148e0d47891b6cd7311195c4acbe33b700fad54a201c52a2bc46219 – ADExplore

8395b621bb4415090f232c59fc41d24ea41a519b58eabe512f3ae7d2fdf049a3 – ADExplore

9335f61f8ad276d94455c5b6876fea48152c3cea759f2598c8108ee461fa5759 – Malicious ZIP archive

cd078957167e1af4de39aecdb981cd14156fa81d5a9c6ac51e74ae5b6199a12a – Malicious ZIP archive

b16e217cdca19e00c1b68bdfb28ead53b20adeabd6edcd91542f9fbf48942877 – K7 vulnerable driver

d20a3c928761fe00ac522eeb474612b5804cd9108453ea8591106d5d4428428e – Sideloaded DLL mimicking VirtualBox

8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2 – ABYSSWORKER driver

65ab49119c845801f29a57e8aa177146b2ffbd289d4278109b146f933380f951 – ABYSSWORKER driver

6bbf10bcbef7ac5102b54c81137859891a3802dbacd888be90f990d50e18b0b4 – AV killer

252a8bb2eb9c96c5e6cc7cab822e2ed0d508032f9350351221781684e86c03ab – Topaz Antifraud vulnerable driver

8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531 – Havoc Process Terminator

e45b18c93d187aac5c4486f57483bc87580e15def82a312bfb377ff16eb96b22 – DragonForce ransomware

087f002df0a02c8c74f3ba5cd99cf29fb9efff38bf57b3d808e34a5dd4200dd2 – Tower of Fantasy vulnerable driver

048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c – Backdoor.Turn

6f9fbe29f8cc2788e2bc9d631e0eea2a8e9837076837b55838005a0e654f0a9e – AV killer

d0da2832ae1e13a98f7ce7e33a66c1b0d9797b81f69ece134e4462ea55ac923e – Netscan

aea26980059ef2ad11e99556a4edfa1f8ec769fa9f06aa573b81bedf319954b5 – Netscan


Network indicators

projetosmecanicos.com[.]br – C&C for downloading additional tools

socialbizsolutions[.]com – C&C for downloading additional tools

professionalhomebasedbusiness[.]com – C&C for downloading additional tools

safefire[.]jo – C&C for downloading additional tools

glanz-gmbh[.]de – C&C for downloading additional tools

turnkeyaiagents[.]com – C&C for downloading additional tools

comunidadesparentais.com[.]br – C&C for downloading additional tools

mysimerp[.]net – C&C for downloading additional tools

http://192.36.27[.]51/TechSupV18Fix3.zip – Malicious ZIP archive download URL

62.164.177[.]25 – Backdoor.Turn C&C
