The DragonForce ransomware group has deployed a sophisticated new backdoor, Backdoor.Turn, which utilizes Microsoft Teams relay servers for command-and-control operations. This malware, tracked by Broadcom's Symantec and Carbon Black threat hunters, is notable for its advanced methodology that disguises malicious traffic as legitimate Teams communication. The backdoor allows attackers to access victim networks, execute commands, persist in systems, and encrypt data using DragonForce ransomware.
This attack exemplifies an increase in cybercriminal sophistication and is linked to a December 2025 breach of a US service firm. Researchers highlight the unusual use of custom tools among ransomware operators, emphasizing a need for heightened security awareness.