DragonForce ransomware operators successfully hid malware within Microsoft Teams for one to two months, using a custom backdoor called Backdoor.Turn to mask their command-and-control traffic. This method involved obtaining a Teams visitor token and routing malicious traffic through legitimate Microsoft relay servers, which let the traffic evade detection. The attack, which exploited a potential SQL or MSSQL server vulnerability, allowed the attackers to execute commands, move laterally, and steal data.
DragonForce, active since 2023, has evolved into a sophisticated cybercrime cartel, employing advanced tactics such as custom-built drivers and the BYOVD (Bring Your Own Vulnerable Driver) technique.