
DragonForce ransomware uses Microsoft Teams for command‑and‑control

Category: malware | Status: open | Jun 16, 2026 to Jun 17, 2026

The DragonForce ransomware group has deployed a new backdoor that uses Microsoft Teams relay servers for command and control, letting the operators hide malicious traffic inside legitimate Teams communications; organisations worldwide are affected.

The approach was highlighted in recent analysis by SecurityWeek detailing the abuse of Teams relay servers.

Backdoor.Turn is a Go-based remote access trojan discovered by Symantec and Carbon Black researchers, as detailed in their threat intelligence report.

It abuses Teams infrastructure to send and receive commands, masking data as standard Teams traffic.

The malware also leverages a known vulnerability in a Huawei driver to gain privileges and create persistent local accounts.

Once inside, the backdoor can execute arbitrary shell commands, exfiltrate files, and later trigger DragonForce ransomware to encrypt victim data.

Because the traffic goes to a trusted cloud service, conventional network monitoring tools are less likely to flag it.

Infosecurity Magazine noted this behaviour in its coverage of the DragonForce intrusion.

The tactic was observed in a December 2025 intrusion against a major US services firm where attackers remained undetected for roughly two months.

DragonForce is linked to Malaysia-based operations and has previously used custom tools to evade defences.

Security researchers note the growing trend of ransomware actors abusing legitimate collaboration platforms for stealthy C2.

Organisations should enforce strict application control policies that limit Teams usage to approved instances and inspect outbound HTTPS traffic for anomalous patterns.

Enabling detailed logging of Teams client connections and correlating with identity anomalies can help spot malicious relay usage.

Regular review of conditional access policies further limits the risk of credential abuse.

Patching the Huawei driver vulnerability, removing unauthorized local accounts, and implementing multi-factor authentication for privileged accounts reduce the attack surface.

Security teams are also advised to review PowerShell and script execution policies to block the Go-based RAT from establishing persistence.

Continuous monitoring for unusual process creation and network connections to Teams endpoints completes a layered defence.
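As an added defender-side example (not code from the report or from Symantec/Carbon Black), the following Python scans constructed Sysmon-style network-connection events and flags either a process other than the expected Teams client, or a Teams-named binary running from an unexpected path, connecting to Teams endpoints. The host pattern, client names, install paths and sample hostnames are assumptions, since the report lists none.

```python
import json
from fnmatch import fnmatch

# Assumptions, not from the report: hostname pattern for Teams service/relay
# endpoints, the client binaries expected to use them, and where those binaries
# normally live. The advisory names no relay hosts; tune these to your telemetry.
TEAMS_HOST_PATTERNS = ("*.teams.microsoft.com",)
EXPECTED_TEAMS_CLIENTS = {"ms-teams.exe", "teams.exe"}
EXPECTED_INSTALL_PREFIXES = ("c:/program files/",
                             "c:/users/*/appdata/local/microsoft/teams/")

# Constructed sample telemetry in a Sysmon-style network-connection shape
# (hostnames and paths are made up for the example).
SAMPLE_EVENTS = r"""
{"ts":"2025-12-03T09:14:02Z","image":"C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe","dst_host":"edge.relay.teams.microsoft.com","dst_port":443}
{"ts":"2025-12-03T09:15:40Z","image":"C:\\Users\\Public\\svchost.exe","dst_host":"edge.relay.teams.microsoft.com","dst_port":443}
{"ts":"2025-12-03T09:16:11Z","image":"C:\\Windows\\System32\\svchost.exe","dst_host":"update.microsoft.com","dst_port":443}
{"ts":"2025-12-03T09:17:55Z","image":"C:\\Users\\Public\\ms-teams.exe","dst_host":"turn.teams.microsoft.com","dst_port":3478}
"""

def is_teams_host(host):
    return any(fnmatch(host.lower(), p) for p in TEAMS_HOST_PATTERNS)

def classify(ev):
    """Return a reason string if the connection looks suspicious, else None."""
    if not is_teams_host(ev["dst_host"]):
        return None                      # only Teams-bound traffic is in scope
    path = ev["image"].replace("\\", "/").lower()
    name = path.rsplit("/", 1)[-1]
    if name not in EXPECTED_TEAMS_CLIENTS:
        return f"non-Teams process {name} reached Teams endpoint {ev['dst_host']}"
    if not any(fnmatch(path, p + "*") for p in EXPECTED_INSTALL_PREFIXES):
        return f"{name} running from unexpected path {ev['image']}"
    return None                          # expected client, expected location

def find_suspicious_teams_connections(text):
    """Scan newline-delimited JSON events; return (event, reason) pairs."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            hits.append((ev, reason))
    return hits

if __name__ == "__main__":
    for ev, reason in find_suspicious_teams_connections(SAMPLE_EVENTS):
        print(ev["ts"], reason)
```

Correlating these hits with the identity and local-account events the text mentions (new local accounts, unusual sign-ins) is the next step; this block covers only the process-to-endpoint check.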

Intelligence briefing updated Jun 17, 2026

Root source: www.security.com