Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack
The attackers deployed a new Go-based backdoor that uses Microsoft Teams servers for command-and-control. The post Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack appeared first on SecurityWeek .
AI Analysis
Technical Summary
The DragonForce ransomware group has deployed a novel Go-based backdoor, named Backdoor.Turn, that abuses Microsoft Teams relay servers for its command-and-control (C&C) communications. The malware obtains anonymous Teams visitor tokens and uses Microsoft's TURN relay infrastructure to establish QUIC sessions to attacker-controlled C&C servers, so that the malicious traffic is indistinguishable at the network level from legitimate Teams traffic. The attack chain likely began with exploitation of an SQL or MSSQL server vulnerability, followed by DLL sideloading to execute additional malware, kernel-level access through exploitation of vulnerable signed drivers, and finally deployment of ransomware for encryption and data exfiltration. Backdoor.Turn remains in place after the ransomware has been deployed and allows the attackers to execute commands, perform network reconnaissance, move laterally using stolen credentials, and exfiltrate browser-stored credentials. This is the first known abuse of Microsoft Teams TURN relay infrastructure by malware and reflects highly sophisticated attacker tradecraft.
Potential Impact
The impact includes unauthorized persistent access to victim networks, execution of arbitrary commands, network reconnaissance, lateral movement, credential theft, and data exfiltration. Because the C&C traffic rides over legitimate Microsoft Teams infrastructure, network-based detection and response are considerably harder. Victims suffer ransomware encryption and potential data loss or exposure. The attack chain also involves kernel-level access, which can be used to disable security controls and increases the difficulty of remediation.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Since this attack abuses legitimate Microsoft Teams infrastructure rather than exploiting a vulnerability in Teams itself, no direct patch for Teams is indicated. Organizations should focus on securing the initial entry points, such as SQL/MSSQL servers; monitoring for DLL sideloading and kernel-level exploitation of signed drivers; and building detections for anomalous use of Microsoft Teams visitor tokens or unusual network traffic patterns toward Teams relay infrastructure from hosts that should not be using Teams. Incident response should include credential resets and a thorough network investigation, given the lateral movement and credential theft capabilities of the backdoor. Vendor-managed cloud services such as Microsoft Teams are typically patched server-side by Microsoft; however, this threat leverages legitimate service features rather than a vulnerability in the service.
Technical Details
- Article Source: https://www.securityweek.com/microsoft-teams-relay-servers-abused-in-dragonforce-ransomware-attack/ (fetched 2026-06-17T10:45:14Z, 1101 words)
Threat ID: 6a327aba0b89be68882a5cf2
Added to database: 6/17/2026, 10:45:14 AM
Last enriched: 6/17/2026, 10:45:21 AM
Last updated: 6/17/2026, 5:24:28 PM