In a significant development, threat actors linked to the DragonForce ransomware have used a custom remote access trojan (RAT) named Backdoor.Turn to hide their command-and-control (C2) traffic inside Microsoft Teams infrastructure. Security firms Symantec and Carbon Black, both owned by Broadcom, reported that the tactic was deployed against a prominent U.S. services firm whose identity remains undisclosed.
The attackers reportedly gained initial access to the network through a vulnerability in an SQL or MS-SQL server, although the specific flaw has not been identified. Malicious activity began in December 2025, when the attackers ran a PowerShell command to drop a ZIP archive disguised as a tech support hotfix. The archive's contents were used for DLL side-loading, which gave the attackers reconnaissance and persistence on the victim's network while a compromised driver was used to disable security tooling.
The Backdoor.Turn RAT works by obtaining an anonymous Teams visitor token from Microsoft's identity services and then establishing its connection through a legitimate Microsoft TURN relay, so that C2 traffic blends in with ordinary Teams media traffic. This is the first documented case of threat actors abusing Microsoft's TURN relay infrastructure for malicious purposes. The attack has been linked to broader malvertising campaigns targeting individuals in the U.S. who search for tax-related information.
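A defender's takeaway from the TURN-relay technique above is that relay traffic is only expected from the Teams client itself. The following is an added detection sketch, not code from the Symantec/Carbon Black report; it assumes a constructed pipe-delimited telemetry format, the standard STUN/TURN port range 3478-3481, and a list of expected Teams process names, and it flags any other process reaching those ports.

```python
from dataclasses import dataclass

# Assumption (not from the article): Teams media relays are reached on the
# standard STUN/TURN port range 3478-3481, and the only processes expected to
# use them on a managed host are the Teams clients. Tune both to your estate.
TURN_PORTS = range(3478, 3482)
EXPECTED_TURN_CLIENTS = {"ms-teams.exe", "teams.exe"}

@dataclass(frozen=True)
class Conn:
    host: str
    process: str
    dst: str
    port: int
    proto: str

def parse_line(line: str) -> Conn:
    """Parse one constructed telemetry line: host|process|dst|port|proto."""
    host, process, dst, port, proto = line.strip().split("|")
    return Conn(host, process.lower(), dst, int(port), proto.upper())

def suspicious_turn_use(conns):
    """Group TURN-port connections by (host, process) and keep only those
    from processes that have no business talking to a media relay."""
    findings = {}
    for c in conns:
        if c.port in TURN_PORTS and c.process not in EXPECTED_TURN_CLIENTS:
            findings.setdefault((c.host, c.process), []).append(c)
    return findings

def report(lines):
    """Return one human-readable finding per offending (host, process)."""
    findings = suspicious_turn_use(parse_line(l) for l in lines)
    out = []
    for (host, proc), conns in sorted(findings.items()):
        ports = sorted({c.port for c in conns})
        dsts = sorted({c.dst for c in conns})
        out.append(f"{host}: {proc} made {len(conns)} connection(s) "
                   f"to TURN port(s) {ports} at {dsts}")
    return out

# Constructed sample telemetry; IPs are documentation placeholders, not relays.
SAMPLE_TELEMETRY = [
    "WS01|ms-teams.exe|203.0.113.10|3478|UDP",          # legitimate Teams call
    "WS01|hotfix_support.exe|203.0.113.10|3478|TCP",    # hypothetical side-loaded host
    "WS01|hotfix_support.exe|203.0.113.11|3478|TCP",
    "SRV-SQL01|sqlservr.exe|10.0.0.5|1433|TCP",         # normal SQL traffic
    "SRV-SQL01|hotfix_support.exe|203.0.113.12|3480|TCP",
]

if __name__ == "__main__":
    for finding in report(SAMPLE_TELEMETRY):
        print(finding)
```

In production the port and process allow-lists should be replaced with the relay address ranges and signed client binaries actually observed in the environment, and the grouping step lets repeated beacons surface as one alert rather than one per connection.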