Backdoor.Turn: The Ransomware That Hid Inside Microsoft Teams for 2 Months

Gabriel Ferraresi · CEO | Tech86 · July 3, 2026 · 4 min
Tags: security, ransomware, dragonforce, microsoft-teams, turn-relay, c2, byovd

A ransomware group hid inside Microsoft Teams for 2 months and nobody noticed. Not because Teams was hacked. Because Teams worked exactly as designed. We analyzed the case and the signal is clear: the infrastructure organizations trust most became the perfect hiding spot.

The scale of the problem: 2 months hidden inside Teams

According to Broadcom/Symantec, which documented the case on June 16, 2026, Backdoor.Turn is a custom Go backdoor and the first malware in the wild to abuse Microsoft Teams TURN relay infrastructure for C&C communication. The victim: a large US services company. The DragonForce group remained undetected for two months — not because of a detection failure, but because the traffic was, by design, indistinguishable from legitimate collaboration.

The paradox is what matters. The guidance that Microsoft itself publishes — whitelist Teams IPs, exempt from TLS inspection, split-tunnel VPN bypass — is exactly what makes the traffic undetectable. Security teams are instructed to trust this traffic. The attacker uses that trust as a hiding spot.

The technique: Backdoor.Turn and TURN relay abuse

The mechanism is what sets Backdoor.Turn apart from conventional C2. According to Broadcom/Symantec, the backdoor obtains an anonymous visitor token from Teams — no account, no meeting. It uses the token to interact with a legitimate Microsoft TURN server during connection setup. Then it establishes a direct QUIC session to the attacker's C2.

For network defenders, the observed traffic is outbound connections to legitimate Microsoft Teams servers. There is no suspicious domain to block. There is no strange certificate to inspect. There is no anomalous payload to detect at the network layer. The traffic is, by design, trusted.

The precedent: Praetorian Ghost Calls and Microsoft's omission

The technique was not born with DragonForce. According to Praetorian, which demonstrated the "Ghost Calls" technique at Black Hat USA 2025, TURN relay abuse for C2 has been known for at least a year. Zoom fixed it in days — it restricted TURN credentials to reach only its own infrastructure. Microsoft did not implement a similar restriction.

Ten months later, DragonForce was the first to use the technique in the wild. It is not a vulnerability. It is abuse of legitimate functionality. The anonymous visitor token and the TURN relay are features, not bugs. That is why there is no CVE. And that is why it is harder to fix: blocking affects legitimate Teams functionality.

The full DragonForce attack chain

The chain is what shows the sophistication of the operation. According to the analysis, initial access was via an SQL server in December 2025. Then: DLL sideloading via the legitimate DbgView64.exe. Persistence with scheduled tasks, registry run keys, and user creation. Defensive evasion with multi-vector BYOVD.

The vulnerable drivers — Huawei, Topaz, Tower of Fantasy, K7 Security, plus a custom ABYSSWORKER driver masquerading as Palo Alto — terminate security processes at kernel level. Then: exfiltration, DragonForce ransomware deployment, encryption. Backdoor.Turn was injected after encryption — post-attack persistence or access resale.

BYOVD: killing EDR before the backdoor

The detail that changes everything: the attacker killed EDR first with BYOVD before deploying the backdoor. BYOVD (Bring Your Own Vulnerable Driver) is the technique of loading a legitimate, signed but vulnerable driver to escalate privileges and terminate security processes at kernel level. Without EDR, the backdoor operates unopposed.

Microsoft maintains the Vulnerable Driver Block List, but it must be enforced, not optional. According to Microsoft itself, the list protects against signed but vulnerable drivers. Without enforcement, every vulnerable driver loaded is a dead EDR.

The category problem: it is not just Teams

The problem is a category problem. It is not just Teams. Any real-time communication platform with TURN relay — Zoom, WebEx, Google Meet — is potentially vulnerable to the same technique. The entire category of "trusted collaboration traffic" is compromised.

If your detection strategy is "this traffic goes to Microsoft, so it is safe," you have a blind spot. And the blind spot is not just Microsoft's — it is every collaboration platform that uses TURN relay.

The defense: endpoint detection, not network

The defense is endpoint detection, not network detection. Process behavior: injection into DbgView64.exe, anomalous QUIC from non-standard processes. Monitor Event ID 7045, the System log entry written when a new service or kernel driver is registered. The Microsoft Vulnerable Driver Block List must be enforced. Zero Trust: verify behavior, not platform.

Traffic going to Microsoft is not automatically safe. Traffic going to Zoom is not automatically safe. The platform is not the trust signal — behavior is.
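The two endpoint signals named above, new kernel driver registrations (Event ID 7045) and QUIC-style UDP/443 egress from a process that is not a collaboration client, as hunting logic over constructed sample events. This is an added example, not code from the Symantec or Praetorian analyses; the driver folder heuristic and the QUIC process allow-list are assumptions to be tuned per environment, and the event shapes are modelled on System-log 7045 fields and a Sysmon network event.

```python
"""Hunting logic for two endpoint signals this post calls out: Event ID 7045 (new
service or kernel driver registered, the footprint BYOVD leaves) and UDP/443 (QUIC)
egress from a process that is not a collaboration client. Constructed sample events."""
from typing import Dict, Iterable, List

DRIVER_DIR = r"c:\windows\system32\drivers"   # where shipped drivers normally live
# Processes expected to speak QUIC here; an assumed per-host allow-list for the example.
QUIC_EXPECTED = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}

def _norm(path: str) -> str:
    """Normalise the ImagePath forms 7045 uses (\\??\\C:\\..., \\SystemRoot\\...)."""
    p = path.lower().replace("\\??\\", "", 1)
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p

def driver_findings(ev: Dict) -> List[str]:
    """7045: kernel-mode driver registered from outside the drivers folder (heuristic)."""
    if ev.get("id") != 7045 or "kernel" not in ev.get("ServiceType", "").lower():
        return []
    if _norm(ev.get("ImagePath", "")).startswith(DRIVER_DIR):
        return []
    return [f"7045: kernel driver {ev['ServiceName']} from {ev['ImagePath']}"]

def quic_findings(ev: Dict) -> List[str]:
    """Sysmon-style network event: UDP/443 from a process not on the allow-list."""
    if ev.get("id") != 3 or ev.get("Protocol") != "udp" or ev.get("DestinationPort") != 443:
        return []
    exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return [] if exe in QUIC_EXPECTED else [f"quic: UDP/443 from unexpected {ev['Image']}"]

def hunt(events: Iterable[Dict]) -> List[str]:
    """Run both checks over an event stream and return the findings."""
    return [f for ev in events for f in driver_findings(ev) + quic_findings(ev)]

# Constructed samples shaped like System-log 7045 fields and a Sysmon network event.
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "HwDrv", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Users\\Public\\hwdrv.sys"},
    {"id": 7045, "ServiceName": "usbprint", "ServiceType": "kernel mode driver",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\usbprint.sys"},
    {"id": 7045, "ServiceName": "UpdSvc", "ServiceType": "user mode service",
     "ImagePath": "C:\\Program Files\\Vendor\\upd.exe"},
    {"id": 3, "Image": "C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe",
     "Protocol": "udp", "DestinationPort": 443},
    {"id": 3, "Image": "C:\\Tools\\DbgView64.exe", "Protocol": "udp", "DestinationPort": 443},
]
```

Running hunt(SAMPLE_EVENTS) returns two findings: the kernel driver registered from a user-writable folder and the UDP/443 session from DbgView64.exe. Forward 7045 off-host: the Service Control Manager still writes it after EDR has been killed, but a cleared local log takes it with it.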

Conclusion: trusted infrastructure became the perfect hiding spot

We repeat: the infrastructure organizations trust most became the perfect hiding spot. Backdoor.Turn did not hack Teams — it used Teams as designed. And the attacker killed EDR first with BYOVD before deploying the backdoor, ensuring nothing would stand in the way.

The defense is not to block Teams. The defense is to detect behavior, not platform. Monitor process, not just network. Enforce the Vulnerable Driver Block List. Apply Zero Trust to collaboration traffic. At Tech86, we help companies build exactly this kind of detection — before trusted traffic becomes the command and control channel of the next attack.


Frequently Asked Questions

According to Broadcom/Symantec, Backdoor.Turn is a custom Go backdoor documented on June 16, 2026. It is the first malware in the wild to abuse Microsoft Teams TURN relay infrastructure for C2 communication. It obtains an anonymous visitor token from Teams (no account, no meeting), uses the token to interact with a legitimate Microsoft TURN server during connection setup, and then establishes a direct QUIC session to the attacker's C2. For network defenders, the observed traffic is outbound connections to legitimate Microsoft Teams servers.

It is not a vulnerability — it is abuse of legitimate functionality. The anonymous visitor token and the TURN relay are features, not bugs. That is why there is no CVE. And that is why it is harder to fix: blocking affects legitimate Teams functionality. The guidance that Microsoft itself publishes (whitelist Teams IPs, exempt from TLS inspection, split-tunnel VPN bypass) is what makes the traffic undetectable. Security teams are instructed to trust this traffic.

BYOVD (Bring Your Own Vulnerable Driver) is the technique of loading a legitimate, signed but vulnerable driver to escalate privileges and terminate security processes at kernel level. According to the DragonForce chain analysis, the attacker used multi-vector BYOVD: Huawei, Topaz, Tower of Fantasy, K7 Security drivers, plus a custom ABYSSWORKER driver masquerading as Palo Alto. The vulnerable drivers terminate EDR processes at kernel level before the backdoor is deployed. The Microsoft Vulnerable Driver Block List must be enforced to mitigate.

Detection must happen at the endpoint, not on the network. According to the analysis, the observed traffic is outbound connections to legitimate Microsoft Teams servers — indistinguishable from legitimate traffic at the network layer. The defense is to monitor process behavior: injection into DbgView64.exe, anomalous QUIC sessions from non-standard processes, and new kernel driver registration (Event ID 7045). Zero Trust applied to collaboration traffic: verify behavior, not platform.

It is not just Teams. Any real-time communication platform with TURN relay is potentially vulnerable — Zoom, WebEx, Google Meet. According to Praetorian, which demonstrated the Ghost Calls technique at Black Hat USA 2025, the entire category of trusted collaboration traffic is compromised. Zoom fixed it in days by restricting TURN credentials to reach only its own infrastructure. Microsoft did not implement a similar restriction. Ten months later, DragonForce was the first to use it in the wild.
