Malware · Ransomware · Used by 3 actors · Exploits 3 CVEs

Backdoor.Turn

Backdoor.Turn is a custom Go-based backdoor/RAT used by DragonForce ransomware operators. It was observed in an intrusion against a major U.S. services company and is described as hiding command-and-control traffic inside trusted Microsoft Teams relay infrastructure. The malware obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to establish connectivity, and then runs a QUIC session to the attackers’ real command-and-control server, so that defenders primarily see outbound traffic to legitimate Microsoft Teams servers. Multiple sources describe this as the first known in-the-wild or publicly documented abuse of Microsoft Teams TURN relay infrastructure for covert malware C2, similar to the previously described Ghost Calls concept.

The malware is associated with the DragonForce ransomware operation, which has been active since at least 2023 and has been linked in the reporting to Scattered Spider. In the reported campaign, attackers likely gained initial access through an unknown SQL or MSSQL server vulnerability or via purchased access from an initial access broker. During the intrusion they used DLL sideloading, persistence mechanisms, fake or additional user accounts, Windows security and firewall changes, reconnaissance, credential theft, lateral movement, and bring-your-own-vulnerable-driver techniques to disable security tools. Drivers mentioned in the reporting include Huawei HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys, Tower of Fantasy GameDriverx64.sys, K7 Security K7RKScan.sys, and the ABYSSWORKER malicious driver masquerading as a Palo Alto Networks component.

Backdoor.Turn was reported as being injected into the legitimate DbgView64.exe process after DragonForce ransomware deployment, which researchers assessed may indicate an attempt to preserve covert access for future re-entry or resale. Reported capabilities include command execution, process creation, network scanning, LDAP and Active Directory enumeration, collection of TLS certificate information, lateral movement using stolen credentials, and browser credential theft. The only victim sector directly named in the reporting is a U.S. services firm.
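The behaviour above gives a defender one concrete thing to hunt for: TURN relay sessions opened by a process that is not a Teams client (the reporting names DbgView64.exe as the injected host process). The following is an added example written for this page, not code from Mallory or from the cited researchers. The Teams client process names, the TURN port set, the relay domain suffix and every telemetry record are constructed assumptions; a real deployment would substitute its own relay inventory and process allow-list.

```python
"""
Hunting heuristic for the chain described above: a non-Teams process
allocating TURN relay sessions. Added, illustrative code; not from the
Mallory page or the cited reporting. All names, ports and records below
are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumption: image names of legitimate Teams clients on the endpoints.
EXPECTED_TEAMS_CLIENTS = {"ms-teams.exe", "teams.exe"}

# Assumption: the standard TURN port plus the adjacent ports Teams media uses.
TURN_PORTS = {3478, 3479, 3480, 3481}

# Assumption: placeholder suffix standing in for the organisation's own list
# of Teams/TURN relay endpoints.
ASSUMED_RELAY_SUFFIX = ".relay.example.invalid"


@dataclass(frozen=True)
class NetEvent:
    host: str       # endpoint that produced the record
    process: str    # image name of the process that sent the traffic
    dest: str       # destination hostname or IP
    dest_port: int
    proto: str      # "udp" or "tcp"; TURN may use either, so it is recorded, not filtered


def parse_event(line: str) -> NetEvent:
    """Parse one pipe-delimited telemetry line (constructed format)."""
    host, process, dest, port, proto = [f.strip() for f in line.split("|")]
    return NetEvent(host, process, dest, int(port), proto.lower())


def is_relay(dest: str) -> bool:
    return dest.lower().endswith(ASSUMED_RELAY_SUFFIX)


def find_non_teams_relay_users(events: Iterable[NetEvent]) -> list[dict]:
    """One finding per (host, process) that is not a Teams client and talks
    to a relay endpoint on a TURN port. A Teams client doing this is normal;
    a debugging tool such as DbgView64.exe doing it matches the
    injection-plus-relay chain the reporting describes."""
    findings: dict[tuple[str, str], dict] = {}
    for ev in events:
        if ev.dest_port not in TURN_PORTS or not is_relay(ev.dest):
            continue
        if ev.process.lower() in EXPECTED_TEAMS_CLIENTS:
            continue
        key = (ev.host, ev.process)
        f = findings.setdefault(key, {"host": ev.host, "process": ev.process,
                                      "relays": set(), "sessions": 0})
        f["relays"].add(ev.dest)
        f["sessions"] += 1
    # Return plain dicts with sorted relay lists so results are stable.
    return [dict(f, relays=sorted(f["relays"])) for f in findings.values()]


# Constructed sample telemetry: host | process | destination | port | proto
SAMPLE_LOG = """\
ws01 | ms-teams.exe  | turn-a.relay.example.invalid | 3478 | udp
ws01 | ms-teams.exe  | turn-a.relay.example.invalid | 443  | udp
ws02 | DbgView64.exe | turn-b.relay.example.invalid | 3478 | udp
ws02 | DbgView64.exe | turn-b.relay.example.invalid | 3478 | udp
ws02 | DbgView64.exe | turn-c.relay.example.invalid | 3480 | udp
ws03 | chrome.exe    | cdn.example.invalid          | 443  | udp
ws04 | ms-teams.exe  | turn-a.relay.example.invalid | 3478 | tcp
"""


def run_sample() -> list[dict]:
    events = [parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_non_teams_relay_users(events)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['host']}: {f['process']} opened {f['sessions']} TURN "
              f"session(s) to {', '.join(f['relays'])}")
```

The heuristic deliberately keys on the allocating process rather than the destination, because the destination is legitimate Microsoft infrastructure by design; the only record that surfaces in the sample is the constructed DbgView64.exe entry on ws02.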

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-61155: Arbitrary Process Termination in Tower of Fantasy GameDriverX64.sys (exploited in the wild)

The drivers involved included Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud’s wsftprm.sys (CVE-2023-52271), Tower of Fantasy’s GameDriverx64.sys (CVE-2025-61155), and K7 Security’s K7RKScan.sys (CVE-2025-1055).

via Help Net Security (helpnetsecurity.com)
CVE-2025-1055: Improper Authorization in K7 Security K7RKScan.sys IOCTL Handler (exploited in the wild)

Evidence: the same Help Net Security passage quoted above (helpnetsecurity.com).
CVE-2023-52271: Arbitrary PPL Process Termination in Topaz Antifraud wsftprm.sys (exploited in the wild)

Evidence: the same Help Net Security passage quoted above (helpnetsecurity.com).
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Scattered Spider

Operators of the DragonForce ransomware group have begun using an unusual tactic to disguise their activity... in one of their recent attacks the hackers used a custom backdoor, Backdoor.Turn, which disguises its communication with the command-and-control server as ordinary Microsoft Teams traffic.

via Xakep (xakep.ru)
DragonForce

Evidence: the same Xakep passage quoted above (xakep.ru).
Hackledorb

Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

23 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1078 Valid Accounts (evidence: 2)

The malicious payload can execute commands, scan networks, map Active Directory, move laterally with stolen credentials, and pull passwords from browsers.

T1190 Exploit Public-Facing Application (evidence: 1)

The custom backdoor was used in an attack on a US services firm, which was likely compromised through an unknown vulnerability in an SQL or MSSQL server.

Execution (2 techniques)

T1059 Command and Scripting Interpreter (evidence: 1)

The backdoor enables threat actors to execute commands, create processes...

T1569.002 Service Execution (evidence: 1)

The backdoor enables threat actors to execute commands, create processes...

Persistence (1 technique)

T1078 Valid Accounts (evidence: 2)

The malicious payload can execute commands, scan networks, map Active Directory, move laterally with stolen credentials, and pull passwords from browsers.

Privilege Escalation (3 techniques)

T1055 Process Injection (evidence: 4)

Backdoor.Turn was injected into the DbgView64.exe process

T1068 Exploitation for Privilege Escalation (evidence: 1)

The observed attack against a U.S. services company in December 2025 involved exploiting an SQL server flaw, followed by privilege escalation using multiple vulnerable drivers (BYOVD) to disable security tools.

T1078 Valid Accounts (evidence: 2)

The malicious payload can execute commands, scan networks, map Active Directory, move laterally with stolen credentials, and pull passwords from browsers.

Stealth (3 techniques)

T1036 Masquerading (evidence: 2)

disguises communication with the command-and-control server as ordinary Microsoft Teams traffic

T1055 Process Injection (evidence: 4)

Backdoor.Turn was injected into the DbgView64.exe process

T1078 Valid Accounts (evidence: 2)

The malicious payload can execute commands, scan networks, map Active Directory, move laterally with stolen credentials, and pull passwords from browsers.

Credential Access (2 techniques)

T1555 Credentials from Password Stores (evidence: 6)

theft of credentials from browsers

T1649 Steal or Forge Authentication Certificates (evidence: 1)

collection of TLS certificates

Discovery (5 techniques)

T1007 System Service Discovery (evidence: 1)

command execution, process launching

T1018 Remote System Discovery (evidence: 3)

searching LDAP and Active Directory objects

T1046 Network Service Discovery (evidence: 4)

The functionality of the new backdoor includes ... network scanning

T1082 System Information Discovery (evidence: 1)

When executed, the malicious vboxrt.dll downloads code from a list of servers, and that malicious code is used for numerous things, such as securing access, reconnaissance, and evading detection.

T1482 Domain Trust Discovery (evidence: 2)

The malicious payload can execute commands, scan networks, map Active Directory, move laterally with stolen credentials, and pull passwords from browsers.

Lateral Movement (1 technique)

T1570 Lateral Tool Transfer (evidence: 1)

The malicious payload can execute commands, scan networks, map Active Directory, move laterally with stolen credentials, and pull passwords from browsers.

Command and Control (6 techniques)

T1071 Application Layer Protocol (evidence: 8)

the custom backdoor Backdoor.Turn, which disguises communication with the command-and-control server as ordinary Microsoft Teams traffic

T1071.001 Web Protocols (evidence: 1)

Tracked as Backdoor.Turn, the newly identified malware is written in Go and hides its C&C server communication as legitimate Microsoft Teams traffic in a sophisticated manner. “Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real [C&C] server,”

T1090 Proxy (evidence: 2)

uses a legitimate Microsoft TURN relay to set up the connection

T1090.002 External Proxy (evidence: 3)

Backdoor.Turn first obtains an anonymous Microsoft Teams visitor token, then uses Microsoft’s TURN relay infrastructure to route traffic through legitimate Microsoft servers before connecting to the attackers’ command-and-control server.

T1090.003 Multi-hop Proxy (evidence: 1)

“Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control server.”

T1572 Protocol Tunneling (evidence: 2)

uses the TURN protocol (Traversal Using Relays around NAT)... uses a legitimate TURN relay to establish the connection, and then opens a QUIC session to the attackers’ real command-and-control server

Impact (1 technique)

T1486 Data Encrypted for Impact (evidence: 1)

The Backdoor.Turn RAT was later deployed for persistence and data exfiltration before the final ransomware encryption.

Other (1 technique)

T1562 Impair Defenses (evidence: 1)

The observed attack against a U.S. services company in December 2025 involved exploiting an SQL server flaw, followed by privilege escalation using multiple vulnerable drivers (BYOVD) to disable security tools.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Xakep (news), Jun 19, 2026
Ransomware operators use Microsoft Teams servers to hide their traffic - Xakep

Custom Go-based backdoor used by DragonForce that tunnels C2 communications through Microsoft Teams TURN infrastructure and QUIC sessions to disguise malicious traffic as legitimate Teams traffic. It supports command execution, process launching, network scanning, LDAP and Active Directory discovery, TLS certificate collection, and browser credential theft, likely to enable persistence and future re-entry after ransomware deployment.
The Hacker News (news), Jun 18, 2026
DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

A custom Go-based remote access trojan used to hide C2 traffic via Microsoft Teams TURN relay infrastructure. It obtains anonymous Teams visitor tokens, uses legitimate Microsoft TURN relays for connection setup, and then establishes a QUIC session to the real C2 server. It supports command execution, process creation, network scanning, LDAP and Active Directory search, credential-based lateral movement, and browser credential theft.
Hackread (news), Jun 18, 2026
DragonForce Ransomware Abused Microsoft Teams to Hide Malware Activity

A Go-based backdoor that obtains an anonymous Microsoft Teams visitor token and abuses Microsoft TURN relay infrastructure to disguise command-and-control traffic as legitimate Teams communications. It may also allow attackers to retain access, steal browser credentials, or resell access to the compromised network.
SC World (news), Jun 17, 2026
Attackers drop DragonForce ransomware leveraging MS Teams relay systems | news | SC Media

A custom Go-based backdoor used to hide command-and-control traffic inside Microsoft Teams TURN relay infrastructure, making malicious communications appear as legitimate Teams traffic.
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (3)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (23)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.