
Backdoor.Turn Got the Headlines. convoC2 Is the Version Anyone Can Run. The Technique Is Now in the Fraud Tier.

  • Writer: Patrick Duggan
  • 4 hours ago
  • 4 min read

Yesterday we published on macOS.Gaslight, North Korea's malware that gaslights AI analysts. Earlier this week we covered Backdoor.Turn, North Korea's custom Rust backdoor that hides C2 traffic inside Microsoft Teams TURN relay infrastructure, achieving dwell times of two months in large part because the IPs it talks to are Microsoft's own and do not appear on any threat feed as malicious.


The framing in every piece of coverage, including ours, was nation-state. DPRK. Sophisticated. Novel. The kind of thing that requires a dedicated Rust development team and operational resources.


Today, following the follower graph on a CVE-2026-24061 proof-of-concept publisher, we found a DACH-region fraud operator with a fork of convoC2 in their toolkit.


convoC2 is a Go-based command-and-control framework that uses Microsoft Teams relay infrastructure to tunnel C2 traffic. It is open source. It is on GitHub. It requires no Rust development team. It requires a GitHub account and a Teams tenant.


The technique is the same. The relay IPs are the same. At the network tier, the evasion is identical.



What convoC2 Is


convoC2 implements C2 communication by routing traffic through Microsoft Teams' TURN (Traversal Using Relays around NAT) relay infrastructure, the same relay layer Teams media falls back to for calls and screen sharing when no direct peer-to-peer path is available. The Go implementation is straightforward: obtain a Teams visitor token, use it to allocate a TURN relay session, and tunnel commands and responses through the relay.


The result is C2 traffic that looks like Teams traffic because it is Teams traffic. From the victim's side the destination IPs are Microsoft's relay servers. The transport is the same STUN/TURN allocation and relayed flow every Teams call produces (UDP 3478-3481 to the relay ranges, with a TLS-on-443 fallback), not a bespoke protocol. TURN itself only forwards bytes; the payload is encrypted by the tunnel the tool negotiates on top of it, so neither the relay nor anyone on the wire sees plaintext.
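What the start of such a relay session looks like on the wire, as an added example (this is not convoC2's or Backdoor.Turn's code): a client builds the TURN Allocate request from RFC 5766, a relay answers with the XOR-obfuscated relayed address from RFC 5389, and the client decodes it. The relay is simulated in-process, the sample relayed address is constructed, and the 401/long-term-credential round trip a real Teams relay demands before granting an allocation is skipped; the point is the framing, which is also what a packet-level fingerprint (`is_stun`) keys on.

```python
"""STUN/TURN Allocate exchange that opens a relay session (RFC 5389 / RFC 5766).
Added example: not convoC2's or Backdoor.Turn's code. The simulated relay
skips the 401 / long-term-credential round trip a real Teams relay requires."""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
ALLOCATE_REQUEST = 0x0003          # TURN Allocate, request class
ALLOCATE_SUCCESS = 0x0103          # TURN Allocate, success-response class
ATTR_LIFETIME = 0x000D
ATTR_XOR_RELAYED_ADDRESS = 0x0016
ATTR_REQUESTED_TRANSPORT = 0x0019
PROTO_UDP = 17


def _attr(atype: int, value: bytes) -> bytes:
    """TLV attribute; the value is padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _header(mtype: int, body: bytes, txid: bytes) -> bytes:
    """20-byte STUN header: type, body length, magic cookie, 96-bit transaction ID."""
    return struct.pack("!HHI", mtype, len(body), MAGIC_COOKIE) + txid + body


def build_allocate_request(txid: bytes = b"", lifetime: int = 600) -> bytes:
    """Client -> relay: ask for a UDP relay allocation."""
    txid = txid or os.urandom(12)
    body = _attr(ATTR_REQUESTED_TRANSPORT, bytes([PROTO_UDP, 0, 0, 0])) \
        + _attr(ATTR_LIFETIME, struct.pack("!I", lifetime))
    return _header(ALLOCATE_REQUEST, body, txid)


def build_allocate_success(txid: bytes, relayed_ip: str, relayed_port: int, lifetime: int = 600) -> bytes:
    """Relay -> client: the allocated relayed transport address, XOR-obfuscated per RFC 5389."""
    xport = relayed_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(relayed_ip)) ^ MAGIC_COOKIE
    body = _attr(ATTR_XOR_RELAYED_ADDRESS, struct.pack("!BBHI", 0, 0x01, xport, xaddr)) \
        + _attr(ATTR_LIFETIME, struct.pack("!I", lifetime))
    return _header(ALLOCATE_SUCCESS, body, txid)


def is_stun(pkt: bytes) -> bool:
    """Cheap on-the-wire fingerprint: top two bits zero, magic cookie present, consistent length."""
    if len(pkt) < 20:
        return False
    mtype, length, cookie = struct.unpack("!HHI", pkt[:8])
    return (mtype & 0xC000) == 0 and cookie == MAGIC_COOKIE and length % 4 == 0 and len(pkt) == 20 + length


def parse_stun(pkt: bytes) -> dict:
    """Return message type, transaction ID and raw attribute values keyed by attribute type."""
    if not is_stun(pkt):
        raise ValueError("not a STUN message")
    mtype, length, _ = struct.unpack("!HHI", pkt[:8])
    attrs, off, end = {}, 20, 20 + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", pkt[off:off + 4])
        attrs[atype] = pkt[off + 4:off + 4 + alen]
        off += 4 + alen + ((-alen) % 4)
    return {"type": mtype, "txid": pkt[8:20], "attrs": attrs}


def relayed_address(resp: bytes) -> tuple:
    """Undo the XOR on XOR-RELAYED-ADDRESS (IPv4 only in this example)."""
    val = parse_stun(resp)["attrs"][ATTR_XOR_RELAYED_ADDRESS]
    _, family, xport, xaddr = struct.unpack("!BBHI", val[:8])
    if family != 0x01:
        raise ValueError("IPv6 relayed address not handled in this example")
    return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


def allocate_exchange(relayed_ip: str = "52.113.10.20", relayed_port: int = 50000) -> tuple:
    """Both sides of the handshake with the relay simulated in-process (constructed sample address)."""
    req = build_allocate_request()
    txid = parse_stun(req)["txid"]
    resp = build_allocate_success(txid, relayed_ip, relayed_port)   # what a real relay would send
    return relayed_address(resp)


if __name__ == "__main__":
    print(allocate_exchange())
```

Once the client holds the relayed address, everything that follows is plain relayed data inside the allocation, which is why the post's point about the relay IPs holds: nothing after this handshake carries a destination a reputation feed could score.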


Network-tier C2 detection rests on three things: reputation of the destination IP, a protocol signature that stands out, or a known-bad domain. Teams relay C2 gives it none of the three at once: the destination is a Microsoft range, the protocol is the STUN/TURN flow every Teams call produces, and no domain is involved once the relay is allocated. You cannot block the relay ranges without breaking Teams calls for everyone who uses them.



The Operator Profile


The account we traced convoC2 through is not a nation-state actor. Based on the full repo set: DACH-region (Austrian/German marketplace scrapers for Willhaben and Inseriate), fake shop infrastructure, token generation tools for fraud automation, Discord account generators, 2Captcha bypass tooling. A fraud operator in the German-speaking underground.


This account also has iOS exploit forks (DarkSword webkit chain, A12/A13 SecureROM), Android ADB bypass PoCs, and credential dumpers alongside their fraud tools. Mobile exploit capability plus C2 framework plus fraud automation is a specific combination: someone who compromises devices for credential and session theft at scale.


The Discord listed in their profile is called fakeshops.



What Got Missed in the Backdoor.Turn Coverage


Every Backdoor.Turn writeup correctly identified the technique as significant. The attribution to DPRK was well-sourced. The dwell time of two months was alarming. The conclusion was: this is a sophisticated nation-state capability.


What the coverage missed is that convoC2 existed before Backdoor.Turn was disclosed. The open-source framework predates the DPRK bespoke implementation. North Korea built a custom production-grade version of something that was already publicly available as a Go framework.


The correct threat model is not "watch for DPRK using Teams C2." The correct threat model is "Teams relay C2 is now a commodity evasion technique available to any actor who can fork a GitHub repo."


Defenders who were briefed on Backdoor.Turn and updated their detection guidance to watch for DPRK-specific indicators are watching for the wrong thing. The technique does not belong to DPRK; the DPRK campaign was merely its most visible use. The technique belongs to anyone who can run convoC2.



The Commoditization Arc


This pattern repeats. A technique appears in a nation-state campaign and gets extensive coverage as an advanced capability. Researchers document it. Vendors write detections for the specific attributed actor's tooling. Meanwhile an open-source or crimeware-tier implementation of the same technique has existed for months, running under the radar because it doesn't come with a flag-bearing attribution.


AsyncRAT C2 on Cloudflare Workers (Pattern 49). Blockchain-canister C2 on ICP (Megalodon). Teams relay C2 (Backdoor.Turn/convoC2). The same progression: open-source technique, nation-state production implementation gets headlines, commodity adoption follows quietly.


The fraud operator we traced convoC2 through is ahead of most corporate detection stacks. Their traffic looks like Teams. Their IPs are Microsoft's. Their session is encrypted. The Backdoor.Turn writeups gave them nothing to update because they were already running.



Detection


The detection surface for Teams relay C2 is narrow by design. What works:


Behavioral anomaly on Teams processes: legitimate TURN relay sessions originate from the Teams client (or from the browser, where users run Teams web). Malware or tools like convoC2 initiate them from some other process. Process-level telemetry that correlates relay connections to the originating image can flag this; on hosts where Teams runs in a browser the allowlist has to include the browser images, which weakens this check there.


Teams visitor token issuance from non-Teams applications: the relay session requires obtaining a visitor token from Microsoft identity services first. The HTTPS connection for that request, attributed to the requesting process, is visible in ordinary endpoint network telemetry; the request itself is visible only if you capture HTTPS at the process level (an EDR HTTP sensor or in-process hook). Either way, a non-Teams process performing that handshake is the signal.


Network baseline deviation: if a workstation starts maintaining long-lived STUN/TURN sessions (UDP 3478-3481, or TLS on 443 to the relay ranges) outside its normal Teams usage hours, that is anomalous, even though each session on its own is indistinguishable from a call.


None of these detections work at the network perimeter. They all require endpoint visibility. Organizations that rely on network-tier C2 detection and have limited endpoint telemetry have no detection surface for this technique regardless of whether the actor is DPRK or a fraud operator in Vienna. The one exception is an estate that does not use Teams at all, which can simply block the relay ranges outright.
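The first and third checks above, expressed as a small endpoint-side triage over process-attributed connection events, as an added example (not code from the post, from convoC2, or from any EDR product). The relay ranges and TURN ports are a snapshot of what Microsoft publishes for Teams media and should be treated as an assumption to refresh from the Microsoft 365 endpoint service; the allowed process images, the working-hours window and the sample events are constructed assumptions to tune against your own baseline. The token-issuance check is left out because it needs HTTP-level telemetry this event shape does not carry.

```python
"""Endpoint-side triage for Teams relay abuse: relay connections from non-Teams
processes, and long-lived relay sessions outside the working-hours baseline.
Added example; not code from the post, convoC2 or any EDR product."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# ASSUMPTION: snapshot of Microsoft's published Teams media / transport-relay ranges
# and TURN ports. Refresh from the Microsoft 365 endpoint web service before use.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TURN_UDP_PORTS = {3478, 3479, 3480, 3481}
# ASSUMPTION: images allowed to open relay sessions on this estate. Add browser images
# where users run Teams web (at the cost of coverage for the TLS/443 fallback there).
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe", "msteams.exe"}
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local; tune to the observed baseline
LONG_SESSION_S = 3600              # a relay session this long outside hours is worth a look


@dataclass(frozen=True)
class NetEvent:
    """One process-attributed network connection (Sysmon Event ID 3 shape; constructed)."""
    ts: datetime
    host: str
    image: str
    dst_ip: str
    dst_port: int
    proto: str          # "udp" or "tcp"
    duration_s: int


def is_relay_dst(dst_ip: str, dst_port: int, proto: str) -> bool:
    """Destination is a Teams relay: relay range plus TURN UDP ports, or the TLS/443 fallback."""
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in net for net in TEAMS_RELAY_NETS):
        return False
    return (proto == "udp" and dst_port in TURN_UDP_PORTS) or (proto == "tcp" and dst_port == 443)


def classify(ev: NetEvent) -> list:
    """Tags for one event; an empty list means nothing to raise."""
    if not is_relay_dst(ev.dst_ip, ev.dst_port, ev.proto):
        return []
    tags = []
    if ev.image.lower() not in TEAMS_IMAGES:
        tags.append("relay-from-non-teams-process")
    if ev.ts.hour not in BUSINESS_HOURS and ev.duration_s >= LONG_SESSION_S:
        tags.append("persistent-relay-outside-hours")
    return tags


def triage(events) -> list:
    """(host, image, tags) for every event that earned at least one tag."""
    return [(ev.host, ev.image, tags) for ev in events if (tags := classify(ev))]


# Constructed sample telemetry: a benign daytime Teams call, a look-alike "updater"
# holding a relay at 03:15, an unrelated browser flow, and an overnight Teams session.
SAMPLE_EVENTS = [
    NetEvent(datetime(2026, 3, 4, 10, 30), "WS-0101", "ms-teams.exe", "52.113.10.20", 3478, "udp", 1800),
    NetEvent(datetime(2026, 3, 4, 3, 15), "WS-0413", "updater.exe", "52.115.5.5", 3480, "udp", 7200),
    NetEvent(datetime(2026, 3, 4, 11, 0), "WS-0101", "chrome.exe", "142.250.74.46", 443, "udp", 30),
    NetEvent(datetime(2026, 3, 4, 2, 0), "WS-0207", "ms-teams.exe", "52.123.1.1", 443, "tcp", 9000),
]

if __name__ == "__main__":
    for host, image, tags in triage(SAMPLE_EVENTS):
        print(host, image, ",".join(tags))
```

The overnight session from the real Teams image is deliberately kept as a finding rather than dropped: a tool injected into, or named after, the Teams process passes the image check, so the baseline deviation is the only one of the two that still fires in that case.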






