DragonForce Hid C2 Traffic Inside Microsoft Teams for Two Months. Nobody Noticed.
- Patrick Duggan
We covered Kongtuke pivoting to Microsoft Teams as a C2 channel in May. That was the warning. Backdoor.Turn is what the warning was for.
Symantec disclosed Backdoor.Turn on June 16, 2026. It is a custom Go-based backdoor built by the DragonForce ransomware group. Its defining characteristic is that it hides command-and-control traffic inside Microsoft Teams relay infrastructure — specifically the TURN (Traversal Using Relays around NAT) protocol that Teams uses for connectivity in restricted network environments.
This is the first confirmed malware to exploit this channel. Here is why it matters.
How It Works
Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services. It uses a legitimate Microsoft TURN relay to establish the connection. It then runs a QUIC session to the attacker's real C2 server through that relay.
To any tool that judges traffic by where it goes, this looks like Microsoft Teams. The IPs on the wire belong to Microsoft's own relay servers. They will never appear in a threat intelligence feed as malicious, because they are not malicious.
This is the logical endpoint of the decentralized C2 pattern we have been documenting since Pattern 49 — AsyncRAT on Cloudflare Workers, blockchain-canister C2 for Megalodon, EtherRat's ICP canister infrastructure in the Gentleman ransomware chain. Each iteration picks a more trusted, more embedded legitimate service to carry the traffic. Teams is the most embedded legitimate service in enterprise IT. You cannot block Teams relay IPs without breaking Teams for everyone.
The Intrusion Chain
DragonForce entered target environments via an unpatched Microsoft SQL Server vulnerability. From there they spent weeks deploying four Bring Your Own Vulnerable Driver (BYOVD) techniques to kill endpoint detection tools one by one before introducing Backdoor.Turn for persistence and data exfiltration. By the time ransomware was deployed, the average dwell time was two months.
579 confirmed victims since June 2023. Victims through June 2026 span manufacturing, healthcare, retail, and IT.
The Detection Problem
The usual approach to C2 detection — block known malicious IPs and domains, alert on suspicious beaconing patterns — does not work here. The IPs are Microsoft. The traffic pattern looks like Teams. The QUIC protocol used for the C2 session is the same protocol Teams uses legitimately.
What does work: behavioral detection of TURN connections to Teams relay infrastructure opened by processes that are not the Teams client, anomalous TURN usage outside expected Teams client contexts, alerting on known vulnerable driver hashes before Backdoor.Turn is deployed, and catching SQL Server exploitation and lateral movement at the entry point.
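The traffic shape described under How It Works (a TURN allocation to a Microsoft relay, then QUIC carried through it) and the process-context detection listed above can be turned into a concrete hunt. The Python below is an added example, not code from the article or from Symantec. The relay ranges, ports and expected image names are assumptions to tune for your estate, the flow records are constructed, and the first-byte heuristic (Teams media is RTP, whose first byte starts with bits 10, while a QUIC long header starts with bits 11) is ours, not a published signature.

```python
"""Hunt for TURN relay use that does not look like a Teams client.

Input: per-process flow records of the kind Sysmon Event ID 3 or an EDR
gives you, joined with one datagram sampled from the flow (Zeek/pcap).
"""
import ipaddress
import struct
from dataclasses import dataclass

STUN_MAGIC_COOKIE = 0x2112A442
TURN_ALLOCATE = 0x003  # TURN Allocate method number (RFC 5766)

# ASSUMPTION: Microsoft-published Teams media/relay ranges and ports; verify against
# the current Office 365 endpoint list before deploying.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in
                    ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481, 443}
# ASSUMPTION: process images expected to speak TURN to those relays in your estate.
EXPECTED_TEAMS_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}


@dataclass
class Flow:
    image: str             # process image that opened the socket
    dst_ip: str
    dst_port: int
    sample_payload: bytes  # one datagram sampled from the flow


def stun_method(payload: bytes):
    """Return the STUN method number if payload is a STUN message, else None."""
    if len(payload) < 20:
        return None
    msg_type, _length, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != STUN_MAGIC_COOKIE or msg_type & 0xC000:
        return None
    # Method bits are interleaved with the two class bits (RFC 5389 section 6).
    return (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)


def channel_data_payload(payload: bytes):
    """If payload is TURN ChannelData (channel 0x4000-0x7FFF), return the relayed bytes."""
    if len(payload) < 4:
        return None
    channel, length = struct.unpack("!HH", payload[:4])
    if not 0x4000 <= channel <= 0x7FFF:
        return None
    return payload[4:4 + length]


def inner_protocol(relayed: bytes) -> str:
    """Classify the relayed bytes from the top two bits of the first byte:
    RTP v2 is 10xxxxxx, a QUIC long header (Initial/Handshake) is 11xxxxxx,
    a QUIC short header is 01xxxxxx, STUN and DTLS start with 00xxxxxx."""
    if not relayed:
        return "empty"
    return {2: "rtp", 3: "quic-long", 1: "quic-short", 0: "stun-or-dtls"}[relayed[0] >> 6]


def classify(flow: Flow) -> str:
    ip = ipaddress.ip_address(flow.dst_ip)
    if flow.dst_port not in TEAMS_RELAY_PORTS or not any(ip in n for n in TEAMS_RELAY_NETS):
        return "not-teams-relay"
    relayed = channel_data_payload(flow.sample_payload)
    if stun_method(flow.sample_payload) == TURN_ALLOCATE:
        usage = "turn-allocate"
    elif relayed is not None:
        usage = "turn-channeldata:" + inner_protocol(relayed)
    else:
        usage = "non-turn"
    if flow.image.lower() not in EXPECTED_TEAMS_IMAGES:
        return "ALERT non-teams-process " + usage
    if usage.startswith("turn-channeldata:quic"):
        # ASSUMPTION: legitimate Teams media inside TURN is RTP, not QUIC.
        return "ALERT quic-in-turn " + usage
    return "ok " + usage


def hunt(flows):
    """Return (image, dst_ip, verdict) for every flow that raised an alert."""
    return [(f.image, f.dst_ip, classify(f)) for f in flows if classify(f).startswith("ALERT")]


def _allocate_request() -> bytes:
    """Constructed TURN Allocate request: header plus REQUESTED-TRANSPORT=UDP (0x11)."""
    header = struct.pack("!HHI", 0x0003, 8, STUN_MAGIC_COOKIE) + b"\x42" * 12
    return header + struct.pack("!HHI", 0x0019, 4, 0x11000000)


def _channel_data(inner: bytes) -> bytes:
    """Constructed TURN ChannelData frame on channel 0x4000."""
    return struct.pack("!HH", 0x4000, len(inner)) + inner


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    Flow("ms-teams.exe", "52.113.10.20", 3478, _allocate_request()),
    Flow("ms-teams.exe", "52.113.10.20", 3478, _channel_data(b"\x80\x60" + b"\x00" * 10)),
    Flow("update_helper.exe", "52.114.0.7", 3478, _allocate_request()),
    Flow("ms-teams.exe", "13.107.65.9", 3478, _channel_data(b"\xc0\x00\x00\x00\x01" + b"\x00" * 16)),
    Flow("powershell.exe", "8.8.8.8", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_FLOWS):
        print(alert)
```

Two of the five constructed flows alert: the Allocate from a non-Teams image, and the QUIC long header riding inside a ChannelData frame from the Teams image itself. The second check is the higher-signal one, because an attacker can name a binary ms-teams.exe but cannot make QUIC look like RTP; pair the process check with signer verification, and extend the allow-list if users run Teams in a browser tab.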
The entry vector — unpatched SQL Server — is the place to intercept this. By the time Backdoor.Turn is deployed, the attacker has already disabled your EDR.
The Receipt
On May 14 we wrote about Kongtuke pivoting to Teams infrastructure for C2 delivery in an attack that hit OpenAI on the same day. The Teams-as-C2-channel pattern was documented. Backdoor.Turn is the ransomware-grade operationalization of that pattern — more sophisticated, more embedded, longer dwell time.
We indexed Backdoor.Turn as a threat indicator today. The Tuoni C2 framework IOCs — kupaoquan.com, udefined30.domainofhonour40.xyz — are also indexed. Both are in the STIX feed.
The Teams relay C2 infrastructure itself cannot be indexed as malicious because the IPs are Microsoft's. This is by design. The way to defend against it is patching the SQL Server entry points and hunting BYOVD driver activity before the C2 stage is reached.
Sources: Symantec — Backdoor.Turn disclosure — The Hacker News — Security Affairs — 2-month dwell — DugganUSA — Kongtuke/Teams May 14
