Symantec researchers disclosed that DragonForce ransomware deployed a custom backdoor — Backdoor.Turn — in a December 2025 attack against a major U.S. services company, using Microsoft Teams’ TURN relay infrastructure to route command-and-control communications so that C2 traffic appears as legitimate Teams network activity to defenders. The technique makes the backdoor’s communication channel structurally indistinguishable from normal enterprise Teams usage at the network layer.
How Backdoor.Turn Hides Inside Microsoft Teams’ Own Relay Infrastructure
Backdoor.Turn is a custom Go-language implant. Its defining characteristic is its C2 channel: the backdoor obtains anonymous Microsoft Teams visitor tokens and uses them to connect to Microsoft’s legitimate TURN (Traversal Using Relays around NAT) relay servers during the standard Teams connection setup process. All subsequent C2 communications transit through Teams’ relay infrastructure as what appears, to network security tools, to be Teams protocol traffic.
The significance of this approach is that it weaponizes an allowlisted enterprise service. Organizations cannot block Microsoft’s TURN relay endpoints without breaking legitimate Teams functionality for their users. Traditional network-based C2 detection — destination blocking, protocol anomaly detection, beaconing analysis against known malicious IP ranges — produces no signal when C2 traffic routes through Microsoft’s own infrastructure.
Four-CVE BYOVD Privilege Escalation Chain and the Custom ABYSSWORKER Driver
Before deploying Backdoor.Turn, DragonForce achieved privilege escalation through a Bring-Your-Own-Vulnerable-Driver attack chain exploiting four separate third-party vendor drivers. The confirmed drivers are: Huawei HWAuidoOs2Ec.sys; Topaz wsftprm.sys, exploiting CVE-2023-52271; Tower of Fantasy GameDriverx64.sys, exploiting CVE-2025-61155; and K7 Security K7RKScan.sys, exploiting CVE-2025-1055. A fifth custom driver — ABYSSWORKER — was also deployed, disguised as Palo Alto software.
The breadth of the BYOVD chain illustrates that DragonForce is assembling privilege escalation toolkits from multiple vendor driver vulnerabilities rather than relying on a single technique. Each individual driver vendor is unlikely to anticipate that their software will appear as a component in a ransomware group’s privilege escalation sequence — a fragmentation that makes coordinated mitigation difficult.
DLL Sideloading Into DbgView64.exe and Backdoor.Turn’s Full Capability Set
With elevated privileges obtained through the BYOVD chain, Backdoor.Turn was deployed via DLL sideloading into a legitimate DbgView64.exe process — allowing the backdoor to run under the cover of a trusted debugging application.
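The BYOVD chain and the DbgView64.exe sideload are the host-side indicators a defender can actually hunt for. The following Python script is an added example, not code from the Symantec report or from DragonForce: it scans constructed Sysmon-style events (Event ID 6 driver loads, Event ID 7 image loads) for the four driver file names listed above and for DbgView64.exe loading a DLL that is unsigned or sits outside the Windows system directories. The event layout, computer names, file paths and the trusted-directory list are assumptions made for this example.

```python
"""Hunt for the DragonForce BYOVD drivers and the DbgView64.exe DLL sideload.

The events below are constructed Sysmon-style records (Event ID 6 = driver
loaded, Event ID 7 = image loaded). Field names follow Sysmon's schema; the
values are made up for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Driver file names the article attributes to the DragonForce BYOVD chain
# (compared case-insensitively by basename, since the load path is arbitrary).
VULNERABLE_DRIVERS = {
    "hwauidoos2ec.sys": "Huawei",
    "wsftprm.sys": "Topaz (CVE-2023-52271)",
    "gamedriverx64.sys": "Tower of Fantasy (CVE-2025-61155)",
    "k7rkscan.sys": "K7 Security (CVE-2025-1055)",
}
SIDELOAD_HOST = "dbgview64.exe"  # process abused as the sideload host
# Directories a Windows tool is expected to resolve its system DLLs from
# (assumption for this example; extend for your environment).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    computer: str
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(ev: dict) -> Optional[Finding]:
    """Event ID 6: a known-vulnerable driver loading from any path is a finding.
    These drivers carry valid signatures, so signature state is not a filter."""
    name = basename(ev["ImageLoaded"])
    vendor = VULNERABLE_DRIVERS.get(name)
    if vendor is None:
        return None
    return Finding(ev["Computer"], "byovd_vulnerable_driver",
                   f"{name} [{vendor}] loaded from {ev['ImageLoaded']}")


def check_image_load(ev: dict) -> Optional[Finding]:
    """Event ID 7: DbgView64.exe pulling a DLL that is unsigned or lives outside
    the Windows system directories is consistent with DLL sideloading."""
    if basename(ev["Image"]) != SIDELOAD_HOST:
        return None
    dll = ev["ImageLoaded"].replace("/", "\\").lower()
    if not dll.endswith(".dll"):
        return None
    signed = str(ev.get("Signed", "false")).lower() == "true"
    if signed and dll.startswith(TRUSTED_DLL_DIRS):
        return None
    return Finding(ev["Computer"], "dbgview_dll_sideload",
                   f"{ev['Image']} loaded {ev['ImageLoaded']} (signed={signed})")


def hunt(events: List[dict]) -> List[Finding]:
    """Run both checks over an event list and collect the findings."""
    findings = []
    for ev in events:
        f = None
        if ev["EventID"] == 6:
            f = check_driver_load(ev)
        elif ev["EventID"] == 7:
            f = check_image_load(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry: two vulnerable drivers, one sideload, three benign loads.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS-0412", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "Signed": "true"},
    {"EventID": 6, "Computer": "WS-0412", "ImageLoaded": "C:\\Windows\\Temp\\wsftprm.sys", "Signed": "true"},
    {"EventID": 6, "Computer": "SRV-SQL01", "ImageLoaded": "C:\\ProgramData\\K7RKScan.sys", "Signed": "true"},
    {"EventID": 7, "Computer": "WS-0412", "Image": "C:\\Users\\Public\\DbgView64.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Computer": "WS-0412", "Image": "C:\\Users\\Public\\DbgView64.exe",
     "ImageLoaded": "C:\\Users\\Public\\dbghelp.dll", "Signed": "false"},
    {"EventID": 7, "Computer": "WS-0412", "Image": "C:\\Program Files\\Editor\\editor.exe",
     "ImageLoaded": "C:\\Program Files\\Editor\\plugins\\spell.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.computer}: {f.rule}: {f.detail}")
```

The driver check keys on file name alone because BYOVD drivers are, by design, validly signed; a vulnerable-driver blocklist (Microsoft's recommended driver block rules or your own) is the preventive control, and this hunt is the detective one. The sideload check is deliberately narrow to the process the article names; generalising it to every signed host process needs a per-process baseline of expected DLL directories.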
Once active, Backdoor.Turn’s documented capabilities include command execution, network scanning, LDAP and Active Directory enumeration, TLS certificate inspection, browser credential theft, and website reconnaissance. The combination of Active Directory enumeration and credential theft provides the reconnaissance and access necessary to expand laterally within a compromised enterprise environment prior to ransomware deployment.
Why Teams TURN Relay Abuse Is a Significant Advance in C2 Evasion
The Microsoft Teams TURN relay technique is notable because it exploits a design feature of a widely deployed enterprise collaboration platform rather than any software vulnerability. Teams’ TURN relay is used by Microsoft’s infrastructure to establish peer connections across NAT boundaries — its use for C2 is a legitimate-traffic laundering technique that has no technical mitigation short of blocking Teams itself.
This positions Backdoor.Turn in a category of C2 mechanisms that abuse cloud service infrastructure specifically because those services are allowlisted and monitored less aggressively than unknown external endpoints. Network defenders relying on IP-based blocklists, certificate pinning, or endpoint destination analysis will not detect C2 traffic that transits through Microsoft’s relay servers.
The initial access vector for the December 2025 attack was described by Symantec as likely through a vulnerable SQL or MSSQL server — a conventional entry point followed by a highly sophisticated post-exploitation and evasion chain. Organizations with Microsoft Teams deployments cannot block the C2 channel through standard network controls and should focus detection on the privilege escalation chain’s BYOVD components and on anomalous LDAP enumeration activity as earlier-stage indicators of this attack pattern.
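Because the TURN relay channel itself cannot be blocked, the article points defenders at anomalous LDAP enumeration as an earlier-stage indicator. The script below is an added example, not code from Symantec or from the affected organisation: it parses a constructed LDAP query log, classifies each query as directory enumeration when it is a subtree search whose filter names only objectClass/objectCategory (or returns an unusually large result set), and alerts when a non-allowlisted source issues a burst of such queries inside a sliding window. The log line format, IP addresses, thresholds and allowlist are all assumptions made for this example.

```python
"""Flag bursts of broad LDAP / Active Directory enumeration per source host.

The log format is constructed for this example (one query per line); adapt
LINE_RE to whatever your domain controllers or LDAP proxy actually emit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r'(?P<ts>\S+) src=(?P<src>\S+) scope=(?P<scope>\S+) '
    r'filter="(?P<filter>[^"]*)" returned=(?P<returned>\d+)'
)
# Attribute names that appear in an LDAP filter, e.g. "(objectClass=" or "(uac:...:=".
ATTR_RE = re.compile(r"\(([A-Za-z][\w-]*)[:=~<>]")
STRUCTURAL = {"objectclass", "objectcategory"}

WINDOW = timedelta(minutes=10)  # assumption: tune to the environment's baseline
THRESHOLD = 5                   # enumeration queries per source within WINDOW
LARGE_RESULT = 1000             # one query returning this many objects counts as broad
ALLOWLIST = {"10.0.0.10"}       # hosts expected to enumerate the directory (constructed)


def parse(line: str) -> Optional[dict]:
    """Return the query fields for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"], "scope": d["scope"],
            "filter": d["filter"], "returned": int(d["returned"])}


def is_enumeration(q: dict) -> bool:
    """Broad = subtree search that either returns a large set or filters only on
    structural classes (objectClass/objectCategory), i.e. 'give me every X'."""
    if q["scope"] != "subtree":
        return False
    if q["returned"] >= LARGE_RESULT:
        return True
    attrs = {a.lower() for a in ATTR_RE.findall(q["filter"])}
    return bool(attrs) and attrs <= STRUCTURAL


def detect(lines: List[str]) -> List[Tuple[str, datetime, datetime, int]]:
    """Sliding-window burst detection; one alert per offending source:
    (source, window start, window end, enumeration queries in window)."""
    per_src = defaultdict(list)
    for line in lines:
        q = parse(line)
        if q and q["src"] not in ALLOWLIST and is_enumeration(q):
            per_src[q["src"]].append(q["ts"])
    alerts = []
    for src, times in per_src.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            if i - start + 1 >= THRESHOLD:
                alerts.append((src, times[start], t, i - start + 1))
                break
    return alerts


# Constructed sample log: a workstation walking the directory, a normal user lookup,
# an allowlisted management server, and a single large but isolated query.
SAMPLE_LOG = """\
2025-12-03T02:14:05 src=10.0.0.57 scope=subtree filter="(objectClass=*)" returned=250
2025-12-03T02:14:09 src=10.0.0.57 scope=subtree filter="(&(objectCategory=person)(objectClass=user))" returned=812
2025-12-03T02:14:31 src=10.0.0.57 scope=subtree filter="(objectCategory=computer)" returned=340
2025-12-03T02:15:02 src=10.0.0.57 scope=subtree filter="(objectCategory=group)" returned=120
2025-12-03T02:15:40 src=10.0.0.57 scope=subtree filter="(objectClass=trustedDomain)" returned=2
2025-12-03T02:16:11 src=10.0.0.57 scope=subtree filter="(cn=svc-backup)" returned=1
2025-12-03T02:20:00 src=10.0.0.22 scope=subtree filter="(&(objectClass=user)(sAMAccountName=jdoe))" returned=1
2025-12-03T02:21:00 src=10.0.0.22 scope=base filter="(objectClass=*)" returned=1
2025-12-03T02:30:00 src=10.0.0.10 scope=subtree filter="(objectClass=*)" returned=4800
2025-12-03T02:30:01 src=10.0.0.10 scope=subtree filter="(objectCategory=computer)" returned=1200
2025-12-03T02:40:00 src=10.0.0.88 scope=subtree filter="(mail=*)" returned=3100
# malformed line that the parser skips
"""

if __name__ == "__main__":
    for src, t0, t1, n in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src}: {n} enumeration queries between {t0} and {t1}")
```

The classifier is intentionally structural rather than signature-based: it does not need to know which tool issued the queries, only that a single host asked for whole object classes repeatedly. The allowlist is what keeps this quiet in practice; monitoring, backup and identity-sync servers legitimately enumerate the directory, so the baseline step is to record which sources do so today and alert on everything else.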
