Microsoft Teams Infrastructure Exploited by DragonForce's New Backdoor.Turn Malware



Security researchers at Symantec have uncovered a previously unseen backdoor that disguises malicious communications as legitimate Microsoft Teams traffic, giving attackers a powerful new way to remain hidden inside compromised networks (via Bleeping Computer).

Backdoor.Turn Malware Abuses Microsoft Teams to Target Corporate Users

The malware, dubbed Backdoor.Turn, was discovered during a recent DragonForce ransomware campaign that combined data theft with file encryption. According to researchers at Symantec’s Threat Hunter Team, the backdoor is deployed after the ransomware payload executes, suggesting it may be used to maintain long-term access, support future intrusions, or even resell compromised networks to other threat actors.

What makes Backdoor.Turn particularly concerning is how it communicates. Rather than connecting directly to attacker-controlled infrastructure, the Go-based malware first requests an anonymous visitor token from Microsoft’s Teams and Skype backend services. It then leverages legitimate Teams-associated TURN relay infrastructure to establish outbound connectivity before switching to a direct QUIC session with a malicious command-and-control server.

The technique, inspired by the “Ghost Calls” research presented at Black Hat 2025, effectively masks malicious activity as trusted Microsoft traffic. According to Symantec, this is the first known instance of malware using this specific approach.
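A detection heuristic for the traffic pattern described above, as an added example that is not from Symantec or the original report: it flags a process other than the Teams client that contacts a Teams relay and then opens a QUIC (UDP/443) session elsewhere. The relay ranges, ports, process allowlist, record fields and sample flows are assumptions and should be checked against Microsoft's current endpoint list and local telemetry.

```python
import ipaddress

# Assumption: Teams media relay ranges and TURN ports as listed in Microsoft's
# published Microsoft 365 endpoint documentation; verify against the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TURN_PORTS = range(3478, 3482)
# Assumption: processes expected to use the relays on this estate.
EXPECTED_PROCS = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

def is_relay(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_RELAY_NETS)

def find_suspects(flows, window_s=300):
    """Flag unexpected processes that contact a Teams relay and then open
    UDP/443 (QUIC) to an address outside the relay ranges within window_s."""
    relay_seen = {}   # (host, proc) -> time of latest relay contact
    alerts = []
    for f in sorted(flows, key=lambda r: r["ts"]):
        key = (f["host"], f["proc"].lower())
        if f["proto"] != "udp" or key[1] in EXPECTED_PROCS:
            continue
        if is_relay(f["dst_ip"]):
            if f["dst_port"] in TURN_PORTS:
                relay_seen[key] = f["ts"]
        elif f["dst_port"] == 443 and key in relay_seen:
            if f["ts"] - relay_seen[key] <= window_s:
                alerts.append({"host": key[0], "proc": key[1], "quic_dst": f["dst_ip"]})
    return alerts

# Constructed sample flow records (not real telemetry); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    {"ts": 100, "host": "WS01", "proc": "svchelper.exe", "proto": "udp", "dst_ip": "52.112.10.20", "dst_port": 3478},
    {"ts": 130, "host": "WS01", "proc": "svchelper.exe", "proto": "udp", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"ts": 105, "host": "WS02", "proc": "ms-teams.exe", "proto": "udp", "dst_ip": "52.114.1.9", "dst_port": 3479},
    {"ts": 140, "host": "WS02", "proc": "ms-teams.exe", "proto": "udp", "dst_ip": "203.0.113.9", "dst_port": 443},
    {"ts": 110, "host": "WS03", "proc": "chrome.exe", "proto": "udp", "dst_ip": "198.51.100.5", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in find_suspects(SAMPLE_FLOWS):
        print(alert)
```

Process names can be spoofed, so a production rule should key on the binary's signer or path rather than its name.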

Once active, Backdoor.Turn can execute commands, create processes, steal browser credentials, scan networks, perform LDAP and Active Directory searches, and move laterally across enterprise environments using compromised credentials.

Researchers also observed DragonForce exploiting the Havoc Process Terminator driver before it was publicly known to be vulnerable, highlighting the group’s growing technical sophistication.

Active since at least June 2023, DragonForce has evolved beyond a traditional ransomware-as-a-service operation into what researchers describe as a highly organized cyber cartel. The addition of Backdoor.Turn and its advanced evasion capabilities further cements the group’s reputation as one of the most capable ransomware threats operating today.

Symantec researcher Thibaut Passilly is expected to present additional findings on the campaign at the Area41 Cybersecurity Conference in Zurich on June 18.

In other Teams news, Microsoft has also confirmed that the app will get a Wi-Fi-based location tracking feature, though thankfully, it will remain optional for users. At the same time, the company revealed major performance upgrades for Teams across desktop, web, and mobile, suggesting that Microsoft is still focused on making the app faster and more reliable while expanding its workplace-focused features.
