DragonForce Ransomware Group Abuses Microsoft Teams to Conceal Malicious Traffic in US Firm Breach
Cybercriminals tied to the DragonForce ransomware group compromised a US-based services firm in late 2025, leveraging a custom backdoor to hide their command-and-control (C2) traffic within Microsoft Teams’ relay infrastructure. Researchers from Broadcom’s Symantec and Carbon Black identified the attack, marking the first known instance of malware abusing Microsoft’s TURN relay to evade detection.
The Attack: A Multi-Stage Intrusion
The threat actors gained initial access in December 2025, likely through an unpatched SQL/MSSQL vulnerability or via an initial access broker. Once inside, they employed DLL sideloading, abusing a legitimate VirtualBox executable to load malicious code and bypass security tools.
Over one to two months, the attackers:
- Modified firewall rules and system settings to maintain persistence.
- Disabled security defenses using bring-your-own-vulnerable-driver (BYOVD) techniques, exploiting flaws in drivers from Huawei (HWAudioOs2Ec.sys), Topaz Antifraud (CVE-2023-52271), Tower of Fantasy (CVE-2025-61155), and K7 Security Anti-Malware (CVE-2025-1055).
- Deployed Abyss Worker, a malicious driver disguised as a Palo Alto Networks security component.
- Used Havoc Process Terminator to further evade detection.
The final phase involved data exfiltration and DragonForce ransomware deployment, along with the installation of Backdoor.Turn, a Go-based backdoor designed to blend C2 traffic with legitimate Microsoft Teams communications. By routing malicious traffic through Microsoft’s TURN relay servers, the attackers made their activity appear as routine business traffic, bypassing traditional security filters.
A Shift in Ransomware Tactics
Symantec and Carbon Black researchers described DragonForce’s evolution from a ransomware-as-a-service (RaaS) model to a highly organized cartel, employing custom tooling, advanced evasion techniques, and trusted cloud services to maintain persistence. Cybersecurity experts noted that this approach mirrors state-sponsored threat actor tradecraft, moving beyond opportunistic attacks to long-term, stealthy operations.
The abuse of Microsoft Teams’ infrastructure highlights a growing trend where attackers exploit implicit trust in enterprise collaboration tools, making detection significantly harder. As one expert observed, security systems often whitelist traffic to Microsoft domains, allowing malicious activity to slip through undetected.
Source: https://hackread.com/dragonforce-ransomware-microsoft-teams-malware/
Palo Alto Networks Unit 42 cybersecurity rating report: https://www.rankiteo.com/company/unit42
Huawei cybersecurity rating report: https://www.rankiteo.com/company/huawei
American Tower cybersecurity rating report: https://www.rankiteo.com/company/american-tower
"id": "UNIHUAAME1781792980",
"linkid": "unit42, huawei, american-tower",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': 'US', 'type': 'Services firm'}],
'attack_vector': ['Unpatched SQL/MSSQL vulnerability',
'Initial access broker'],
'data_breach': {'data_encryption': True, 'data_exfiltration': True},
'date_detected': '2025-12',
'description': 'Cybercriminals tied to the DragonForce ransomware group '
'compromised a US-based services firm in late 2025, leveraging '
'a custom backdoor to hide their command-and-control (C2) '
'traffic within Microsoft Teams’ relay infrastructure. '
'Researchers from Broadcom’s Symantec and Carbon Black '
'identified the attack, marking the first known instance of '
'malware abusing Microsoft’s TURN relay to evade detection.',
'impact': {'data_compromised': True},
'initial_access_broker': {'backdoors_established': True,
'entry_point': ['Unpatched SQL/MSSQL vulnerability',
'Initial access broker'],
'reconnaissance_period': '1-2 months'},
'motivation': 'Financial gain',
'post_incident_analysis': {'root_causes': ['Unpatched SQL/MSSQL vulnerability',
'Abuse of Microsoft Teams’ TURN '
'relay',
'DLL sideloading',
'BYOVD techniques']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'DragonForce'},
'references': [{'source': 'Broadcom’s Symantec and Carbon Black'}],
'response': {'third_party_assistance': 'Broadcom’s Symantec and Carbon Black'},
'threat_actor': 'DragonForce ransomware group',
'title': 'DragonForce Ransomware Group Abuses Microsoft Teams to Conceal '
'Malicious Traffic in US Firm Breach',
'type': 'Ransomware',
'vulnerability_exploited': ['CVE-2023-52271',
'CVE-2025-61155',
'CVE-2025-1055']}