Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden
DragonForce ransomware operators deployed a novel Go-based backdoor called Backdoor.Turn that abuses Microsoft Teams TURN relay infrastructure to hide C2 traffic as legitimate Teams communications. The attack chain involves SQL/MSSQL server exploitation for initial access, DLL sideloading via VirtualBox/DbgView executables, multiple BYOVD techniques for defense evasion including a novel exploit of a Huawei driver, and ultimately DragonForce ransomware deployment. The group demonstrated exceptional sophistication with custom tooling and stealth techniques that evade standard network monitoring.
- domaincomunidadesparentais[.]com[.]brC2 domain for downloading additional tools and payloads during post-compromise stage
- domainglanz-gmbh[.]deC2 domain for downloading additional tools and payloads during post-compromise stage
- domainmysimerp[.]netC2 domain for downloading additional tools and payloads during post-compromise stage
- domainprofessionalhomebasedbusiness[.]comC2 domain for downloading additional tools and payloads during post-compromise stage
- domainprojetosmecanicos[.]com[.]brC2 domain for downloading additional tools and payloads during post-compromise stage
- domainsafefire[.]joC2 domain for downloading additional tools and payloads during post-compromise stage
- domainsocialbizsolutions[.]comC2 domain for downloading additional tools and payloads during post-compromise stage
- domainturnkeyaiagents[.]comC2 domain for downloading additional tools and payloads during post-compromise stage
- ip192[.]36[.]27[.]51Server hosting malicious TechSupV18Fix3.zip archive for initial stage-1 payload delivery
- ip62[.]164[.]177[.]25Backdoor.Turn C2 server — malware establishes direct QUIC session to this IP after relay-assisted setup via Microsoft Teams TURN infrastructure
- sha256048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05cAdditional Backdoor.Turn sample
- sha256087f002df0a02c8c74f3ba5cd99cf29fb9efff38bf57b3d808e34a5dd4200dd2Tower of Fantasy vulnerable driver used in BYOVD attack
- sha256142bac0e2148e0d47891b6cd7311195c4acbe33b700fad54a201c52a2bc46219ADExplore tool used for Active Directory reconnaissance
- sha256252a8bb2eb9c96c5e6cc7cab822e2ed0d508032f9350351221781684e86c03abTopaz Antifraud vulnerable driver (wsftprm.sys) used in BYOVD attack
- sha25665ab49119c845801f29a57e8aa177146b2ffbd289d4278109b146f933380f951Additional ABYSSWORKER driver sample — custom malicious kernel driver masquerading as Palo Alto component
- sha2566bbf10bcbef7ac5102b54c81137859891a3802dbacd888be90f990d50e18b0b4AV killer component — used to terminate security processes as part of defense evasion strategy
- sha2566f9fbe29f8cc2788e2bc9d631e0eea2a8e9837076837b55838005a0e654f0a9eAdditional AV killer sample for terminating security processes
- sha256821da79d727351dd67ce5df7950e9a3de6647a3cf474bb3a093f67507fed92a6Backdoor.Turn — Go-based RAT that abuses Microsoft Teams TURN relay for stealthy QUIC C2 communication; injected into DbgView64.exe process
- sha2568284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2ABYSSWORKER driver — custom-built malicious kernel driver masquerading as a legitimate Palo Alto driver for defense evasion
- sha25682b37a92589dfd4d67ca87eb9e52ac8e682e8e60d2211f59074cd5ccc693013bDownloader component — initial stage malware that fetches additional payloads from C2 infrastructure
- sha2568395b621bb4415090f232c59fc41d24ea41a519b58eabe512f3ae7d2fdf049a3ADExplore tool used for Active Directory reconnaissance
- sha2568a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531Havoc Process Terminator — novel custom technique leveraging Huawei HWAuidoOs2Ec.sys driver for kernel-level defense evasion
- sha2569335f61f8ad276d94455c5b6876fea48152c3cea759f2598c8108ee461fa5759Malicious ZIP archive containing initial attack tooling
- sha256aea26980059ef2ad11e99556a4edfa1f8ec769fa9f06aa573b81bedf319954b5Additional Netscan tool sample for network reconnaissance
- sha256b16e217cdca19e00c1b68bdfb28ead53b20adeabd6edcd91542f9fbf48942877K7 Security vulnerable driver (K7RKScan.sys) used in BYOVD attack
- sha256b6628d201c2a68d2a3de2a87de7a5acfe21b101a97928e1c8d5c82102d967383GameDriverx64 vulnerable driver (Tower of Fantasy) used in BYOVD attack
- sha256cd078957167e1af4de39aecdb981cd14156fa81d5a9c6ac51e74ae5b6199a12aMalicious ZIP archive containing initial attack tooling
- sha256ce66b8221446c9b6d83f0ce6382f430e519601641e5daaaf1ca7a8a8806cb0b0Shellcode containing Backdoor.Turn — injected into legitimate DbgView64.exe process for stealth
- sha256d0da2832ae1e13a98f7ce7e33a66c1b0d9797b81f69ece134e4462ea55ac923eNetscan tool used for network reconnaissance during the attack
- sha256d20a3c928761fe00ac522eeb474612b5804cd9108453ea8591106d5d4428428eAdditional sideloaded DLL mimicking VirtualBox
- sha256e45b18c93d187aac5c4486f57483bc87580e15def82a312bfb377ff16eb96b22DragonForce ransomware payload used for data exfiltration and file encryption in the final stage of the attack
- sha256f174c19902523dcf005fa044b6598403a5e5c0a5982398d1bc0dcc5ec1cd351bSideloaded malicious DLL mimicking VirtualBox vboxrt.dll — downloads code from attacker-controlled servers for reconnaissance and defense evasion
- urlhxxp://192[.]36[.]27[.]51/TechSupV18Fix3[.]zipStage-1 malicious ZIP archive download URL containing legitimate VirtualBox/DbgView executables with sideloaded malicious DLL
Detection / Hunteropenrouter
What Happened
A criminal group called DragonForce attacked a large U.S. services company by first breaking in through a database server, then hiding their activities for one to two months before locking the company's files with ransomware. What makes this attack especially dangerous is that the attackers created a custom tool (called Backdoor.Turn) that disguises its communication as normal Microsoft Teams traffic, making it nearly impossible for the company's security tools to detect. They also exploited security flaws in several legitimate software drivers to disable antivirus programs. The victim company's data was stolen and their computers were encrypted. Organizations should review their database server security, ensure vulnerable drivers are blocked, and consider monitoring for unusual Microsoft Teams network activity patterns.
Key Takeaways
- Backdoor.Turn is the first known malware to abuse Microsoft Teams TURN relay servers to mask C2 traffic, making network-level detection extremely difficult
- DragonForce (tracked as Hackledorb) has evolved from RaaS into a formalized cartel with sophisticated tradecraft including custom tools and novel BYOVD techniques
- Attackers employed DLL sideloading via legitimate VirtualBox/DbgView executables to bypass security monitoring and achieve privileged code execution
- A novel 'Havoc Process Terminator' technique leveraging Huawei's HWAuidoOs2Ec.sys driver was used for defense evasion before the driver's vulnerability was publicly documented
- Attackers maintained presence for 1-2 months on the victim network before deploying DragonForce ransomware
Affected Systems
- Microsoft Windows endpoints
- SQL/MSSQL servers (initial access vector)
- Microsoft Teams infrastructure (abused for C2 relay)
- Systems with vulnerable kernel drivers (Huawei HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys, Tower of Fantasy Gamedriverx64.sys, K7 Security K7RKScan.sys)
Vulnerabilities (CVEs)
| CVE | Product | Severity | Description |
|---|---|---|---|
| CVE-2023-52271 | Topaz Antifraud wsftprm.sys kernel driver | Vulnerability in Topaz Antifraud driver exploited via BYOVD to gain kernel-level access for terminating security processes. | |
| CVE-2025-61155 | Tower of Fantasy Gamedriverx64.sys kernel driver | Vulnerability in Tower of Fantasy game driver exploited via BYOVD to gain kernel-level access for defense evasion. | |
| CVE-2025-1055 | K7 Security Anti-Malware K7RKScan.sys kernel driver | Vulnerability in K7 Security Anti-Malware driver exploited via BYOVD to gain kernel-level access for terminating security processes. |
Attack Chain
- Initial Access: Attackers exploit vulnerability in SQL/MSSQL server (or use purchased access) to gain network entry
- Execution: Malicious ZIP archive (TechSupV18Fix3.zip) downloaded containing legitimate VirtualBox/DbgView executables with sideloaded malicious vboxrt.dll
- Persistence: Attackers modify LimitBlankPasswordUse registry value, add users/groups, and alter firewall rules for sustained access
- Defense Evasion: Multiple BYOVD techniques deployed including novel Havoc Process Terminator (Huawei driver), CVE-2023-52271, CVE-2025-61155, CVE-2025-1055, and custom ABYSSWORKER driver to terminate security processes
- C2 and Reconnaissance: Backdoor.Turn injected into DbgView64.exe obtains anonymous Teams visitor token, uses Microsoft TURN relay for stealthy QUIC C2; performs network scanning, LDAP/AD search, credential theft, and lateral movement
- Impact: DragonForce ransomware deployed for data exfiltration and encryption of victim machines
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Symantec Protection Bulletin
No detection rules are reproduced in the article. The article references the Symantec Protection Bulletin for protection updates. Detailed IOC hashes and network indicators are provided for manual blocking and hunting.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | EDR can detect DLL sideloading behavior, process injection into DbgView64.exe, user/group creation, and registry modifications. However, the BYOVD kernel-level defense evasion and the Teams TURN relay C2 masking significantly reduce endpoint visibility. The ABYSSWORKER custom driver and AV killer components may also impair EDR sensors directly. |
| Network Visibility | Low | Backdoor.Turn's abuse of Microsoft Teams TURN relay infrastructure makes C2 traffic appear as legitimate Teams communications. The QUIC session to the real C2 server is established after relay-assisted setup, and the only observable network traffic is outbound connections to legitimate Microsoft Teams servers. Standard network monitoring would not flag this activity. |
| Detection Difficulty | Hard | The combination of legitimate Microsoft Teams infrastructure abuse for C2, DLL sideloading via signed executables, kernel-level BYOVD defense evasion, and custom malicious drivers makes this attack chain exceptionally difficult to detect. Network defenders would see only legitimate Teams traffic. Endpoint detection requires visibility into driver loading, DLL loading patterns, and process injection — all of which the attackers actively attempted to evade. |
Required Log Sources
- Windows Event Logs (Security, System, Application)
- Process creation events (Sysmon Event ID 1, EDR telemetry)
- Image load events (Sysmon Event ID 7 for DLL sideloading detection)
- Driver load events (Sysmon Event ID 6 for BYOVD detection)
- Registry modification events (Sysmon Event ID 12, 13)
- Network connection events (Sysmon Event ID 3)
- Microsoft Teams / Office 365 audit logs for anomalous visitor token requests
- Firewall rule modification logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes loading DLLs with names matching legitimate software components (e.g., vboxrt.dll) but from atypical file paths or with unexpected signatures, which may indicate DLL sideloading (T1574.001) | Sysmon Event ID 7 (Image Loaded), EDR DLL load telemetry, file signature verification events | Execution | Medium — legitimate VirtualBox installations will load vboxrt.dll; correlate with unexpected process paths or unsigned DLL variants |
| Consider hunting for DbgView64.exe processes exhibiting network behavior inconsistent with its expected purpose, such as establishing outbound QUIC sessions or communicating with non-Microsoft infrastructure, which may indicate Backdoor.Turn injection (T1055) | Process network connection events, EDR process-network correlation, Sysmon Event IDs 1 and 3 | Command and Control | Low — DbgView64.exe is a debugging utility that should not establish persistent outbound network sessions |
| Consider hunting for systems loading multiple kernel drivers associated with different vendors in a short time window, which may indicate BYOVD activity for defense evasion (T1068, T1547.006) | Sysmon Event ID 6 (Driver Loaded), EDR kernel driver load telemetry, Windows Event Log System events for driver installation | Defense Evasion | Medium — legitimate systems may load various drivers during updates; correlate with security process termination events |
| Consider hunting for modifications to the LimitBlankPasswordUse registry value, especially when combined with new user account creation and firewall rule changes, which may indicate persistence establishment (T1098, T1136, T1562.004) | Sysmon Event IDs 12/13 (Registry Event), Windows Security Event ID 4720 (user created), Windows Firewall event logs | Persistence | Low — this specific registry value modification is uncommon in normal operations |
| Consider hunting for processes requesting Microsoft Teams visitor tokens from Skype-backed identity services without corresponding legitimate Teams client activity, which may indicate Backdoor.Turn C2 setup (T1071.001) | Microsoft Teams / Office 365 audit logs, proxy logs for Teams/Skype identity service API calls, EDR process-to-network correlation | Command and Control | Medium — requires Teams infrastructure logging access; anonymous visitor token requests may occur in legitimate guest access scenarios |
Control Gaps
- Network-based IDS/IPS would not detect C2 traffic routed through legitimate Microsoft Teams TURN relay infrastructure
- Standard firewall rules allowing Microsoft Teams traffic would permit Backdoor.Turn C2 communications
- AV/EDR products may be terminated by BYOVD kernel-level attacks before they can alert on subsequent malicious activity
- SSL/TLS inspection would not reveal the malicious QUIC session content as it is established after relay-assisted setup through legitimate Microsoft infrastructure
- DNS-based security controls would not flag connections to Microsoft Teams relay servers as malicious
Key Behavioral Indicators
- DbgView64.exe process establishing outbound network connections — abnormal for a debugging utility
- VirtualBox executable loading vboxrt.dll from non-standard file paths
- Multiple kernel drivers from different vendors loaded on the same system within a short timeframe
- Security product processes terminating unexpectedly following driver load events
- Anonymous Microsoft Teams visitor token requests originating from non-Teams client processes
- Registry modification of LimitBlankPasswordUse combined with new local user account creation
- Firewall rule modifications enabling remote access following initial compromise indicators
- QUIC protocol sessions originating from processes that do not typically use QUIC (e.g., DbgView64.exe)
False Positive Assessment
Low — The specific combination of DLL sideloading via VirtualBox/DbgView, BYOVD driver exploitation, Teams TURN relay abuse, and DragonForce ransomware deployment creates a highly distinctive attack pattern. Individual indicators such as Teams network traffic or VirtualBox DLL loading may generate false positives, but the full chain of behaviors is unlikely to occur in legitimate operations.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the identified C2 IP (62.164.177.25) and all listed C2 domains at network perimeter controls if applicable to your environment.
- Consider searching endpoint telemetry for the listed file hashes, particularly Backdoor.Turn samples and sideloaded DLLs, to identify potential compromise.
- If your EDR supports host isolation, consider isolating any systems found running DbgView64.exe with unexpected network activity or loading vboxrt.dll from atypical paths.
- Evaluate whether your organization's Microsoft Teams tenant logs can be reviewed for anomalous anonymous visitor token requests from non-Teams processes.
Infrastructure Hardening
- Consider auditing all externally facing SQL/MSSQL servers for unpatched vulnerabilities and enforcing strong authentication including MFA where supported.
- Evaluate implementing driver block rules or Windows Defender Application Control (WDAC) policies to block the specific vulnerable drivers identified (HWAuidoOs2Ec.sys, wsftprm.sys, Gamedriverx64.sys, K7RKScan.sys) if they are not required in your environment.
- Consider monitoring and alerting on modifications to the LimitBlankPasswordUse registry value, especially when correlated with new account creation events.
- If supported by your network security tooling, consider implementing enhanced monitoring for QUIC protocol traffic originating from atypical processes.
- Evaluate whether your SIEM can correlate Microsoft Teams infrastructure connections with endpoint process telemetry to identify processes abusing Teams relay infrastructure.
User Protection
- Consider deploying endpoint detection rules for DLL sideloading behavior, particularly involving legitimate signed executables like VirtualBox and DbgView loading DLLs from unexpected locations.
- If your EDR supports it, consider enabling kernel driver load monitoring and alerting for drivers from unexpected vendors or with known vulnerability status.
- Evaluate whether your security tools can detect and alert on process injection into legitimate debugging utilities like DbgView64.exe.
- Consider reviewing browser credential stores on systems identified as potentially compromised, as Backdoor.Turn has browser credential theft capabilities.
Security Awareness
- Consider incorporating awareness training about the risks of downloading and executing software archives from untrusted sources, even when they appear to contain legitimate tools.
- If applicable to your awareness program, consider educating database administrators about the importance of securing externally facing SQL servers and monitoring for anomalous access patterns.
- Consider updating existing security team training to include awareness of legitimate infrastructure abuse techniques, particularly the use of Microsoft Teams relay infrastructure for C2 masking.
MITRE ATT&CK Mapping
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Lateral Movement
Command and Control
Additional IOCs
- Ips:
192[.]36[.]27[.]51- Server hosting malicious TechSupV18Fix3.zip archive for initial stage-1 payload delivery
- Domains:
projetosmecanicos[.]com[.]br- C2 domain for downloading additional tools and payloads during post-compromise stagesocialbizsolutions[.]com- C2 domain for downloading additional tools and payloads during post-compromise stageprofessionalhomebasedbusiness[.]com- C2 domain for downloading additional tools and payloads during post-compromise stagesafefire[.]jo- C2 domain for downloading additional tools and payloads during post-compromise stageglanz-gmbh[.]de- C2 domain for downloading additional tools and payloads during post-compromise stageturnkeyaiagents[.]com- C2 domain for downloading additional tools and payloads during post-compromise stagecomunidadesparentais[.]com[.]br- C2 domain for downloading additional tools and payloads during post-compromise stagemysimerp[.]net- C2 domain for downloading additional tools and payloads during post-compromise stage
- File Hashes:
048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c(SHA256) - Additional Backdoor.Turn sampleb6628d201c2a68d2a3de2a87de7a5acfe21b101a97928e1c8d5c82102d967383(SHA256) - GameDriverx64 vulnerable driver (Tower of Fantasy) used in BYOVD attackd20a3c928761fe00ac522eeb474612b5804cd9108453ea8591106d5d4428428e(SHA256) - Additional sideloaded DLL mimicking VirtualBox142bac0e2148e0d47891b6cd7311195c4acbe33b700fad54a201c52a2bc46219(SHA256) - ADExplore tool used for Active Directory reconnaissance8395b621bb4415090f232c59fc41d24ea41a519b58eabe512f3ae7d2fdf049a3(SHA256) - ADExplore tool used for Active Directory reconnaissance9335f61f8ad276d94455c5b6876fea48152c3cea759f2598c8108ee461fa5759(SHA256) - Malicious ZIP archive containing initial attack toolingcd078957167e1af4de39aecdb981cd14156fa81d5a9c6ac51e74ae5b6199a12a(SHA256) - Malicious ZIP archive containing initial attack toolingb16e217cdca19e00c1b68bdfb28ead53b20adeabd6edcd91542f9fbf48942877(SHA256) - K7 Security vulnerable driver (K7RKScan.sys) used in BYOVD attack65ab49119c845801f29a57e8aa177146b2ffbd289d4278109b146f933380f951(SHA256) - Additional ABYSSWORKER driver sample — custom malicious kernel driver masquerading as Palo Alto component6f9fbe29f8cc2788e2bc9d631e0eea2a8e9837076837b55838005a0e654f0a9e(SHA256) - Additional AV killer sample for terminating security processes252a8bb2eb9c96c5e6cc7cab822e2ed0d508032f9350351221781684e86c03ab(SHA256) - Topaz Antifraud vulnerable driver (wsftprm.sys) used in BYOVD attack087f002df0a02c8c74f3ba5cd99cf29fb9efff38bf57b3d808e34a5dd4200dd2(SHA256) - Tower of Fantasy vulnerable driver used in BYOVD attackd0da2832ae1e13a98f7ce7e33a66c1b0d9797b81f69ece134e4462ea55ac923e(SHA256) - Netscan tool used for network reconnaissance during the attackaea26980059ef2ad11e99556a4edfa1f8ec769fa9f06aa573b81bedf319954b5(SHA256) - Additional Netscan tool sample for network reconnaissance
- Registry Keys:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse- Registry value modified to allow passwordless network logons, facilitating easier access to compromised machines
- File Paths:
vboxrt.dll- Malicious sideloaded DLL that mimics legitimate VirtualBox DLL; loaded by signed VirtualBox/DbgView executables to bypass security monitoringHWAuidoOs2Ec.sys- Huawei kernel driver exploited by novel Havoc Process Terminator technique for kernel-level defense evasionwsftprm.sys- Topaz Antifraud kernel driver exploited via CVE-2023-52271 for BYOVD defense evasionGamedriverx64.sys- Tower of Fantasy kernel driver exploited via CVE-2025-61155 for BYOVD defense evasionK7RKScan.sys- K7 Security Anti-Malware kernel driver exploited via CVE-2025-1055 for BYOVD defense evasionTechSupV18Fix3.zip- Malicious ZIP archive delivered as initial payload containing sideloading toolset