
Ransomware gang abuses Microsoft Teams relays to hide malicious traffic

Jeff Davies 16 Jun 2026 8 min read

1. Executive summary

DragonForce ransomware operators have been observed deploying a custom Go-based remote access trojan (RAT) dubbed Backdoor.Turn that tunnels command-and-control (C2) traffic through Microsoft Teams' TURN relay infrastructure, so that malicious communications appear to defenders as legitimate Microsoft Teams traffic. The attack, observed in December 2025 against a major U.S. services company and disclosed by Symantec on 16 June 2026, begins with exploitation of an undisclosed flaw in an SQL or MSSQL server, escalates via Bring Your Own Vulnerable Driver (BYOVD) techniques using four named vulnerable drivers plus a custom malicious driver, performs reconnaissance and credential theft, exfiltrates data, and finally deploys DragonForce ransomware. EMEA financial services firms are at elevated risk because Microsoft Teams is near-ubiquitous in the sector, the TURN relay abuse rides Microsoft's own infrastructure and so evades network controls that allowlist Microsoft IP ranges, and the BYOVD drivers terminate EDR/AV processes at the kernel level. Attribution to DragonForce is unconfirmed in our reference data (no MITRE ATT&CK profile exists for this actor); the reported link to Scattered Spider is similarly unverified.

2. Regulatory framing

Each entry gives the article, the trigger (the fact in this item) and the practical impact.

  • DORA Art. 17: ICT-related incident management process
    Trigger: A confirmed intrusion involving ransomware deployment, data exfiltration, and credential theft requires a documented ICT incident management process.
    Practical impact: Activate the ICT incident management process; document detection, containment, eradication, and recovery steps; preserve evidence for post-incident review.
  • DORA Art. 18: classification of ICT-related incidents and cyber threats
    Trigger: The incident involves ransomware, data exfiltration, and abuse of a widely-used ICT third-party service (Microsoft Teams).
    Practical impact: Classify the incident against the documented taxonomy; flag as major if it meets criteria for service disruption, data loss, or reputational impact.
  • DORA Art. 19: reporting of major ICT-related incidents to competent authorities
    Trigger: A ransomware event with data exfiltration against a financial entity likely meets the threshold for a major ICT-related incident.
    Practical impact: Prepare the initial notification within the regulatory reporting window; ensure subsequent reports (intermediate and final) cover root cause, impact, and remediation.
  • DORA Art. 24: digital operational resilience testing, general requirements
    Trigger: The attack chain demonstrates gaps in detection (TURN abuse) and endpoint protection (BYOVD).
    Practical impact: Validate that TURN relay traffic is covered in purple-team, BAS, or red-team exercises; ensure BYOVD scenarios are in scope.
  • DORA Art. 28: ICT third-party risk, general principles
    Trigger: Microsoft Teams is a critical ICT third-party service; abuse of its TURN infrastructure creates third-party risk.
    Practical impact: Reassess the risk profile for Microsoft Teams and other conferencing/collaboration platforms; ensure contractual and monitoring controls are in place.
  • DORA Art. 29: preliminary assessment of ICT concentration risk
    Trigger: Microsoft Teams represents a concentration point: abuse of its TURN relays can bypass controls that trust Microsoft IP ranges.
    Practical impact: Assess whether the firm has concentration risk on Teams; consider whether alternative or complementary channels are needed for sensitive operations.
  • DORA Art. 30: key contractual provisions with ICT third-party providers
    Trigger: Microsoft is an ICT third-party provider; contractual provisions for incident notification, audit, and security obligations apply.
    Practical impact: Verify that contractual notification clauses with Microsoft are honoured; engage Microsoft for any takedown or forensic support.
  • NIS2 Art. 21(2)(d): supply chain security measures
    Trigger: The attack chain abuses third-party drivers (Huawei, Topaz, K7 Security, and a custom driver masquerading as Palo Alto) via BYOVD.
    Practical impact: Ensure supply-chain security measures cover driver allowlisting, attestation, and review of third-party kernel components.
  • NIS2 Art. 23: incident reporting obligations
    Trigger: A ransomware incident with data exfiltration triggers incident reporting obligations.
    Practical impact: File the early warning within 24 hours, the incident notification within 72 hours, and the final report within one month, per the applicable timeline.
  • UK NIS 2018: UK Network and Information Systems Regulations, OES/RDSP duties
    Trigger: UK financial sector entities classified as OES/RDSP have incident handling duties under UK NIS.
    Practical impact: Ensure incident reporting to the UK competent authority is integrated with DORA reporting timelines.

3. Technical analysis & attack chain

Attack chain (confirmed steps)

  1. Initial access — SQL/MSSQL exploitation. The attacker exploited an unknown flaw in an SQL or MSSQL server to obtain an initial foothold. The specific CVE is not disclosed in the source material.
  2. Tool staging. A ZIP archive was downloaded containing a legitimate VirtualBox/DbgView executable and a malicious DLL for sideloading.
  3. Persistence and access hardening. The attacker created rogue user accounts, weakened the LimitBlankPasswordUse security policy (which, when enabled, confines blank-password local accounts to console logon; disabling it permits network logons with blank passwords) to ease access, and modified firewall rules.
  4. Defence evasion via BYOVD. Multiple vulnerable drivers were loaded to obtain kernel-level privileges and terminate security tools:
     - Huawei HWAuidoOs2Ec.sys ("Havoc Process Terminator")
     - Topaz Antifraud wsftprm.sys (CVE-2023-52271)
     - Tower of Fantasy GameDriverx64.sys (CVE-2025-61155)
     - K7 Security K7RKScan.sys (CVE-2025-61155 per the source text, which lists this CVE for both GameDriverx64.sys and K7RKScan.sys; treat the K7RKScan.sys CVE assignment as unconfirmed pending a vendor advisory)
     - ABYSSWORKER, a custom malicious driver masquerading as a legitimate Palo Alto driver
  5. Backdoor.Turn deployment. The Go-based RAT was injected into DbgView64.exe (a legitimate Sysinternals debugging utility) after the ransomware had been deployed, so chronologically this step follows step 8; its timing suggests an intent to retain access after encryption.
  6. C2 via Microsoft Teams TURN. Backdoor.Turn obtains an anonymous Microsoft Teams visitor token, uses a legitimate Microsoft TURN relay during connection setup, then connects to the attacker's C2 server. Defenders see traffic associated with Microsoft Teams infrastructure.
  7. Reconnaissance and credential theft. Capabilities include command execution, process creation, network scanning, TLS certificate capturing, LDAP/Active Directory searching, website title collection, and browser credential theft.
  8. Impact. Data exfiltration followed by DragonForce ransomware deployment and encryption of victim systems.

Technical specifics

TURN relay abuse mechanism. Backdoor.Turn exploits the Traversal Using Relays around NAT (TURN) protocol that Microsoft Teams uses to relay media and data between clients when direct peer-to-peer connectivity fails (for example, when both parties sit behind NAT). The malware obtains an anonymous Teams visitor token, negotiates a TURN relay allocation on legitimate Microsoft infrastructure, and tunnels its C2 traffic through that allocation, so the victim's egress shows only a connection to a Microsoft relay. This is the first known in-the-wild malware to abuse Microsoft Teams TURN relays for C2; the technique was demonstrated in 2025 by Praetorian under the name "Ghost Calls."
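To make the relay mechanism concrete, the following is an added example (not code from Symantec's analysis, not Backdoor.Turn's implementation, and not Microsoft's relay code) that encodes and decodes the generic TURN exchange defined in RFC 5389 and RFC 5766: a client Allocate request, the relay's success response carrying the relayed transport address, and the ChannelData frames that subsequently carry arbitrary payload. The relay address, lifetime and payload are constructed values, and the Teams-specific step (the anonymous visitor token used to authorise the allocation) is deliberately not modelled. The point for defenders is the last function: once a channel is bound, a tunnelled C2 session is nothing but opaque ChannelData frames to a Microsoft-owned relay.

```python
"""Minimal STUN/TURN (RFC 5389 / RFC 5766) encoder and decoder, added as an example.
Shows a TURN Allocate request/response followed by opaque ChannelData frames. It does not
contact any relay and does not model Teams-specific authentication (the anonymous visitor
token); addresses and payloads are constructed for illustration."""
import os
import struct

MAGIC_COOKIE = 0x2112A442
# STUN message types: 12 method bits plus class bits (request 0x0000, success 0x0100).
ALLOCATE_REQUEST = 0x0003
ALLOCATE_SUCCESS = 0x0103
# Attribute types used in this exchange.
ATTR_LIFETIME = 0x000D
ATTR_XOR_RELAYED_ADDRESS = 0x0016
ATTR_REQUESTED_TRANSPORT = 0x0019

def _attr(atype, value):
    """TLV attribute; value padded to a 4-byte boundary (RFC 5389 s.15)."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def build_stun(msg_type, attrs, txid=b""):
    """20-byte header (type, length, magic cookie, 96-bit transaction ID) + attributes."""
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + (txid or os.urandom(12)) + attrs

def parse_stun(data):
    """Parse header and attributes; raise ValueError if the bytes are not STUN."""
    if len(data) < 20 or data[0] & 0xC0:  # top two bits of a STUN message are zero
        raise ValueError("not a STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("bad magic cookie or length")
    attrs, off = {}, 20
    while off < 20 + length:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        attrs[atype] = data[off + 4:off + 4 + alen]
        off += 4 + alen + ((-alen) % 4)
    return {"type": msg_type, "txid": data[8:20], "attrs": attrs}

def xor_address(ip, port):
    """XOR-*-ADDRESS for IPv4: reserved, family 0x01, port ^ (cookie >> 16), ip ^ cookie."""
    ip_int = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    return struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), ip_int ^ MAGIC_COOKIE)

def decode_xor_address(value):
    _, family, xport, xip = struct.unpack("!BBHI", value)
    if family != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    ip = ".".join(str(b) for b in (xip ^ MAGIC_COOKIE).to_bytes(4, "big"))
    return ip, xport ^ (MAGIC_COOKIE >> 16)

def client_allocate_request():
    """Client side: request a UDP relay (REQUESTED-TRANSPORT = 17 followed by three RFFU bytes)."""
    return build_stun(ALLOCATE_REQUEST, _attr(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0])))

def relay_allocate_success(request, relayed_ip, relayed_port, lifetime=600):
    """Relay side: echo the transaction ID, return the relayed address and allocation lifetime."""
    req = parse_stun(request)
    attrs = _attr(ATTR_XOR_RELAYED_ADDRESS, xor_address(relayed_ip, relayed_port))
    attrs += _attr(ATTR_LIFETIME, struct.pack("!I", lifetime))
    return build_stun(ALLOCATE_SUCCESS, attrs, req["txid"])

def channel_data(channel, payload):
    """ChannelData frame (RFC 5766 s.11.4): channel 0x4000-0x7FFF, length, payload, 4-byte padding."""
    if not 0x4000 <= channel <= 0x7FFF:
        raise ValueError("channel number out of range")
    return struct.pack("!HH", channel, len(payload)) + payload + b"\x00" * ((-len(payload)) % 4)

def classify_frame(data):
    """All a passive sensor learns from the first two bits: 00 = STUN, 01 = ChannelData."""
    return {0: "stun", 1: "channeldata"}.get(data[0] >> 6, "other")

def demo():
    """Walk the exchange end to end and return what each side (and a sensor) can see."""
    req = client_allocate_request()
    # Constructed relay address (TEST-NET-1); a real Teams relay is a Microsoft address.
    resp = relay_allocate_success(req, "192.0.2.10", 50000)
    parsed = parse_stun(resp)
    relayed = decode_xor_address(parsed["attrs"][ATTR_XOR_RELAYED_ADDRESS])
    lifetime = struct.unpack("!I", parsed["attrs"][ATTR_LIFETIME])[0]
    # After ChannelBind (not modelled), C2 traffic is nothing but frames like this one.
    frame = channel_data(0x4000, b"whoami /all\n")  # constructed payload
    return {
        "request_type": parse_stun(req)["type"],
        "response_type": parsed["type"],
        "txid_echoed": parsed["txid"] == req[8:20],
        "relayed_address": relayed,
        "lifetime": lifetime,
        "frame_kind": classify_frame(frame),
        "frame_len": len(frame),
    }
```

Running demo() shows the relay echoing the client's transaction ID and handing back a relayed transport address with a lifetime; every subsequent frame is just a channel number plus a length, with no protocol-level hint about the payload. A network sensor can therefore tell that a host is holding a TURN allocation, towards which relay, and for how long, but not what is inside, which is why the detection controls later in this advisory key on process attribution, timing and volume rather than on content.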

Backdoor.Turn capabilities (confirmed)

  • Command execution
  • Process creation
  • Network scanning
  • TLS certificate capture
  • LDAP/Active Directory enumeration
  • Website title collection
  • Browser credential theft

Sideloading vector. A ZIP archive containing a legitimate VirtualBox/DbgView executable paired with a malicious DLL enables DLL sideloading — the executable loads the attacker's DLL under the guise of a trusted binary. DbgView64.exe is later used as the injection host for Backdoor.Turn.

BYOVD driver inventory

  • HWAuidoOs2Ec.sys (Huawei). CVE: not disclosed. Purpose: kernel-level privileges and security tool termination ("Havoc Process Terminator").
  • wsftprm.sys (Topaz Antifraud). CVE-2023-52271. Purpose: kernel-level privileges and security tool termination.
  • GameDriverx64.sys (Tower of Fantasy). CVE-2025-61155. Purpose: kernel-level privileges and security tool termination.
  • K7RKScan.sys (K7 Security). CVE-2025-61155 per the source text; unconfirmed. Purpose: kernel-level privileges and security tool termination.
  • ABYSSWORKER (custom; masquerades as a Palo Alto driver). CVE: not applicable. Purpose: custom malicious kernel-mode driver for defence evasion.

Persistence and policy abuse. The attacker created rogue user accounts, modified the LimitBlankPasswordUse security policy (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse; with the default value 1, local accounts with blank passwords may log on only at the physical console, and setting it to 0 lets them authenticate over the network, including SMB and RDP), and altered firewall rules to maintain access.

Unconfirmed or single-sourced claims. The link between DragonForce and Scattered Spider is reported by Symantec but is not corroborated in our reference data; treat it as unconfirmed. The specific SQL/MSSQL exploitation vector and CVE are undisclosed. The assignment of CVE-2025-61155 to both GameDriverx64.sys and K7RKScan.sys in the source text is likely a reporting artefact; verify against vendor advisories before actioning. CVE-2025-1055 appears in the source's indicator set but is not mapped to any driver in the text; section 5 lists it without attributing it to a component.

4. Mitigation & containment

P1 — within 24 hours (containment)

  • Block BYOVD driver loading. Deploy a driver allowlist or blocklist via WDAC/AppLocker to prevent loading of HWAuidoOs2Ec.sys, wsftprm.sys, GameDriverx64.sys, K7RKScan.sys, and any driver presenting as a Palo Alto Networks driver whose signer is not Palo Alto Networks. Block by file hash or signer rather than by filename, since attackers routinely rename drivers. Microsoft's recommended driver block rules for BYOVD apply; check whether the current Microsoft vulnerable driver blocklist already covers these files and that it is enforced (HVCI or WDAC) on endpoints.
  • Hunt for Backdoor.Turn artefacts. Search endpoints for DbgView64.exe processes with anomalous child processes or outbound network connections, unsigned DLLs loaded by VirtualBox/DbgView binaries, and Sysinternals DbgView running on servers where nobody debugs (SQL hosts in particular). Do not rely on the string Backdoor.Turn: it is Symantec's detection name, not an artefact the malware is known to carry.
  • Audit LimitBlankPasswordUse policy. Check secpol.msc → Local Policies → Security Options → "Accounts: Limit local account use of blank passwords to console logon only" (registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse, expected value 1) and revert any unauthorised change; a value of 0 means blank-password local accounts can log on over the network.
  • Audit firewall rules. Review Windows Firewall rules for unauthorised additions; remove any allowing attacker C2.
  • Audit local user accounts. Enumerate local and domain accounts for rogue additions; disable and remove any unauthorised.
  • Network containment. If compromise is confirmed, isolate affected hosts. Blocking non-Microsoft TURN endpoints does not address this campaign, which rides Microsoft's own relays; instead restrict TURN egress (UDP 3478-3481 and TCP 443 towards the Teams media ranges) to the Teams client process via host firewall application rules, and treat any other process holding such a connection as a containment trigger.

P2 — within 72 hours (remediation)

  • Patch vulnerable drivers. Apply vendor fixes for CVE-2023-52271 and CVE-2025-61155 where available; remove or replace affected drivers.
  • SQL/MSSQL hardening. Apply the latest security updates to SQL Server / MSSQL instances; review service accounts for least privilege; enable auditing on xp_cmdshell and similar high-risk features.
  • Credential rotation. Force rotation of all credentials accessible from compromised hosts, including browser-stored credentials, service accounts, and any credentials in AD that the compromised host could reach.
  • Teams tenant review. Review Microsoft 365 audit logs and Teams call records for unusual relay usage, and engage Microsoft for tenant-level forensic support if abuse is confirmed. Bear in mind that an anonymous visitor token is issued by Microsoft's service rather than by the victim tenant, so the allocation may leave no trace in the victim's own audit logs; endpoint and network telemetry are the more dependable sources.

P3 — within 7 days (resilience)

  • Egress filtering for TURN. Implement network controls that distinguish legitimate Teams TURN traffic from anomalous patterns (e.g., TURN allocations outside business hours, from non-Teams endpoints, or with unusual relay durations).
  • EDR tuning. Add detection rules for DLL sideloading into DbgView64.exe, VirtualBox executables, and other known LOLBins; alert on unsigned driver loads.
  • Tabletop exercise. Run a scenario exercising the TURN relay abuse and BYOVD chain to validate detection and response playbooks.
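The egress-filtering bullet above lists the discriminators (non-Teams process, off-hours allocation, unusual relay duration); the following is an added example, not code from Symantec or from this advisory's authors, that scores flow records against those heuristics. The telemetry is constructed, the allowlisted process names are assumptions to tune per estate, and the Microsoft address ranges are those published under Microsoft 365 endpoint ID 11 at the time of writing and must be refreshed from the live feed before use.

```python
"""Score outbound TURN-style flows against the egress heuristics above. Added example on
constructed telemetry, not from Symantec or the original advisory. Process names and the
Microsoft address ranges are illustrative; take the live ranges from the Microsoft 365
endpoint feed before using this in production."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Processes expected to hold a Teams TURN allocation (assumption; tune per estate).
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}
# Teams media ranges as listed under Microsoft 365 endpoint ID 11 at the time of writing;
# verify against the current feed, these change.
TEAMS_MEDIA_RANGES = [ip_network(n) for n in ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TURN_PORTS = {3478, 3479, 3480, 3481, 443}   # Teams uses UDP 3478-3481 and TCP 443
BUSINESS_HOURS = range(7, 20)                # 07:00-19:59 local time (assumption)
MAX_NORMAL_SECONDS = 4 * 3600                # longer than any ordinary meeting (assumption)

# Constructed sample telemetry: one ordinary call, one relay held overnight by DbgView64.exe
# towards the same Microsoft relay, and one Teams client talking to a non-Microsoft relay.
FLOWS = [
    {"host": "WS-0417", "process": "ms-teams.exe", "dst": "52.112.10.21", "dport": 3478,
     "start": "2025-12-09T10:02:11", "end": "2025-12-09T10:47:30",
     "bytes_out": 48_000_000, "bytes_in": 51_000_000},
    {"host": "SQL-02", "process": "Dbgview64.exe", "dst": "52.112.10.21", "dport": 3478,
     "start": "2025-12-09T23:14:05", "end": "2025-12-10T07:02:44",
     "bytes_out": 6_200_000, "bytes_in": 90_000},
    {"host": "WS-0108", "process": "teams.exe", "dst": "203.0.113.7", "dport": 3478,
     "start": "2025-12-09T14:00:00", "end": "2025-12-09T14:31:00",
     "bytes_out": 20_000_000, "bytes_in": 22_000_000},
]


def is_teams_relay(ip):
    """True if the destination falls inside the published Teams media ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TEAMS_MEDIA_RANGES)


def score_flow(flow):
    """Return the indicators a flow trips; each one is a reason from the P3 bullet above."""
    if flow["dport"] not in TURN_PORTS:
        return {"host": flow["host"], "process": flow["process"], "score": 0, "reasons": []}
    start, end = datetime.fromisoformat(flow["start"]), datetime.fromisoformat(flow["end"])
    duration = (end - start).total_seconds()
    reasons = []
    if flow["process"].lower() not in TEAMS_PROCESSES:
        reasons.append("non-Teams process holding a relay allocation")
    if not is_teams_relay(flow["dst"]):
        reasons.append("relay outside the Microsoft Teams media ranges")
    if start.hour not in BUSINESS_HOURS or end.hour not in BUSINESS_HOURS:
        reasons.append("allocation outside business hours")
    if duration > MAX_NORMAL_SECONDS:
        reasons.append("relay held for %.1f h" % (duration / 3600))
    total = flow["bytes_out"] + flow["bytes_in"]
    if total and flow["bytes_out"] / total > 0.9:
        reasons.append("upload-dominated flow (call media is roughly symmetric)")
    return {"host": flow["host"], "process": flow["process"], "score": len(reasons), "reasons": reasons}


def triage(flows):
    """Flows tripping at least one indicator, most suspicious first."""
    scored = (score_flow(f) for f in flows)
    return sorted((s for s in scored if s["score"]), key=lambda s: -s["score"])


if __name__ == "__main__":
    for finding in triage(FLOWS):
        print(finding["host"], finding["process"], finding["score"], "; ".join(finding["reasons"]))
```

The first two flows go to the same Microsoft relay address, which is the point of the technique: an IP-based allowlist sees them as identical, and only process attribution, timing and volume separate the overnight DbgView64.exe session from the lunchtime call. Feed real network telemetry that carries the originating image (Sysmon Event ID 3 or the EDR equivalent) in the same record shape and tune the thresholds to the estate before alerting on them.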

5. Indicators of compromise

All indicators below are assessed High confidence; source: Symantec, via BleepingComputer.

  • malware: Backdoor.Turn (Go-based RAT; this is Symantec's detection name, not a string expected inside samples)
  • driver: HWAuidoOs2Ec.sys (Huawei)
  • driver: wsftprm.sys (Topaz Antifraud)
  • driver: GameDriverx64.sys (Tower of Fantasy)
  • driver: K7RKScan.sys (K7 Security)
  • driver: ABYSSWORKER (custom; masquerades as a Palo Alto driver)
  • filename: DbgView64.exe (used as injection host)
  • filename: VirtualBox executable (sideloading vector)
  • cve: CVE-2023-52271
  • cve: CVE-2025-61155
  • cve: CVE-2025-1055 (present in the source's indicator set; not mapped to a specific driver in the analysis above)

6. Detection

YARA rule

rule AT_2026_06_16_104_BackdoorTurn_Indicators {
    meta:
        author = "Adverse Trace"
        date = "2026-06-16"
        description = "Hunting rule for artefacts associated with DragonForce Backdoor.Turn campaign abusing Microsoft Teams TURN relays"
        reference = "https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/"
    strings:
        // Vendor detection label; rarely present in the malware itself, kept for report and log hunting.
        $malware_name = "Backdoor.Turn" ascii wide
        // Custom kernel driver name and the four vulnerable drivers loaded via BYOVD.
        $custom_driver = "ABYSSWORKER" ascii wide
        $huawei_driver = "HWAuidoOs2Ec" ascii wide
        $topaz_driver = "wsftprm" ascii wide
        $tower_driver = "GameDriverx64" ascii wide
        $k7_driver = "K7RKScan" ascii wide
        // Sideloading hosts; common in legitimate software, so never sufficient on their own.
        $dbgview = "DbgView64.exe" ascii wide nocase
        $virtualbox = "VirtualBox" ascii wide nocase
    condition:
        // Driver names are the discriminating artefacts; the generic host names only
        // count when several indicators co-occur in the same file.
        filesize < 20MB and (
            $custom_driver or
            2 of ($huawei_driver, $topaz_driver, $tower_driver, $k7_driver) or
            3 of them
        )
}

Sigma rule

title: Suspicious DLL Sideloading into DbgView64.exe or VirtualBox Executable
id: AT-2026-06-16-104-001
status: experimental
description: |
  Detects DLL sideloading patterns associated with the DragonForce Backdoor.Turn campaign,
  where a malicious DLL is loaded by legitimate VirtualBox or DbgView64.exe binaries.
  Matches image-load events (Sysmon Event ID 7) in which one of the host binaries loads a
  DLL that is unsigned or that lives outside the Windows system directories; the host
  executable is the Image, the sideloaded library is the ImageLoaded.
author: Adverse Trace
date: 2026-06-16
references:
    - https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/
logsource:
    product: windows
    category: image_load
detection:
    selection_host:
        Image|endswith:
            - '\DbgView64.exe'
            - '\VirtualBox.exe'
            - '\VirtualBoxVM.exe'
    selection_dll:
        ImageLoaded|endswith: '.dll'
    filter_system_paths:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_signed:
        Signed: 'true'
    condition: selection_host and selection_dll and not 1 of filter_*
falsepositives:
    - Legitimate use of DbgView or VirtualBox by developers or IT staff
    - VirtualBox loading unsigned plug-in DLLs from its own installation directory
level: high

7. Sources

  • BleepingComputer — "Ransomware gang abuses Microsoft Teams relays to hide malicious traffic" — https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/ — 16 June 2026

8. Adverse Trace position

Severity: High. The combination of a novel C2 hiding technique (Teams TURN relay abuse), aggressive BYOVD defence evasion across four named vulnerable drivers, and a custom kernel-mode component (ABYSSWORKER) masquerading as a Palo Alto driver represents a meaningful escalation in tradecraft for the DragonForce operation. EMEA financial services clients should treat any confirmed compromise as a major ICT-related incident under DORA and initiate reporting per Art. 19 and NIS2 Art. 23 timelines. Attribution to DragonForce and the reported Scattered Spider link remain unconfirmed in our reference data; we will update this advisory when a MITRE ATT&CK profile is published or further corroboration emerges. Next steps: deploy the YARA and Sigma rules across managed EDR tenants, validate BYOVD driver blocklists, and conduct a focused hunt for TURN relay abuse patterns in Microsoft 365 audit logs.



Published via PulseTrace — Adverse Trace threat intelligence.
