Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden
Symantec, Tuesday, June 16th, 2026
DragonForce attackers used a Go-based backdoor to hide C2 traffic inside Microsoft Teams TURN relay infrastructure.
The DragonForce ransomware group (tracked as Hackledorb) compromised a major U.S. services firm using novel evasion techniques. Their custom backdoor, Backdoor.Turn, obtained anonymous Teams authentication tokens and routed malicious traffic through legitimate Microsoft TURN relay servers, making it nearly invisible to network defenders.
The attackers stayed undetected for one to two months while also deploying multiple vulnerable drivers for defense evasion, including a previously unknown exploitation of a Huawei driver. Symantec calls it the first documented case of TURN relay infrastructure abuse in real attacks.