
DragonForce Hides C2 Traffic in Microsoft Teams Relays with Backdoor.Turn
DragonForce-linked Backdoor.Turn uses Microsoft Teams’ TURN relay to hide its command-and-control traffic, obtaining an anonymous Teams token and establishing a QUIC connection to the attacker’s C2 server. The intrusion into a major U.S. services firm began with a BYOVD/DLL side-loading chain and included injection into DbgView64.exe for persistence, with initial access likely via an SQL/MS-SQL flaw or an initial access broker. The actors remained on the network for 1–2 months, illustrating a shift toward sophisticated, cartel-like ransomware operations.
