Security researchers say the ransomware group used a custom backdoor to disguise malicious traffic through legitimate Microsoft Teams infrastructure.
DragonForce malware has been linked to a new ransomware intrusion in which attackers hid malicious communications inside Microsoft Teams relay infrastructure, according to security researchers.
The activity involved a custom remote access trojan called Backdoor.Turn. Researchers said the tool helped attackers route command-and-control traffic through Microsoft’s legitimate Teams-related relay services during an attack on a U.S. services company.
The tactic is significant because security teams monitoring the victim’s network would mainly see outbound traffic to Microsoft servers. That made the intrusion harder to detect while the attackers maintained access for several weeks.
Researchers said the case appears to be the first known abuse of Microsoft Teams TURN relay infrastructure in a live attack. It also shows how ransomware groups are increasingly blending malicious activity with trusted cloud and collaboration services to avoid detection.
DragonForce malware hides behind trusted traffic
The DragonForce malware campaign stood out because it used legitimate Microsoft Teams infrastructure as part of its communication chain.
Backdoor.Turn obtained an anonymous Teams visitor token and used Microsoft relay services to help establish a connection. From a defender’s point of view, the traffic could look like normal communication with trusted Microsoft systems rather than a direct connection to an attacker-controlled server.
That approach gives attackers a major advantage. Many organizations allow Microsoft 365 and Teams traffic by default because these services are essential for daily work. If malicious traffic is mixed with trusted cloud activity, detection becomes more difficult.
This does not mean Microsoft Teams itself was compromised or malicious. Instead, attackers abused legitimate infrastructure in a way that helped them conceal their own communications.
Backdoor.Turn appears after ransomware deployment
Researchers said Backdoor.Turn was deployed after DragonForce ransomware had already been used in the compromised environment.
That timing suggests the backdoor may have been intended to preserve access, support follow-on activity or give attackers a way to return after the main ransomware stage. It was injected into a legitimate process, helping it blend into the system more effectively.
The backdoor reportedly had several capabilities. It could run commands, launch processes, scan networks, inspect directory environments, move across systems using stolen credentials and collect browser credentials.
For defenders, this makes the case especially serious. A ransomware incident may not end when encryption stops. Attackers may leave tools behind that allow them to re-enter the network later.
DragonForce malware shows advanced evasion tactics
The DragonForce malware operation also used several defense-evasion methods before the final ransomware payload was deployed.
Researchers said the attackers used DLL sideloading, a technique where a malicious file is loaded by a legitimate program. This allowed them to run harmful code while hiding behind trusted software behavior.
They also used a bring-your-own-vulnerable-driver approach, often called BYOVD. In this method, attackers load a legitimately signed but vulnerable driver and exploit it to gain kernel-level control and interfere with security tools.
The campaign reportedly involved several vulnerable drivers and a custom malware driver designed to look like a legitimate security-related driver. These tactics helped the attackers weaken defenses before stealing data and deploying ransomware.
Attack may have started through a server weakness
The intrusion was first observed in December 2025. Researchers believe the attackers may have entered through a vulnerable SQL or Microsoft SQL Server system, although the exact entry point was not confirmed.
Another possibility is that the attackers bought access from an initial access broker. These brokers specialize in breaking into organizations and then selling that access to ransomware groups or other cybercriminals.
Once inside, the attackers downloaded a ZIP archive containing a legitimate executable and a malicious DLL. They then used that setup to run additional tools for access, reconnaissance and evasion.
The attackers also created new user accounts, changed Windows access settings and modified firewall rules. These steps helped them move deeper into the network and prepare for the ransomware stage.
Why Microsoft Teams relay abuse matters
The abuse of Microsoft Teams relays matters because many companies trust traffic going to major cloud platforms.
Modern attackers know this. Instead of relying only on obvious suspicious connections, they increasingly use legitimate services to hide activity. This can include collaboration tools, cloud storage, remote management platforms and identity services.
For security teams, the lesson is clear. Trusting a domain or service name is no longer enough. Organizations need deeper monitoring that looks at behavior, unusual access patterns, abnormal process activity and unexpected traffic flows.
The DragonForce malware case also shows why endpoint detection, identity monitoring and network visibility must work together. A single control may miss activity that appears normal in isolation.
What organizations should learn from the attack
The DragonForce malware campaign offers several defensive lessons for businesses.
Organizations should monitor unusual Microsoft Teams and Microsoft 365 traffic patterns, especially when connections come from servers or systems that do not normally use those services. They should also review account creation events, firewall changes and suspicious use of legitimate administration tools.
Security teams should prioritize patching exposed SQL servers and other internet-facing systems. They should also watch for vulnerable drivers, unexpected driver loading and attempts to disable endpoint protection.
Most importantly, ransomware response should include a search for persistence tools. If attackers deploy a backdoor after ransomware, restoring files alone may not remove the threat.
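The monitoring advice above (relay traffic from hosts that have no business using Teams, plus account creation, firewall changes and unexpected driver loads on the same host) can be turned into a simple correlation check. This is an added example written for this article, not code from the researchers or from Microsoft; the relay port range, the Microsoft address blocks, the host baseline and the log records are all assumptions or constructed sample data that a real deployment would replace with its own allowlists and telemetry.

```python
# Added example: correlate relay-port traffic from non-Teams hosts with
# Windows account/firewall/driver events. Constructed data, not from the report.
from collections import defaultdict
import ipaddress

# Assumption: Teams relays listen on 3478-3481 (STUN/TURN) and sit in
# Microsoft-published ranges; both lists are placeholders for your own allowlist.
RELAY_PORTS = range(3478, 3482)
RELAY_NETS = [ipaddress.ip_network("52.112.0.0/14"), ipaddress.ip_network("52.122.0.0/15")]
# Hosts with a Teams client that are expected to reach relays (constructed baseline).
TEAMS_BASELINE = {"ws-alice", "ws-bob"}
# Windows Security 4720 = user account created, 4946 = firewall rule added;
# Sysmon 6 = driver loaded. Any of these on a flagged host adds a finding.
SUSPECT_EVENTS = {4720: "account created", 4946: "firewall rule added", 6: "driver loaded"}

def is_relay_dst(ip, port):
    """True when a destination looks like a Teams relay endpoint."""
    addr = ipaddress.ip_address(ip)
    return port in RELAY_PORTS and any(addr in net for net in RELAY_NETS)

def hunt(flows, events):
    """Return {host: [findings]} for hosts outside the Teams baseline that talk
    to relay endpoints, enriched with suspect Windows events on the same host."""
    findings = defaultdict(list)
    for f in flows:
        if f["host"] not in TEAMS_BASELINE and is_relay_dst(f["dst"], f["dport"]):
            findings[f["host"]].append(f"relay traffic {f['dst']}:{f['dport']}/{f['proto']}")
    for e in events:
        if e["host"] in findings and e["id"] in SUSPECT_EVENTS:
            findings[e["host"]].append(f"event {e['id']}: {SUSPECT_EVENTS[e['id']]}")
    return dict(findings)

# Constructed sample data: a workstation on a normal Teams call and a SQL
# server that has no reason to reach Teams relays.
FLOWS = [
    {"host": "ws-alice", "dst": "52.112.10.5", "dport": 3478, "proto": "udp"},
    {"host": "sql-01", "dst": "52.122.4.9", "dport": 3478, "proto": "tcp"},
    {"host": "sql-01", "dst": "10.0.0.5", "dport": 445, "proto": "tcp"},
]
EVENTS = [
    {"host": "sql-01", "id": 4720}, {"host": "sql-01", "id": 4946},
    {"host": "sql-01", "id": 6}, {"host": "ws-alice", "id": 4720},
]

if __name__ == "__main__":
    for host, items in hunt(FLOWS, EVENTS).items():
        print(host, "->", "; ".join(items))
```

The workstation's relay traffic is ignored as expected behaviour, while the SQL server is reported once for the relay connection and once for each correlated host event.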
DragonForce remains a serious ransomware threat
DragonForce has operated as a ransomware-as-a-service group since 2023. Under that model, affiliates use the group’s tools and services in exchange for sharing ransom proceeds.
The latest case suggests the group’s affiliates are becoming more technically capable and more persistent. By combining data theft, ransomware, vulnerable driver abuse and cloud-based traffic concealment, they can make attacks harder to detect and contain.
The DragonForce malware campaign is a warning for organizations that rely heavily on trusted collaboration platforms. Attackers are no longer only trying to break through the front door. They are also learning how to hide in the normal traffic businesses depend on every day.