DragonForce crews hid C2 inside Microsoft Teams traffic with a Go backdoor
A Symantec case shows custom malware using legitimate Teams infrastructure to keep defenders blind.

Symantec reports DragonForce ransomware operators deployed a custom Go-based backdoor, Backdoor.Turn, after gaining access to a major US services company. The backdoor routed command-and-control activity through Microsoft Teams and Skype back-end services, making malicious traffic look like routine corporate collaboration.
Cybercriminals have a new camouflage layer, and it is painfully familiar: Microsoft Teams. Symantec says DragonForce attackers gained access to a major US services company and spent up to two months operating inside that environment while disguising their command-and-control activities as legitimate Teams traffic.
The key is the custom Go-based backdoor Symantec tracks as "Backdoor.Turn." Instead of calling out to attacker-controlled infrastructure that might trip alarms, the backdoor hid its activity inside traffic associated with Microsoft’s widely used collaboration platform. To anyone monitoring network traffic, the compromised systems appeared to communicate only with legitimate Microsoft servers.
Here is why this matters beyond the “cool trick” factor. Many security programs build defenses around what should be normal: where data goes, what servers are used, and what patterns stand out as suspicious. Symantec explicitly points to the outcome of Backdoor.Turn’s configuration: security products only see command-and-control traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors. In other words, the defenders did not just lose visibility. They were staring at the wrong kind of evidence.
Symantec says this intrusion began when attackers gained access to the victim’s environment before deploying Backdoor.Turn to maintain communication with compromised systems. After that, the ransomware operation became the next phase. Symantec says the attackers installed Backdoor.Turn on systems after deploying DragonForce ransomware, potentially giving them a way back into compromised networks or access they could later sell to other criminals. That sequencing is an important signal for executives: ransomware is not always the finish line. Sometimes it is the moment when persistence moves into the foreground.
The mechanics are also specific, and that is where incident response teams will care. To connect to Microsoft’s infrastructure, the backdoor first requested an anonymous visitor token from Microsoft Teams and Skype back-end services. It then used a Microsoft-operated TURN relay server, infrastructure normally used to relay call traffic between users who cannot reach each other directly. After that setup, the backdoor established a direct QUIC connection to a malicious command-and-control server.
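The sequence above (trusted relay first, then a QUIC session to a host outside the collaboration platform) is itself a correlation a network sensor can look for. The script below is an added illustration, not code from Symantec or from the Backdoor.Turn sample: it parses constructed flow records, treats a UDP flow to a STUN/TURN port on a trusted relay range as an allocation, and alerts when the same host opens a QUIC session (UDP/443) to an untrusted destination within a short window. The flow-record format, the trusted range (an RFC 5737 documentation prefix standing in for a vendor-published list) and the fifteen-minute window are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical allowlist of collaboration/relay ranges the organisation has
# verified against the vendor's published address list. RFC 5737 documentation
# prefixes are used as stand-ins here; they are NOT real Microsoft ranges.
TRUSTED_COLLAB_NETS = [ip_network("198.51.100.0/24")]

STUN_TURN_PORTS = {3478, 3479}   # IANA-registered STUN/TURN ports


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    app: str      # application label assigned by the sensor, e.g. "quic"


@dataclass(frozen=True)
class Alert:
    host: str
    relay_dst: str
    quic_dst: str
    gap_seconds: float


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record in the constructed format:
    <iso-timestamp> <src> <dst> <proto> <dport> <app-label>"""
    ts, src, dst, proto, dport, app = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst,
                proto.lower(), int(dport), app.lower())


def is_trusted(dst: str) -> bool:
    """True when the destination falls inside the verified relay ranges."""
    addr = ip_address(dst)
    return any(addr in net for net in TRUSTED_COLLAB_NETS)


def is_turn_allocation(f: Flow) -> bool:
    """UDP to a STUN/TURN port on trusted relay infrastructure."""
    return f.proto == "udp" and f.dport in STUN_TURN_PORTS and is_trusted(f.dst)


def is_quic(f: Flow) -> bool:
    """QUIC heuristic: sensor label, or UDP/443 when the label is missing."""
    return f.proto == "udp" and (f.app == "quic" or f.dport == 443)


def find_relay_pivots(flows, window=timedelta(minutes=15)):
    """Flag hosts that allocate a relay on trusted collaboration infrastructure
    and, within `window`, open a QUIC session to a destination outside it.
    Flows are processed in timestamp order; only the most recent allocation
    per host is kept."""
    last_turn = {}   # source host -> most recent TURN allocation flow
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if is_turn_allocation(f):
            last_turn[f.src] = f
            continue
        if is_quic(f) and not is_trusted(f.dst):
            t = last_turn.get(f.src)
            if t is not None and f.ts - t.ts <= window:
                alerts.append(Alert(f.src, t.dst, f.dst,
                                    (f.ts - t.ts).total_seconds()))
    return alerts


# Constructed sample: one host pivots from the relay to an outside QUIC peer,
# one host only ever talks to trusted ranges, one host has QUIC traffic with no
# prior relay allocation, and the first host's later QUIC flow is outside the window.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 198.51.100.10 udp 3478 stun-turn
2024-05-01T10:00:42 10.0.0.5 203.0.113.7 udp 443 quic
2024-05-01T10:02:00 10.0.0.6 198.51.100.10 udp 3478 stun-turn
2024-05-01T10:02:30 10.0.0.6 198.51.100.20 udp 443 quic
2024-05-01T10:05:00 10.0.0.7 203.0.113.9 udp 443 quic
2024-05-01T12:30:00 10.0.0.5 203.0.113.8 udp 443 quic
"""


def run_sample():
    flows = [parse_flow(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_relay_pivots(flows)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.host}: relay {a.relay_dst} then QUIC to "
              f"{a.quic_dst} after {a.gap_seconds:.0f}s")
```

On the constructed sample only 10.0.0.5 is flagged: 10.0.0.6 stays inside the trusted range, 10.0.0.7 never allocated a relay, and the later flow from 10.0.0.5 falls outside the window. The rule is deliberately narrow; a sensor that cannot label QUIC will also need the port-based fallback, and the trusted ranges must be refreshed whenever the vendor publishes new prefixes, or the allowlist itself becomes the blind spot.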
Symantec describes this as the first known case of malware using this particular technique. That “first known case” language is a classic early-warning flare. It does not mean defenders are safe. It means this pattern is still emerging, which usually implies more experimentation to come. And for organizations that rely on cloud collaboration, the stakes are awkwardly high: Teams traffic is ubiquitous, encrypted, and treated as business-as-usual. Making it the carrier for command-and-control is like using the company’s internal mailroom to ship stolen goods. Nothing looks strange until you know what you are looking for.
This case lands in a broader ransomware ecosystem that has been getting more industrial and more affiliate-friendly. Symantec notes that DragonForce has become increasingly prominent over the past year, operating a ransomware-as-a-service model that allows affiliates to conduct attacks under the DragonForce banner. Symantec also links it to the Scattered Spider group, which has carried out high-profile attacks, including intrusions targeting major retailers in the UK. While Symantec did not identify the victim beyond describing it as a major US services company, and did not say whether the Teams-based channel appeared in other DragonForce incidents, the implication is consistent: operators keep looking for ways to blend into the software and infrastructure organizations trust most.
For boards and executive teams, this shifts the risk conversation in two ways. First, it increases the chance that “benign-looking” infrastructure will be weaponized, which can turn standard telemetry and alerting into a false comfort. Second, it reinforces that post-ransom access and re-entry are part of the business model, meaning recovery plans need to treat the compromise as potentially ongoing, not concluded when files are encrypted. The question for peers with enterprise Microsoft 365 footprints is straightforward: if your normal collaboration traffic can mask command-and-control, how confidently can your security team distinguish real business usage from the malicious version of it?