Executive Summary
In December 2025, the DragonForce ransomware group infiltrated a major U.S. services firm by exploiting an SQL-related vulnerability. They deployed a custom Go-based remote access trojan (RAT) named Backdoor.Turn, which concealed command-and-control (C2) traffic within Microsoft Teams' TURN relay infrastructure. This method allowed the attackers to remain undetected for one to two months, as the malicious traffic appeared as legitimate Teams communication. (helpnetsecurity.com)
This incident underscores a significant evolution in cyberattack methodologies, highlighting the increasing sophistication of threat actors in leveraging trusted communication platforms to evade detection. Organizations must reassess their security postures to address such advanced persistent threats.
Why This Matters Now
The exploitation of widely used collaboration tools like Microsoft Teams for malicious purposes represents a growing trend in cyberattacks. As remote work continues to proliferate, the security of these platforms becomes paramount. Organizations must implement robust monitoring and anomaly detection mechanisms to identify and mitigate such stealthy intrusions promptly.
Attack Path Analysis
DragonForce ransomware operators exploited a vulnerability in an SQL or MS-SQL server to gain initial access to a major U.S. services firm. They escalated privileges by deploying a ZIP archive disguised as a tech support hotfix, which executed a DLL side-loading attack to disable security software. The attackers moved laterally within the network, conducting reconnaissance and setting up persistence mechanisms. They established command and control by deploying Backdoor.Turn, a Go-based RAT that concealed C2 traffic within Microsoft Teams relay infrastructure. The attackers exfiltrated sensitive data over a period of one to two months. Finally, they deployed the DragonForce ransomware, encrypting critical systems and demanding a ransom.
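The C2 channel described above relies on looking like ordinary Teams media traffic, so one defender-side check is to correlate egress flows to TURN relay ports with the process that opened them and with session shape. The following triage script is an added example, not code from the brief or from the vendors cited; it assumes a constructed key=value egress log format, that Teams media relays use the standard STUN/TURN port range 3478-3481, and assumed Teams client binary names.

```python
"""Flag TURN relay sessions that do not look like Microsoft Teams media.

Assumptions (not from the brief): process-aware egress logs in the
constructed key=value format below, Teams relays on ports 3478-3481
(the standard STUN/TURN port range), and the client binary names listed.
"""
from dataclasses import dataclass

TURN_PORTS = {3478, 3479, 3480, 3481}          # assumed Teams relay port range
TEAMS_BINARIES = {"ms-teams.exe", "teams.exe"}  # assumed Teams client names
MAX_SESSION_SEC = 4 * 3600                      # meeting-length upper bound (tunable)
MAX_UPLOAD_BYTES = 500_000_000                  # more upload than a call should need


@dataclass
class Flow:
    host: str
    process: str
    dst_port: int
    proto: str
    duration_sec: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    # One flow per line as space-separated key=value fields.
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["host"], kv["process"].lower(), int(kv["dst_port"]),
                kv["proto"], int(kv["duration_sec"]), int(kv["bytes_out"]))


def suspicious_reasons(f: Flow) -> list[str]:
    # Only TURN-port flows are in scope; each failed expectation adds a reason.
    if f.dst_port not in TURN_PORTS:
        return []
    reasons = []
    if f.process not in TEAMS_BINARIES:
        reasons.append(f"TURN traffic from non-Teams process {f.process}")
    if f.duration_sec > MAX_SESSION_SEC:
        reasons.append(f"session lasted {f.duration_sec}s")
    if f.bytes_out > MAX_UPLOAD_BYTES:
        reasons.append(f"{f.bytes_out} bytes uploaded")
    return reasons


def triage(lines):
    # Return (host, process, reasons) for every flow that raised at least one reason.
    return [(f.host, f.process, r) for f in map(parse_flow, lines)
            if (r := suspicious_reasons(f))]


SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "host=ws01 process=ms-teams.exe dst_port=3478 proto=udp duration_sec=2700 bytes_out=180000000",
    "host=srv-sql01 process=svchost.exe dst_port=3478 proto=tcp duration_sec=691200 bytes_out=9200000000",
    "host=ws02 process=chrome.exe dst_port=443 proto=tcp duration_sec=120 bytes_out=40000",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Only the long-lived, high-upload session from a non-Teams process on the constructed SQL host is flagged; the genuine Teams call and the unrelated HTTPS flow pass.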
Kill Chain Progression
Initial Compromise
Description
Exploited a vulnerability in an SQL or MS-SQL server to gain initial access.
MITRE ATT&CK® Techniques
- Exploit Public-Facing Application
- Ingress Tool Transfer
- Web Protocols
- Match Legitimate Name or Location
- Symmetric Cryptography
- Valid Accounts
- Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Change Control Processes (Control ID: 6.4.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Network and Environment Segmentation (Control ID: Pillar 3)
- NIS2 Directive – Incident Handling (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
DragonForce ransomware targeting Microsoft Teams infrastructure creates severe risks for IT services requiring enhanced egress security and zero trust segmentation controls.
Financial Services
Major U.S. services firm compromise demonstrates critical vulnerability to Teams-based C2 attacks, demanding strengthened multicloud visibility and encrypted traffic monitoring.
Computer Software/Engineering
Go-based RAT exploitation of collaboration platforms exposes software firms to lateral movement risks requiring Kubernetes security and anomaly detection capabilities.
Professional Training
Microsoft Teams relay abuse threatens training organizations' communications infrastructure, necessitating immediate threat detection and east-west traffic security implementation.
Sources
- DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic – https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html
- Cybercriminals mask malicious communications through Microsoft Teams relays – https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/
- DragonForce Ransomware Exploited Microsoft Teams to Hide in Attack Against Major Company – https://www.infosecurity-magazine.com/news/dragonforce-ransomware-hidden/
- Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden – https://www.security.com/blog-post/dragonforce-msteams-backdoor
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-based access controls.
- Control: Cloud Native Security Fabric (CNSF). Mitigation: The attacker's initial access may have been limited to the compromised server, reducing the potential for further exploitation.
- Control: Zero Trust Segmentation. Mitigation: The attacker's ability to escalate privileges could have been constrained, reducing the risk of disabling security mechanisms.
- Control: East-West Traffic Security. Mitigation: The attacker's lateral movement within the network may have been restricted, limiting access to other systems.
- Control: Multicloud Visibility & Control. Mitigation: The attacker's command and control communications may have been detected and disrupted, reducing their ability to manage compromised systems.
- Control: Egress Security & Policy Enforcement. Mitigation: The attacker's data exfiltration efforts could have been limited, reducing the volume of data accessed.
- Mitigation: The attacker's ability to deploy ransomware may have been constrained, reducing the number of systems affected.
Impact at a Glance
Affected Business Functions
- Client Services
- Internal Communications
- Data Management
Estimated downtime: 14 days
Estimated loss: $5,000,000
Potential exposure of sensitive client information and internal communications data.
Recommended Actions
Key Takeaways & Next Steps
- Implement East-West Traffic Security to monitor and control lateral movement within the network.
- Deploy Zero Trust Segmentation to enforce least privilege access and limit the spread of malware.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Integrate Threat Detection & Anomaly Response systems to identify and mitigate threats in real time.