Business / Tue, 16 Jun 2026 SECURITY.COM

Hidden in Teams: DragonForce Attackers Weaponize Microsoft Teams Relays to Stay Hidden


Attackers deploying the DragonForce ransomware against a major U.S. services firm hid their command-and-control (C&C) traffic inside Microsoft Teams' own relay infrastructure, using a custom Go-based backdoor that Symantec is tracking as Backdoor.Turn. To network defenders, the only visible traffic was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months.

Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session through that relay to the attacker's real C&C server. To our knowledge this is the first time TURN relay infrastructure has been abused this way in the wild. It is relatively unusual to see ransomware attackers using their own custom tools, and particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn.
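The reason this hides so well is that the destination is indistinguishable from normal Teams media traffic, so the useful check is on the host rather than on the wire: which process is talking to the relay. The following Python script, added here as an illustration and not code from the original article or from Symantec, runs that check over a few constructed Sysmon-style network-connection records. The IP ranges, the UDP ports, the Teams client image names and the implant's file path are all assumptions; the ranges and ports should be verified against Microsoft's current Teams endpoint list before use.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: Microsoft-published Teams media/relay IP ranges and UDP ports.
# Check them against Microsoft's current endpoint list before relying on them.
TEAMS_MEDIA_NETS = [ipaddress.ip_network(n) for n in (
    "13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TURN_PORTS = range(3478, 3482)   # UDP 3478-3481: STUN/TURN media relay
QUIC_PORT = 443                  # UDP 443: QUIC
# Assumption: image names of the legitimate Teams clients deployed on the estate.
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}


@dataclass
class NetEvent:
    """Minimal Sysmon Event ID 3 (NetworkConnect) style record."""
    image: str       # full path of the process that opened the connection
    dst_ip: str
    dst_port: int
    protocol: str    # "udp" or "tcp"


# Constructed sample telemetry; not from the incident. The svc.exe path is a
# placeholder, not the real Backdoor.Turn file name.
SAMPLE_EVENTS = [
    NetEvent(r"C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe", "52.113.10.20", 3478, "udp"),
    NetEvent(r"C:\Users\Public\Libraries\svc.exe", "52.113.10.21", 3479, "udp"),
    NetEvent(r"C:\Users\Public\Libraries\svc.exe", "13.107.64.9", 443, "udp"),
    NetEvent(r"C:\Windows\System32\svchost.exe", "13.107.4.50", 443, "tcp"),
    NetEvent(r"C:\Program Files\Zoom\Zoom.exe", "203.0.113.7", 3478, "udp"),
]


def is_teams_relay(dst_ip: str, dst_port: int, protocol: str) -> bool:
    """True if the destination looks like a Teams TURN/QUIC media relay.

    This is all a network sensor sees for every legitimate Teams call, which is
    why the destination alone cannot separate Backdoor.Turn from the client.
    """
    if protocol.lower() != "udp":
        return False
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in net for net in TEAMS_MEDIA_NETS):
        return False
    return dst_port in TURN_PORTS or dst_port == QUIC_PORT


def find_suspicious(events):
    """Relay connections opened by any process other than the Teams client."""
    findings = []
    for e in events:
        if not is_teams_relay(e.dst_ip, e.dst_port, e.protocol):
            continue
        name = e.image.rsplit("\\", 1)[-1].lower()
        if name in TEAMS_IMAGES:
            continue  # expected: the real client using the relay
        findings.append((e.image, e.dst_ip, e.dst_port))
    return findings


def per_image_counts(findings):
    """Group findings by process image so a long-lived implant stands out."""
    counts = {}
    for image, _, _ in findings:
        counts[image] = counts.get(image, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_EVENTS)
    for image, ip, port in hits:
        print(f"non-Teams process {image} -> Teams relay {ip}:{port}/udp")
    print(per_image_counts(hits))
```

Anything flagged this way still needs triage: other collaboration and VPN clients also speak TURN, and the 443/udp rule matches any QUIC user. What the per-image count is meant to surface is a single non-Teams binary holding relay sessions over an extended period, which is what an implant like Backdoor.Turn looks like from the host's point of view.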

The attackers also used the Bring Your Own Vulnerable Driver (BYOVD) technique for defense evasion, including a novel variant of the Havoc Process Terminator attack in which a custom technique leverages Huawei's HWAuidoOs2Ec.sys driver. This driver was not known to have been exploited this way in the wild before this attack; its vulnerable status was documented by researchers at Huntress in March 2026, after the attack took place.

Attack chain

It appears that the attackers gained access to the victim network by exploiting a vulnerability in either an SQL or MSSQL server, although which vulnerability this was is not known. It is also possible that the attackers purchased access from an access broker. The activity began on the victim network in December 2025. Once on the network, they downloaded a .zip archive containing, among other things, a legitimate VirtualBox/DbgView executable together with a malicious DLL intended to be side-loaded by it. When executed, the malicious vboxrt.dll downloads code from a list of servers, and that code is used for a number of purposes, including securing access, reconnaissance, and evading detection (see Figure 1).

To maintain persistence and resilience, the threat actor performed specific system configurations, including:

Setting LimitBlankPassword (the LimitBlankPasswordUse value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) so that accounts with blank passwords can be used for network logons, allowing easy access to the compromised machines

Adding users and group memberships to create another way to access the machines

Modifying firewall rules to facilitate remote access and ensure C&C communication remains unhindered.
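Each of the three configuration changes above leaves an auditable trace on the host. The script below, added here as an example rather than code from the article or from Symantec, expresses them as detection rules and runs them over constructed sample events shaped like Sysmon Event IDs 1 and 13 and Security log Event IDs 4720, 4732 and 4946 (the last of which only appears if MPSSVC rule-level policy-change auditing is enabled). The event layout, the group list, and the account and rule names are assumptions.

```python
import re

# Assumption: local groups whose membership grants a way back onto the host.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "remote management users"}
LSA_VALUE = r"\control\lsa\limitblankpassworduse"

# Constructed sample telemetry; not from the incident. Field names follow
# Sysmon (Event ID 1, 13) and the Windows Security log (4720, 4732, 4946).
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "id": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     "Details": "DWORD (0x00000000)"},
    {"channel": "Sysmon", "id": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     "Details": "DWORD (0x00000001)"},           # restores the default: benign
    {"channel": "Security", "id": 4720, "TargetUserName": "svc_backup",
     "SubjectUserName": "Administrator"},
    {"channel": "Security", "id": 4732, "TargetUserName": "Administrators",
     "MemberName": "svc_backup", "SubjectUserName": "Administrator"},
    {"channel": "Security", "id": 4732, "TargetUserName": "Performance Log Users",
     "MemberName": "jdoe", "SubjectUserName": "Administrator"},
    {"channel": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Remote Access" '
                    'dir=in action=allow protocol=TCP localport=3389'},
    {"channel": "Security", "id": 4946, "RuleName": "Remote Access", "ProfileChanged": "All"},
]


def rule_blank_password(e):
    """LimitBlankPasswordUse written as 0: blank-password accounts become usable over the network."""
    if e["channel"] != "Sysmon" or e["id"] != 13:
        return None
    if not e["TargetObject"].lower().endswith(LSA_VALUE):
        return None
    m = re.search(r"0x([0-9a-f]+)", e["Details"], re.I)
    if m and int(m.group(1), 16) == 0:
        return f"LimitBlankPasswordUse set to 0 by {e['Image']}"
    return None


def rule_account(e):
    """New local account, or a member added to a group that grants remote access."""
    if e["channel"] != "Security":
        return None
    if e["id"] == 4720:
        return f"local account {e['TargetUserName']} created by {e['SubjectUserName']}"
    if e["id"] == 4732 and e["TargetUserName"].lower() in PRIVILEGED_GROUPS:
        return f"{e['MemberName']} added to {e['TargetUserName']} by {e['SubjectUserName']}"
    return None


def rule_firewall(e):
    """Inbound allow rule added via netsh, or any rule addition audited as 4946."""
    if e["channel"] == "Sysmon" and e["id"] == 1:
        cl = e["CommandLine"].lower()
        if "advfirewall" in cl and "add rule" in cl and "action=allow" in cl:
            return f"firewall allow rule added from command line: {e['CommandLine']}"
    if e["channel"] == "Security" and e["id"] == 4946:
        return f"firewall rule '{e['RuleName']}' added (profile: {e['ProfileChanged']})"
    return None


RULES = {"blank_password": rule_blank_password, "account": rule_account, "firewall": rule_firewall}


def detect(events):
    """Run every rule over every event; returns (rule_name, message) pairs."""
    findings = []
    for e in events:
        for name, rule in RULES.items():
            msg = rule(e)
            if msg:
                findings.append((name, msg))
    return findings


if __name__ == "__main__":
    for name, msg in detect(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

None of these events is rare on its own; administrators create accounts and open ports. What matters in an intrusion like this one is the cluster: a blank-password relaxation, a new privileged account and an inbound allow rule on the same host within a short window, which is why the rules return structured findings that can be correlated rather than just printing.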

The attackers also weaponized DLL hijacking against the VirtualBox application. By forcing a legitimate, signed executable to load their malicious DLL, they bypassed security monitoring that trusts signed binaries and gained code execution inside a trusted VirtualBox process, inheriting whatever privileges that process was launched with.
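Both the BYOVD driver described earlier and the DLL hijacking described here rely on the same blind spot: a validly signed component is loaded, so tooling that stops at "is it signed?" sees nothing. The Python script below is an added example (not the article's or Symantec's code) that instead keys on where the component is loaded from and what loaded it, run over constructed records shaped like Sysmon Event ID 7 (ImageLoad) and Event ID 6 (DriverLoad). The trusted-directory prefixes, the file paths and the driver list are assumptions; the driver name is spelled as it appears on this page.

```python
import ntpath

# DLL names known to be side-loaded; vboxrt.dll is the one named on the page.
SIDELOAD_DLLS = {"vboxrt.dll"}
# Assumption: directories where a vendor's signed executable normally lives and
# where an ordinary user cannot drop a DLL next to it.
TRUSTED_EXE_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# HWAuidoOs2Ec.sys is the driver name given on the page. Assumption: in practice
# this set is populated from Microsoft's vulnerable driver blocklist.
VULN_DRIVERS = {"hwauidoos2ec.sys"}
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Constructed sample telemetry modelled on Sysmon Event ID 7 (ImageLoad) and
# Event ID 6 (DriverLoad); none of it comes from the incident.
SAMPLE_EVENTS = [
    {"id": 7, "Image": r"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe",
     "ImageLoaded": r"C:\Program Files\Oracle\VirtualBox\VBoxRT.dll", "Signed": "true"},
    {"id": 7, "Image": r"C:\Users\Public\vbox\VBoxSVC.exe",
     "ImageLoaded": r"C:\Users\Public\vbox\vboxrt.dll", "Signed": "false"},
    {"id": 7, "Image": r"C:\Users\Public\vbox\VBoxSVC.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"id": 6, "ImageLoaded": r"C:\Windows\Temp\HWAuidoOs2Ec.sys", "Signed": "true"},
]


def rule_sideload(e):
    """A DLL loaded from the executable's own directory, outside a trusted
    install path, that is either unsigned or a known side-load target."""
    if e["id"] != 7:
        return None
    exe_dir = ntpath.dirname(e["Image"]).lower()
    dll_dir = ntpath.dirname(e["ImageLoaded"]).lower()
    dll = ntpath.basename(e["ImageLoaded"]).lower()
    if dll_dir != exe_dir:
        return None          # loaded from System32 etc.: normal search order
    if exe_dir.startswith(TRUSTED_EXE_DIRS):
        return None          # vendor-installed copy loading its own DLL
    if dll in SIDELOAD_DLLS or e.get("Signed", "false").lower() != "true":
        return f"possible side-load: {e['Image']} loaded {e['ImageLoaded']}"
    return None


def rule_byovd(e):
    """A driver on the vulnerable list, or one loading from an unusual path.
    The signature field is deliberately ignored: BYOVD drivers are validly signed."""
    if e["id"] != 6:
        return None
    name = ntpath.basename(e["ImageLoaded"]).lower()
    drv_dir = ntpath.dirname(e["ImageLoaded"]).lower() + "\\"
    if name in VULN_DRIVERS:
        return f"known vulnerable driver loaded: {e['ImageLoaded']}"
    if not drv_dir.startswith(DRIVER_DIRS):
        return f"driver loaded from unusual path: {e['ImageLoaded']}"
    return None


def detect(events):
    """Run both rules over every event; returns (rule_name, message) pairs."""
    findings = []
    for e in events:
        for rule in (rule_sideload, rule_byovd):
            msg = rule(e)
            if msg:
                findings.append((rule.__name__, msg))
    return findings


if __name__ == "__main__":
    for name, msg in detect(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The side-load rule does not fire on the real VirtualBox installation loading its own VBoxRT.dll from Program Files; it fires when a copy of the same signed executable sits in a user-writable directory with a DLL of the same name beside it, which is the shape of the attack described above. Treat the unusual-path driver heuristic as a lead rather than a verdict, since some legitimate software installs drivers outside the two standard locations, and keep VULN_DRIVERS in step with Microsoft's blocklist, which is where the page's driver will appear once its vulnerable status is recorded.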
