Ransomware gang hides C2 traffic via Teams relays
🔒 Symantec warns that DragonForce ransomware used a custom Go-based backdoor, Backdoor.Turn, to hide command-and-control traffic by abusing Microsoft Teams' TURN relay infrastructure. The malware obtains anonymous Teams visitor tokens and tunnels C2 communications through legitimate TURN relays, making malicious traffic appear as normal Teams activity. The campaign, observed in December 2025, also used BYOVD drivers for kernel privileges and extensive post-exploitation tools to exfiltrate data and deploy ransomware.
