Attackers Weaponize Microsoft Teams Relays to Stay Hidden
Essential information

- Published: 16/06/2026 16:44
- Modified: 16/06/2026 17:49
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: backdoor.turn, byovd, credential theft, cve-2023-52271, cve-2025-1055, cve-2025-61155, dll side-loading, dragonforce, microsoft teams abuse, ransomware, turn relay, vulnerable drivers
- Tags: 2026-06-16, CVE-2023-52271, CVE-2025-1055, CVE-2025-61155, backdoor.turn, byovd, credential-theft, dll side-loading, dragonforce, microsoft teams abuse, ransomware, turn relay, vulnerable drivers
- Related entities: 3 vulnerabilities (cve), 26 indicators, 26 observables, 1 intrusion set (apt), 18 techniques (mitre), 2 malware, 9 others
Description
Attackers deploying DragonForce ransomware against a major U.S. services firm concealed their command-and-control traffic within Microsoft Teams relay infrastructure using Backdoor.Turn, a custom Go-based remote access trojan. This novel technique leverages anonymous Teams visitor tokens and TURN relay servers so that malicious communications blend in with legitimate Microsoft traffic. The intrusion lasted one to two months, beginning in December 2025 with exploitation of an SQL Server vulnerability. The attackers employed sophisticated defense evasion tactics, including DLL side-loading via VirtualBox executables and multiple Bring Your Own Vulnerable Driver (BYOVD) techniques. They exploited a previously unknown vulnerability in Huawei's HWAuidoOs2Ec.sys driver, along with several other vulnerable drivers, to terminate security processes at the kernel level. The campaign demonstrates DragonForce's evolution into a highly capable ransomware cartel with advanced operational maturity.