DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
DragonForce hackers are leveraging Microsoft Teams relay infrastructure to hide the command-and-control (C2) traffic of Backdoor.Turn. The tactic was identified by Symantec and Carbon Black, who observed a custom Go-based remote access trojan (RAT) using Teams relays for this concealment. The backdoor was reportedly deployed against a significant U.S. services firm; the company has not been named.

By routing C2 through the legitimate communication channels of Microsoft Teams, the attackers make it difficult for security defenses to distinguish malicious traffic from normal user activity. This lets the threat actors maintain persistent access to compromised systems and exfiltrate data or execute further commands without immediate detection. Using cloud services such as Microsoft Teams as C2 infrastructure is a growing trend among sophisticated threat groups seeking to evade traditional security controls.

Symantec and Carbon Black's analysis highlights the evolving tactics of ransomware groups like DragonForce, and emphasizes the need for threat detection and response capabilities that can spot anomalous behavior in network traffic even when it flows over encrypted or otherwise legitimate communication platforms.
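As an added defender-side example (not code from the article, and not Symantec or Carbon Black's detection logic), the following Python script shows two checks a telemetry pipeline could run to surface the kind of anomaly described above: connections to Teams relay hosts from a process that is not the Teams client, and relay flows whose timing is too regular for human-driven media sessions. Everything in it is assumed or constructed: the relay hostnames are placeholders (the article names none), the Teams client image names are the commonly seen ones and may need adjusting for your environment, the event records are constructed sample telemetry, and the thresholds are starting points to tune against your own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection as an EDR/Sysmon-style network event would log it."""
    ts: int         # epoch seconds
    host: str       # endpoint that opened the connection
    process: str    # image name of the connecting process
    dest: str       # destination hostname (or IP if nothing resolved)
    dport: int


# Placeholder relay hostnames (assumption): the article names no endpoints, so an
# org would populate this from its own DNS/proxy logs of real Teams relay traffic.
TEAMS_RELAY_HOSTS = {
    "relay-placeholder-1.teams.example",
    "relay-placeholder-2.teams.example",
}

# Assumed image names of the legitimate Teams client; extend for your estate.
TEAMS_CLIENT_IMAGES = {"ms-teams.exe", "teams.exe"}


def unexpected_relay_clients(events):
    """Relay connections made by any process other than the Teams client.

    A RAT that tunnels C2 through Teams relays blends in on the wire, but the
    process that owns the socket is still visible in host telemetry.
    """
    return [
        e for e in events
        if e.dest in TEAMS_RELAY_HOSTS and e.process.lower() not in TEAMS_CLIENT_IMAGES
    ]


def beaconing_flows(events, min_count=6, max_cv=0.15):
    """Map (host, process, dest) -> mean interval for flows with near-constant gaps.

    cv = stdev / mean of the gaps between successive connections. Interactive
    meeting traffic is bursty (high cv); a polling C2 loop with little jitter is
    not. Thresholds are starting points, not tuned values.
    """
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e.host, e.process, e.dest)].append(e.ts)

    flagged = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            flagged[flow] = round(m, 1)
    return flagged


# Constructed sample telemetry: one workstation with legitimate bursty Teams
# sessions, and a second one where an unrelated binary polls a relay every ~60 s.
SAMPLE_EVENTS = [
    NetEvent(ts, "ws-constructed-03", "ms-teams.exe", "relay-placeholder-2.teams.example", 443)
    for ts in (1000, 1004, 1900, 1905, 5000, 5010)
] + [
    NetEvent(ts, "ws-constructed-07", "updater.exe", "relay-placeholder-1.teams.example", 443)
    for ts in (2000, 2060, 2119, 2180, 2240, 2302, 2360, 2420)
] + [
    # Same binary talking to a non-relay host: not a relay finding, not periodic enough.
    NetEvent(3000, "ws-constructed-07", "updater.exe", "update-placeholder.example", 443),
]


if __name__ == "__main__":
    for e in unexpected_relay_clients(SAMPLE_EVENTS):
        print(f"non-Teams process on relay: {e.host} {e.process} -> {e.dest}:{e.dport}")
    for flow, interval in beaconing_flows(SAMPLE_EVENTS).items():
        print(f"periodic flow every ~{interval}s: {flow}")
```

Both checks deliberately ignore payload, which is what makes them useful here: the relay traffic itself is indistinguishable from a real call, so the signal has to come from who is talking (process identity) and how (timing), both of which host telemetry still exposes. In practice the relay host list should be derived from observed Teams client traffic rather than typed in, and the beaconing thresholds should be tuned against a period of known-clean data before alerting on them.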
Original source — read the full reporting at the publisher:
Read on The Hacker News