Hackers Weaponize Microsoft Teams Relay to Conceal Malware Traffic
Threat actors routinely exploit trusted cloud services to evade detection. Now, a newly uncovered campaign demonstrates how Microsoft Teams infrastructure can be weaponized to conceal malicious traffic.
According to the Symantec Threat Hunter Team, a new Go-based remote access Trojan (RAT) named Backdoor.TURN leverages Microsoft Teams TURN relay servers to disguise command-and-control (C2) communications as legitimate enterprise activity.
The campaign is linked to a DragonForce ransomware attack targeting a major U.S. services firm, during which attackers remained undetected for up to 2 months.
As reported by Symantec, instead of directly communicating with attacker-controlled infrastructure, the malware routes traffic through Microsoft’s own servers, making it appear as normal outbound connections to Teams services.
Backdoor.TURN operates by requesting an anonymous visitor token from Microsoft’s Skype-backed identity services.
As highlighted by Symantec researchers, the malware uses this token to authenticate with Teams infrastructure and establish a relay session via TURN servers.
Once the connection is established, it initiates a QUIC session with the real C2 server. This technique ensures that network defenders only observe traffic to legitimate Microsoft domains, effectively masking malicious activity.
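The detection opportunity in that flow is the process, not the destination: a TURN relay session to Microsoft's media infrastructure from anything other than the Teams client is the anomaly. The following is an added example (not Symantec's code or the article's) that applies that behavioural check to constructed egress log lines; the relay IP ranges, TURN ports and client allowlist are assumptions to be replaced with your organisation's resolved Teams endpoint data.

```python
import ipaddress
from collections import Counter

# ASSUMED placeholder relay ranges and TURN ports, not taken from the article.
# Replace with the Teams media relay ranges your organisation resolves from
# Microsoft's published endpoint list.
TEAMS_RELAY_NETS = [ipaddress.ip_network("52.112.0.0/14"),
                    ipaddress.ip_network("52.122.0.0/15")]
TURN_PORTS = {3478, 3479, 3480, 3481}

# Processes expected to open Teams relay sessions (assumed allowlist).
EXPECTED_CLIENTS = {"ms-teams.exe", "teams.exe"}

# Constructed sample egress log: "host process dst_ip dst_port proto".
SAMPLE_LOG = """\
ws01 ms-teams.exe 52.113.10.5 3478 udp
ws01 chrome.exe 142.250.74.46 443 tcp
srv07 DbgView64.exe 52.113.20.9 3478 udp
srv07 DbgView64.exe 52.113.20.9 3478 udp
ws02 ms-teams.exe 52.123.4.4 3480 udp
"""


def parse_line(line):
    host, proc, ip, port, proto = line.split()
    return {"host": host, "proc": proc.lower(), "ip": ipaddress.ip_address(ip),
            "port": int(port), "proto": proto.lower()}


def is_teams_relay(ev):
    """True when the flow looks like a TURN session to a Teams media relay."""
    in_relay_net = any(ev["ip"] in net for net in TEAMS_RELAY_NETS)
    return in_relay_net and ev["port"] in TURN_PORTS and ev["proto"] == "udp"


def find_suspicious_relay_clients(log_text):
    """Return {(host, process): flow_count} for processes outside the
    allowlist that open Teams relay sessions, e.g. a debugger binary."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if is_teams_relay(ev) and ev["proc"] not in EXPECTED_CLIENTS:
            hits[(ev["host"], ev["proc"])] += 1
    return dict(hits)
```

Run against real proxy or firewall logs, the same check also surfaces the token request stage if you key on the requesting process rather than the destination domain.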
The initial access vector remains unclear, but Symantec analysis suggests the attackers likely exploited an unknown SQL or MSSQL server vulnerability or obtained access through an initial access broker.

The intrusion began in December 2025, after which the attackers deployed a malicious ZIP archive containing a legitimate VirtualBox executable and a weaponized DLL.
Through DLL sideloading, malicious code was executed under a trusted process, enabling stealthy persistence. Following execution, the attackers carried out reconnaissance, credential harvesting, and lateral movement across the network.
They also modified firewall rules, created additional user accounts, and adjusted system settings to maintain long-term access. Symantec noted that these changes were designed to ensure resilience and uninterrupted C2 communication.
A key highlight of the campaign is its advanced defense evasion strategy. The attackers used a Bring Your Own Vulnerable Driver (BYOVD) technique to turn off security tools at the kernel level.
Notably, Symantec researchers observed a novel exploitation of the Huawei driver HWAuidoOs2Ec.sys, described as a “Havoc Process Terminator.”
Additional drivers linked to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 were also abused. The attackers further deployed a custom malicious driver, Abyss Worker, disguised as a legitimate Palo Alto driver, to terminate security processes.
The Backdoor.TURN payload was injected into the legitimate DbgView64.exe process and deployed after ransomware execution.
According to Symantec Threat Hunter Team, this suggests the malware may be used for persistence or to enable future access, potentially for resale to other threat actors.
The backdoor supports capabilities such as remote command execution, Active Directory enumeration, network scanning, credential theft, and lateral movement.
The technique is inspired by the “Ghost Calls” research presented at Black Hat 2025, which demonstrated how web conferencing platforms could be abused for covert communication.
However, Symantec emphasized that this is the first known real-world case of Microsoft Teams TURN relay infrastructure being used in this manner.
DragonForce, active since 2023 and tracked by Symantec as Hackledorb, has evolved into a highly structured and sophisticated threat group.
Its use of trusted cloud infrastructure combined with novel exploitation techniques highlights a growing trend in modern cyberattacks.
As noted by the Symantec Threat Hunter Team, blending malicious traffic with legitimate services significantly reduces defenders’ visibility, underscoring the need for behavioral detection and stricter controls over vulnerable drivers and enterprise communication platforms.