DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was

The report describes DragonForce ransomware operators using a custom Go-based RAT, Backdoor.Turn, to tunnel command-and-control traffic through legitimate Microsoft Teams TURN relay infrastructure, making malicious traffic appear as normal Teams connections.[1][2][9] Security products and defenders therefore primarily see outbound connections to trusted Microsoft Teams servers, complicating detection and response.[2][3] For CyberSE.AI, the key implication is that AI-enabled or collaboration-integrated SaaS environments (including AI copilots or bots embedded in Teams) are exposed to abuse of underlying SaaS transport and identity mechanisms for stealthy C2 and persistence; organizations need to harden network egress controls, SaaS logging, and identity protections around collaboration platforms before layering AI agents on top of them.