- Symantec confirms DragonForce ransomware operators used Microsoft Teams TURN relays for covert C2 traffic
- Go-based custom RAT “Backdoor.Turn” masked malicious activity as normal Teams communications
- First use in the wild of the “Ghost Calls” technique; the campaign shows highly sophisticated tradecraft and links to Scattered Spider
Experts have warned that cybercriminals are using Microsoft Teams relays as command and control (C2) infrastructure, blending malicious traffic with benign corporate communications.
In Microsoft Teams, a relay is a server that helps transport audio and video traffic when a direct connection between participants is not possible (for example, when they are on a corporate network or behind a firewall).
According to security researchers at Symantec, in December 2025, DragonForce ransomware operators targeted a major US services company, likely abusing an unknown flaw in a SQL or MSSQL server to gain a foothold in their target’s network and, among other things, deploying a custom backdoor malware called ‘Backdoor.Turn’.
Symantec says this backdoor abuses the Traversal Using Relays around NAT (TURN) protocol, a feature Teams uses when two (or more) participants cannot establish a direct connection. That way, defenders only see Teams traffic, which isn’t normally inspected.
BleepingComputer says this technique was first demonstrated in 2025 by Praetorian, who dubbed it “Ghost Calls”; however, this is the first time anyone has used it in the wild.
“Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams TURN relay servers to mask command and control traffic,” Symantec said.
Who is DragonForce?
DragonForce is an old group, by ransomware standards, first detected in 2023. It has been linked to the infamous Scattered Spider organization and, back in 2025, adopted a drug cartel model.
By offering a white label affiliate model, it allows others to use its infrastructure and malware while branding attacks under their own name. With this model, affiliates do not need to manage the infrastructure, and DragonForce takes care of trading sites, malware development, and data leak sites.
Symantec said the attackers running this campaign “use exceptionally sophisticated cyber techniques.” You can find a complete list of Indicators of Compromise (IoC) at this link.
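Because the relay destinations themselves look legitimate, one way to hunt for this behaviour is to check which process is talking to them. The sketch below is an added example, not Symantec's or Microsoft's code; the relay ranges and ports are assumed from Microsoft's published Microsoft 365 endpoint list, and the process allowlist, host names and events are constructed for illustration.

```python
import ipaddress

# Assumption: Teams media relay ranges/ports as published in Microsoft's
# Microsoft 365 endpoint list; refresh from that list before relying on them.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TURN_UDP_PORTS = range(3478, 3482)  # UDP 3478-3481

# Assumption: images expected to carry Teams media on a managed Windows host.
# A name match alone is spoofable; in production also check path and signer.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe", "msedge.exe", "chrome.exe"}

# Constructed process-to-network events (shape of an EDR or Sysmon Event ID 3 export).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "dst_ip": "52.113.10.20", "dst_port": 3478, "proto": "udp"},
    {"host": "SQL-02", "image": r"C:\ProgramData\svc\updater.exe",
     "dst_ip": "52.114.7.9", "dst_port": 3479, "proto": "udp"},
    {"host": "SQL-02", "image": r"C:\ProgramData\svc\updater.exe",
     "dst_ip": "52.114.7.9", "dst_port": 443, "proto": "tcp"},
    {"host": "WS-020", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "20.50.1.1", "dst_port": 443, "proto": "tcp"},
]

def is_teams_relay(ip, port, proto):
    """True if the flow targets a Teams relay range on a TURN port (UDP) or TLS fallback (TCP 443)."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in TEAMS_RELAY_NETS):
        return False
    return (proto == "udp" and port in TURN_UDP_PORTS) or (proto == "tcp" and port == 443)

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_unexpected_relay_clients(events):
    """Count relay-bound flows per (host, image) where the image is not an expected Teams client."""
    findings = {}
    for ev in events:
        if not is_teams_relay(ev["dst_ip"], ev["dst_port"], ev["proto"]):
            continue
        if image_name(ev["image"]) in EXPECTED_IMAGES:
            continue
        key = (ev["host"], ev["image"])
        findings[key] = findings.get(key, 0) + 1
    return findings

if __name__ == "__main__":
    for (host, image), count in find_unexpected_relay_clients(SAMPLE_EVENTS).items():
        print(f"{host}: {image} made {count} flow(s) to Teams relay ranges")
```

Any hit from a server that has no reason to run a Teams client, such as a database host, deserves priority triage.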





