The Innovation

DragonForce, the ransomware operation that has rapidly scaled through 2026, has introduced something genuinely new to the threat landscape: a custom Go-based remote access trojan called Backdoor.Turn — the first malware that uses Microsoft Teams TURN (Traversal Using Relays around NAT) relay servers as its command-and-control channel.

TURN relays are the infrastructure that carries legitimate Microsoft Teams video and audio calls. When two Teams users connect for a video meeting, the media traffic — the actual audio and video streams — routes through Microsoft’s globally distributed TURN relay servers. These are not edge cases or obscure services. They are the backbone of real-time communication for hundreds of millions of users worldwide.

Backdoor.Turn exploits this infrastructure by obtaining anonymous visitor tokens through Skype identity services — a legitimate authentication path that Microsoft provides so guest users can join Teams calls without a full organizational account. With these tokens in hand, the RAT establishes a TURN relay session and tunnels a QUIC connection through it back to the attacker’s actual C2 server. To any network monitoring tool inspecting the traffic, the C2 session is largely indistinguishable from legitimate Teams media traffic.

This is architecturally novel in a way that previous C2 innovations were not. Threat actors have used legitimate services for C2 before — Slack, Discord, Telegram, cloud storage APIs — but those channels were detectable because the traffic patterns differed from normal usage. A binary pulling commands from a Slack webhook every 30 seconds does not look like a human using Slack. A RAT uploading exfiltrated data to a Google Drive folder does not match typical user file-sync behavior. Network security tools could flag these anomalies because the protocol usage was correct but the behavior was wrong.

Backdoor.Turn eliminates that gap. The TURN relay protocol is designed to carry opaque media streams. The volume, timing, and packet characteristics of a C2 session match a legitimate media call because they use the same protocol in the same way. The traffic flows to Microsoft-owned IP ranges. The destination is trusted. The protocol is expected. The pattern is normal. The C2 is hiding inside the organization’s own collaboration infrastructure.

The Attack Chain

The DragonForce kill chain that leads to Backdoor.Turn deployment follows a four-stage sequence. Each stage uses known, documented techniques. Nothing in the attack chain is novel except the C2 channel itself — and that is precisely the point. Every stage generates alerts in a reasonably instrumented environment.

The DragonForce Kill Chain

  • SQL/MSSQL exploit: Initial access alert fires in database monitoring.
  • BYOVD (vulnerable signed driver): Endpoint protection tampering alert fires.
  • Lateral movement: Network/identity anomaly alerts fire.
  • Teams TURN C2: Network monitoring sees… a Teams call.

Why the C2 Channel Passes Inspection

The effectiveness of Backdoor.Turn’s C2 channel rests on a stack of architectural advantages that compound to make detection through conventional network monitoring effectively impossible.

Microsoft Teams TURN relay traffic uses standard STUN/TURN protocols on expected ports. These are the same protocols, on the same ports, that every legitimate Teams call in the organization uses. There is no protocol anomaly to flag. The traffic flows to Microsoft-owned IP ranges — IP blocks that are universally allowlisted in enterprise environments because blocking them would break Teams, Outlook, SharePoint, and the rest of the Microsoft 365 ecosystem. No network security team is going to blocklist Microsoft’s media relay infrastructure.

The volume and timing patterns match legitimate media sessions. A TURN relay session carrying C2 commands looks, at the packet level, like a TURN relay session carrying video. The anonymous visitor tokens that Backdoor.Turn uses to authenticate are a legitimate Teams feature — guest users join Teams calls this way every day in every organization that allows external collaboration. There is nothing anomalous about a new visitor token appearing on the network.

Network security tools that flag C2 based on destination reputation see a trusted Microsoft IP. Tools that flag based on protocol anomaly see standard STUN/TURN. Tools that flag based on traffic pattern analysis see what looks like a media session. Every layer of network-based C2 detection fails simultaneously — not because the tools are broken, but because the C2 traffic genuinely is what it appears to be at the network layer: a Teams media relay session.

The Structural Problem

Here is where the DragonForce kill chain becomes a SOC problem rather than a detection engineering problem.

The SQL exploitation fires a database alert. The BYOVD fires an endpoint alert. The lateral movement fires a network and identity alert. The C2 traffic looks normal. These alerts arrive in different queues, evaluated by different analysts (or different automation rules), at different times. In a SOC processing thousands of alerts daily, no single analyst sees all four signals.

No single alert is urgent enough to escalate on its own. The SQL exploitation alert gets triaged as a vulnerability finding — patch the database, move on. The BYOVD driver load is suspicious but the driver is signed. The lateral movement looks like admin activity within policy. Each alert, evaluated in isolation, has a reasonable benign explanation. Each gets closed or deprioritized.

The connection between an endpoint protection bypass on Day 1 and an identity anomaly on Day 3 and unusual credential patterns on Day 5 requires investigation that spans days and crosses telemetry boundaries. It requires an analyst — or a system — that asks: “Is the host where the BYOVD alert fired the same host where the SQL exploitation was reported three days ago? And is the account now moving laterally the same account that was active on that host?” In a high-volume alert environment, that question almost never gets asked. The alerts are already closed.

What Cross-Telemetry Correlation Catches

The DragonForce kill chain is not invisible. It is uninvestigated. A system capable of correlating across telemetry boundaries and across time would surface the attack at multiple points:

The Detection Math

  • SQL exploitation alert: triaged in database monitoring queue → low-severity, patching recommended.
  • BYOVD driver load: triaged in endpoint queue → suspicious but driver is signed.
  • Lateral movement: triaged in network queue → admin activity, within policy.
  • Teams TURN traffic: not flagged → legitimate Microsoft infrastructure.
  • Combined: a complete ransomware kill chain in progress.

Closing the Gap

This is the problem Intruex was built to solve.

AI agents investigate every alert by automatically correlating activity across endpoint, identity, and network telemetry sources — not just in the moment the alert fires, but over days and weeks of historical context. The quiet signals that DragonForce depends on SOCs evaluating in isolation get connected into a coherent attack narrative.

When the SQL exploitation alert fires, the investigation doesn’t stop at “patch the database.” It automatically checks for subsequent endpoint anomalies on the same host. It looks for identity changes — new accounts, new tokens, new authentication patterns — originating from that host. It examines network behavior shifts: new destinations, new protocols, new session patterns. It does this across the full environment, across the full telemetry surface, across the full time window.

When the BYOVD alert fires on the same host two days later, the investigation already has context. The alert is not triaged in isolation — it is triaged in the context of a host that was the target of a SQL exploitation attempt 48 hours prior. The severity escalation is automatic because the correlation is automatic.

No alert gets closed in 90 seconds with zero context. Every alert is investigated with the full weight of cross-telemetry correlation, historical enrichment, and behavioral analysis — the same investigation that a senior analyst would perform if they had unlimited time, unlimited access to every data source, and unlimited ability to remember what happened on every host last week.

The Core Question

If DragonForce exploited a database server in your environment tonight and established a C2 channel through your own Teams infrastructure over the next 72 hours — with each individual alert looking routine — how many days would pass before anyone connected the SQL exploitation, the driver tampering, and the anomalous Teams media sessions into a single investigation? If the answer is “we wouldn’t,” the ransomware deployment clock is already running.

Source: Symantec Threat Hunter Team analysis, June 2026