DragonForce, a ransomware gang known for aggressive double-extortion tactics, has escalated its operational sophistication by deploying a custom Go-based backdoor that conceals command-and-control (C2) traffic within legitimate Microsoft Teams communications, according to new research published by Symantec and Security Affairs on June 16 and 17, 2026. The malware, tracked as Backdoor.Turn, marks a significant evolution in stealth techniques, leveraging the ubiquitous collaboration platform to blend malicious activity into everyday enterprise traffic. Security researchers warn that this approach makes detection exceptionally difficult, as the encrypted, peer-to-peer nature of Teams relays provides an ideal cover for adversary operations.
DragonForce: From Brute Force to Stealth
First emerging in late 2025, DragonForce quickly gained notoriety for its high-profile attacks on healthcare and manufacturing organizations. Unlike early ransomware gangs that relied on spray-and-pray phishing, DragonForce invested heavily in initial access brokers and custom tooling. The group’s shift to a custom Go backdoor signals a maturation, prioritizing persistence and evasion over speed. Symantec’s Threat Hunter team documented that Backdoor.Turn is part of a broader campaign targeting Windows-based enterprises, with the malware compiled for x64 architectures and leveraging legitimate Microsoft Graph API calls to interact with Teams.
Go’s popularity among malware authors stems from its cross-compilation capabilities, strong networking libraries, and difficulty in reverse engineering compared to C# or Python payloads. Backdoor.Turn’s use of Go aligns with a broader industry trend observed in malware families like Zerologon-exploiting tools and ransomware such as Conti. The backdoor’s primary function is to fetch encrypted commands from attacker-controlled channels disguised as ordinary Teams chat messages or meeting metadata, making traditional network signatures useless.
Dissecting Backdoor.Turn: A Closer Look at the Custom Go Backdoor
Technical details from the Symantec report indicate that Backdoor.Turn establishes persistence through a combination of scheduled tasks and WMI event subscriptions—a common yet effective technique. On execution, it fingerprints the victim’s environment, collecting local and domain usernames, operating system version, installed security products, and active directory trust relationships. This reconnaissance data is then exfiltrated to the attackers before fetching the first C2 payload.
The backdoor’s C2 channel abuses two core Microsoft Teams features: chat message threading and live meeting relays. When a user in a compromised organization sends or receives a Teams message, Backdoor.Turn intercepts the process and injects small data chunks into the message feedback telemetry—metadata such as read receipts, typing indicators, or status updates. These telemetry packets travel through Microsoft’s global relay network, which uses a mesh of supernodes and NAT traversal techniques to facilitate peer-to-peer media sessions. Because the traffic is encrypted with TLS 1.3 and authenticated via Azure AD tokens, network inspection tools see only legitimate Teams flows.
Commands are wrapped in XOR-encrypted blobs with a fixed key derived from the compromised machine’s SID, ensuring each implant has a unique cipher stream. The backdoor supports a dozen commands, including file upload/download, shell execution, lateral movement via PSRemoting, and the ability to deploy secondary payloads like Cobalt Strike. Notably, the file transfer function uses the same Teams relay channel, chunking exfiltrated data into 4KB segments disguised as components of shared files. This not only circumvents DLP tools but also masks the data exfiltration as normal user activity.
The Abuse of Microsoft Teams Relays: A New Covert Channel
Microsoft Teams relies on a combination of cloud-hosted infrastructure and peer-to-peer connections for real-time communications. For Audio/Video and screen sharing, clients connect through central relays only when direct connectivity is blocked by firewalls or NATs. These relays—known as Microsoft Teams Transport Relays—are designed to ensure quality of service and low latency, and they relay media packets using SRTP encryption. Backdoor.Turn exploits a subtle design choice: the relay infrastructure does not deeply inspect the content of media packets if they are properly encrypted with a valid session token. By encoding C2 instructions into dummy media payloads that appear to be part of a fake voice or video call, the backdoor can communicate with its controllers without ever creating a TCP connection to a malicious IP.
The malicious media streams are not actual calls but synthetically crafted SRTP packets injected into the Teams process memory via process hollowing. This allows the backdoor to bypass both application-level controls and network intrusion detection systems that whitelist Teams traffic. Symantec researchers noted that the C2 sessions often mimic idle call behavior—sending keep-alive packets at intervals matching typical RTP timers—making anomaly detection from flow metadata alone nearly impossible.
One of the most concerning aspects is the backdoor’s ability to establish a persistent, low-bandwidth C2 channel even when the user is not actively in a Teams call. By exploiting background service threads that maintain connectivity for notifications and presence updates, Backdoor.Turn ensures continuous access for attackers to issue commands without raising alarms. This method resembles the living-off-the-land tactics seen in state-sponsored espionage, but now weaponized for financial extortion.
Detection Lessons and Challenges for Blue Teams
The Symantec and Security Affairs reports collectively outline several detection opportunities, but each requires significant logging granularity and behavioral analytics. Traditional indicators of compromise (IOCs) like domain names, IP addresses, or file hashes are largely ineffective because the backdoor uses legitimate infrastructure and its binaries are polymorphic, with each sample compiled with different Go build tags to alter code structures.
Behavioral detection hinges on identifying anomalies in Teams usage patterns. For instance, an endpoint that generates unusually high volumes of telemetry packets or SRTP keep-alive data outside of active calls may indicate injection. Similarly, process access patterns where an unknown executable manipulates memory in the Teams.exe process space should trigger alerts via Windows Defender for Endpoint or Sysmon. However, these signals are subtle and can be lost in the noise of a large enterprise with thousands of concurrent Teams users.
Symantec recommends that defenders focus on the following forensic artifacts:
- Process creation logs showing unsigned Go binaries executing from suspicious paths like %TEMP% or %PUBLIC%.
- WMI event subscriptions registered by non-standard processes.
- Unusual outbound connections to graph.microsoft.com (Microsoft Graph) that exceed typical Teams API usage, especially with file upload patterns inconsistent with the user's normal behavior.
- Changes to the Teams desktop configuration file, desktop-config.json, which stores custom settings, to disable certain security features or inject custom libraries.
Moreover, organizations should consider deploying Microsoft’s own Advanced Hunting queries for Microsoft 365 Defender that look for anomalous Graph API usage, such as high-volume search or file creation activities that deviate from a user’s baseline.
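As an added example (not code from the Symantec or Security Affairs reports), the following Python triages constructed, simplified Sysmon-style records for the four artifact classes listed above; the thresholds, allow-lists and shortened field names are assumptions for the example, not Sysmon's exact schema or tuning from the reports.

```python
from collections import Counter
# Assumed thresholds and allow-lists (tuning values, not from the reports).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")
WMI_HOSTS = {"c:\\windows\\system32\\wbem\\wmiprvse.exe"}
GRAPH_BASELINE = 2  # per-process graph.microsoft.com connections tolerated per window
# Constructed, simplified Sysmon-style records ("<EventID>|k=v;k=v"); field names
# are shortened for the example and are not Sysmon's exact schema.
SAMPLE_EVENTS = """\
1|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe;Signed=false
1|Image=C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe;Signed=true
20|Consumer=CommandLineEventConsumer;Image=C:\\Users\\Public\\svc.exe
20|Consumer=CommandLineEventConsumer;Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
10|SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe;TargetImage=C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe
10|SourceImage=C:\\Windows\\System32\\csrss.exe;TargetImage=C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe
3|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe;DestinationHostname=graph.microsoft.com
3|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe;DestinationHostname=graph.microsoft.com
3|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe;DestinationHostname=graph.microsoft.com
3|Image=C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe;DestinationHostname=graph.microsoft.com
"""

def parse(line):
    """Split one record into a dict keyed by field name, plus the integer EventID."""
    event_id, _, fields = line.partition("|")
    rec = {"EventID": int(event_id)}
    for kv in fields.split(";"):
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def triage(text):
    """Return (rule, subject) findings for the four artifact classes."""
    findings, graph_hits = [], Counter()
    for line in filter(None, text.splitlines()):
        r = parse(line)
        eid = r["EventID"]
        if eid == 1:  # process creation: unsigned image launched from a staging directory
            if r.get("Signed") == "false" and any(d in r["Image"].lower() for d in SUSPICIOUS_DIRS):
                findings.append(("unsigned_binary_suspicious_path", r["Image"]))
        elif eid == 20 and r["Image"].lower() not in WMI_HOSTS:  # WMI consumer registration
            findings.append(("wmi_subscription_nonstandard_process", r["Image"]))
        elif eid == 10 and r["TargetImage"].lower().endswith("\\teams.exe"):  # process access
            if not r["SourceImage"].lower().startswith(TRUSTED_PREFIXES):
                findings.append(("untrusted_access_to_teams_process", r["SourceImage"]))
        elif eid == 3 and r.get("DestinationHostname") == "graph.microsoft.com":  # network
            graph_hits[r["Image"]] += 1
    for img, n in graph_hits.items():  # volume check after the whole window is read
        if n > GRAPH_BASELINE:
            findings.append(("graph_api_volume_above_baseline", f"{img} ({n})"))
    return findings
```

In a real deployment the per-process Graph baseline would come from the user's historical activity rather than a constant, and the allow-lists would be populated from the organization's signed-software inventory.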
Windows-Specific Implications and Hardening
Backdoor.Turn is explicitly designed for Windows 10, Windows 11, and Windows Server environments, leveraging native APIs and the .NET runtime (via Go’s syscall compatibility) to minimize disk footprint. It often arrives as a second-stage payload following exploitation of a vulnerable internet-facing service, such as a VPN appliance or an unpatched Exchange server. Once inside, the backdoor escalates privileges using known Windows exploit kits, including PrintNightmare variations and the HiveNightmare/ServicingStackRights vulnerability, to gain SYSTEM-level access.
For Windows administrators, this incident underscores the importance of closing common attack vectors: timely patch management, disabling unnecessary services, and enforcing least-privilege access models. Specifically, organizations should:
- Implement Attack Surface Reduction (ASR) rules to block process creations originating from Office macros and to prevent Teams.exe from loading untrusted DLLs.
- Apply the Disable-DisableMsTeamsDllInjection group policy if not already enforced, which prevents third-party apps from injecting into Teams.
- Use Windows Defender Firewall with advanced security to limit outbound UDP traffic on standard Teams ports (3478, 3479, 3480, and 49152–65535) to only authorized applications and services.
- Enforce multi-factor authentication and conditional access policies that restrict Teams sign-ins to compliant, managed devices.
Additionally, since the backdoor abuses Graph API permissions, reviewing enterprise application consents and restricting delegated permissions like Group.ReadWrite.All, Files.ReadWrite.All, and TeamsActivity.Send is critical. Attackers often use these permissions to create hidden teams or channels for data exfiltration.
The Broader Threat Landscape: Ransomware and Collaboration Tools
DragonForce’s use of Teams as a C2 conduit is not entirely without precedent. In 2023, threat actors abused Slack webhooks for data exfiltration, and in early 2026, an APT group leveraged Zoom chat to smuggle commands. However, the depth of integration with Microsoft 365 and the use of custom SRTP traffic represent a quantum leap in stealth. It reflects a growing trend where ransomware operators pivot from the traditional “smash and grab” approach to a quieter, more persistent residency that maximizes the chance of successful data theft before encryption.
For the Windows ecosystem, this is a stark reminder that the collaborative tools meant to boost productivity can be turned against their users. Microsoft has been notified and has issued a preliminary advisory, stating that it is investigating the technique and that no product vulnerability has been identified, as the backdoor relies on legitimate functionality. The company emphasized that “abuse of the relay infrastructure is a violation of terms of service and that machine learning models are being tuned to detect such anomalies.” However, the burden remains on defenders to hunt for these threats proactively.
Future Outlook and Defensive Strategies
As ransomware groups continue to innovate, the line between commodity crimeware and advanced persistent threats blurs. Backdoor.Turn is likely a harbinger of similar implants that exploit other M365 services like SharePoint, OneDrive, or even the upcoming Microsoft Loop. Defenders must evolve their monitoring strategies to treat collaboration platforms as critical attack surfaces, not just as vectors for phishing.
Security teams should embrace the following strategic shifts:
- Zero Trust Network Architecture: Move away from trusting internal Teams traffic implicitly. Micro-segmentation and continuous verification of all endpoints, even those inside the corporate LAN, can limit lateral movement.
- AI-Powered Anomaly Detection: Invest in tools that build baseline behavioral profiles for M365 applications and alert on deviations, such as a sudden uptick in reading shared calendars or accessing files from unusual device types.
- Threat Hunting as a Service: For smaller organizations without dedicated SOCs, outsourcing proactive threat hunts that specifically target living-off-the-land techniques in collaboration tools may prove cost-effective.
- Employee Training: While social engineering is not the primary delivery mechanism here, educating users to report unusual Teams behavior (e.g., unexpected pop-ups, high CPU usage when idle) can provide early warnings.
Ultimately, the Backdoor.Turn discovery is a call to action for the entire security community. It demonstrates that attackers are willing to invest heavily in understanding the inner workings of widely used platforms and that no legitimate service is immune to misuse. For Windows users and administrators, staying ahead requires not only keeping systems updated but also rethinking how trust is applied to the applications that form the backbone of modern remote work.
Symantec’s Indicator of Compromise list and Yara rules are available to customers, while Security Affairs continues to update its technical analysis of the campaign. Organizations are urged to review their detection capabilities against these new TTPs immediately.