On June 16, 2026, cybersecurity firm Symantec reported a startling discovery: attackers behind the DragonForce ransomware operation have deployed a custom Go-based backdoor, dubbed Backdoor.Turn, which conceals its command-and-control (C2) communications within Microsoft Teams relay traffic. The revelation adds a troubling new dimension to an already sophisticated ransomware group, one that has repeatedly demonstrated an ability to weaponize legitimate cloud services to bypass traditional security controls.

DragonForce is no stranger to the cybersecurity community. The group has previously drawn attention for its use of Bring Your Own Vulnerable Driver (BYOVD) techniques, where attackers exploit signed but vulnerable drivers to gain kernel-level access on compromised systems. That tactic alone underscores the group’s technical sophistication and willingness to push boundaries. Now, with Backdoor.Turn, DragonForce appears to be doubling down on stealth, embedding its C2 channel deep inside the infrastructure of one of the world’s most widely used enterprise collaboration platforms.

What Is Backdoor.Turn?

Backdoor.Turn is a custom backdoor written in the Go programming language—a choice that offers several advantages to attackers. Go compiles to standalone binaries, making it easier to distribute and run across different Windows environments without dependency issues. Its growing popularity in the cybercriminal ecosystem is well documented; Go-based malware often evades signature-based detection due to its statically linked nature and the relative novelty of its runtime artifacts.

Symantec’s analysis reveals that Backdoor.Turn establishes a covert communication channel by hijacking the Microsoft Teams relay system. In a typical Teams deployment, relay servers handle media traffic—such as audio, video, and screen sharing—ensuring smooth peer-to-peer connectivity even across firewalls and NAT boundaries. By injecting its C2 traffic into this same relay stream, the backdoor effectively hides in plain sight. To network defenders, the traffic appears as routine Teams data, blending seamlessly with legitimate business communications.

This technique is particularly insidious because it exploits a trusted cloud service. Security tools that rely on domain reputation, IP blocklists, or application-layer inspection may not flag traffic destined for Microsoft’s Teams infrastructure. After all, Teams domains and IP ranges are almost universally allowed in corporate environments. By riding on that trust, DragonForce avoids the telltale signs that typically accompany C2 beacons—frequent connections to unknown servers, unusual ports, or self-signed certificates.

How the Attack Unfolds

While Symantec has not disclosed every technical detail—likely to prevent immediate copycat attacks—the broad strokes are clear. An initial infection vector delivers Backdoor.Turn onto a target machine. Once executed, the backdoor searches for an active Microsoft Teams session or initiates its own connection to the Teams service. It then encapsulates C2 commands inside the Teams relay protocol, using the same endpoints that the legitimate Teams client would use.

The backdoor can receive commands from operators and exfiltrate data. Commands might include standard reconnaissance (gather system information, list files, capture screenshots), lateral movement instructions, or the deployment of additional payloads—ultimately culminating in the encryption of files and a ransom demand, consistent with DragonForce’s established modus operandi.

Because the C2 channel is bidirectional and woven into real-time media traffic, it benefits from low latency and high reliability. Even if an organization monitors Teams traffic at the network level, distinguishing malicious relays from legitimate ones would require deep packet inspection and a thorough understanding of the Teams protocol—capabilities that most enterprises lack.

The Go Advantage for Attackers

The Go language has become a favorite among malware authors for several reasons. Its compiled binaries often trip fewer heuristic alarms than traditional C/C++ binaries, and its cross-compilation capabilities allow attackers to target Windows, Linux, and macOS with minimal effort. In the case of Backdoor.Turn, the use of Go likely contributed to its initial undetected spread. Additionally, Go’s rich standard library simplifies networking tasks, making it straightforward to implement the specific relay protocol encapsulation required to mimic Teams traffic.

DragonForce’s Track Record of Innovation

DragonForce emerged on the ransomware scene in recent years, quickly gaining notoriety for its aggressive campaigns against organizations in healthcare, finance, and critical infrastructure. The group’s hallmark has been its consistent adoption of advanced techniques. The BYOVD approach, for example, allows attackers to terminate endpoint detection and response (EDR) processes before deploying ransomware, dramatically increasing the likelihood of successful encryption.

Security researchers have observed DragonForce operators moving with speed and precision, often completing an entire attack chain within hours of gaining initial access. This “smash and grab” style, combined with novel evasion methods, has made the group one of the more challenging threats to counter. The introduction of Backdoor.Turn signals that the group is not resting on its laurels; instead, it is actively experimenting with new ways to maintain long-term, stealthy access to compromised environments.

The choice of Microsoft Teams is strategic. Teams has hundreds of millions of daily active users, and its traffic is encrypted and authenticated using industry-standard TLS. This provides a perfect camouflage. Moreover, Teams uses a variety of relay servers—some hosted by Microsoft, others by third-party providers—creating a complex mesh of connections that is difficult to baseline, let alone monitor for anomalies.

Implications for Enterprise Security

The Backdoor.Turn campaign underscores a broader shift in the threat landscape: attackers are increasingly abusing legitimate cloud services for C2. From using Google Drive or Dropbox for file exfiltration to leveraging Slack webhooks for command dispatch, the trend is unmistakable. What sets DragonForce apart is the depth of integration: by embedding inside the real-time communication layer of Teams, the group has reached a new level of obfuscation.

For defenders, the immediate lesson is that visibility into encrypted traffic is no longer a luxury—it is a necessity. Organizations must inspect not just the destination of network flows but also the behavior patterns within allowed services. Anomalous usage of Teams, such as unexpected data volumes during off-hours or connections to unusual relay endpoints, could be a red flag. However, implementing such monitoring without vendor-provided tooling is exceptionally difficult.

Microsoft has not yet issued a public statement regarding the Backdoor.Turn findings. It remains to be seen whether the company will introduce additional telemetry or inspection capabilities in Teams to help customers detect this type of abuse. In the meantime, security teams are left to rely on endpoint detection: monitoring for the presence of unknown Go binaries, unusual process injections into the Teams client, or attempts to load unsigned drivers (a technique often paired with BYOVD).

The Role of BYOVD in DragonForce Attacks

Though Backdoor.Turn is a standalone backdoor, it fits neatly into DragonForce’s broader toolkit. The group’s history with BYOVD drivers suggests a multi-pronged strategy: use a stealthy C2 channel to maintain access, then deploy vulnerable drivers to disable security software when ready to strike. By separating the C2 mechanism from the disruptive payload, attackers make it harder for incident responders to trace the full attack chain.

BYOVD attacks exploit the fact that Windows allows the installation of kernel drivers signed with valid certificates, even if those drivers contain known vulnerabilities. DragonForce has been observed using drivers from software products like CPU-Z or various hardware monitoring tools. Once loaded, these drivers grant the attacker the ability to interact directly with the kernel, bypassing user-mode protections and terminating security processes. The combination of a covert C2 tunnel and kernel-level access is a nightmare scenario for any security operations center.

Detection and Mitigation Strategies

Given the novel nature of Backdoor.Turn, signature-based detection is likely to fall short. Organizations should pivot to behavioral analytics and anomaly detection. Key indicators to watch for include:

  • Unexpected outbound connections from processes associated with Microsoft Teams to new or rarely contacted IP addresses within the Teams relay infrastructure.
  • The presence of Go-compiled binaries in temporary directories or being executed by non-standard parent processes.
  • Loaded drivers that are not part of the standard corporate image or that match known vulnerable driver hashes.
  • An increase in Teams media traffic during times when no meetings are scheduled.

Additionally, employing application control policies—such as Windows Defender Application Control (WDAC) or AppLocker—can help prevent the execution of untrusted Go binaries. Similarly, enforcing driver signing policies that go beyond the default and explicitly block known vulnerable drivers can stymie the BYOVD component of the attack.

Endpoint detection and response (EDR) solutions that provide visibility into process ancestry and network connections are invaluable. Analysts should hunt for processes that inject into the Teams client or that make network connections resembling Teams relay protocols but originating from unexpected sources. Threat intelligence feeds that include indicators of compromise (IOCs) for Backdoor.Turn should be integrated into security information and event management (SIEM) systems as soon as they become available.
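The following Python is an added example, not code from Symantec's analysis or from any DragonForce tooling: it applies the indicator list above and the process-ancestry hunting guidance to constructed EDR-style events. The relay range, process names, baseline driver list and driver hash are placeholders for an organization's own allow-lists, and the Go-binary check is a heuristic on build markers the Go toolchain embeds, not a definitive identification.

```python
import ipaddress
from datetime import datetime

# Constructed placeholders for a corporate allow-list: not Microsoft's real relay ranges or real hashes.
TEAMS_RELAY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
STANDARD_PARENTS = {"explorer.exe", "services.exe"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time
BASELINE_DRIVERS = {"disk.sys", "ntfs.sys", "tcpip.sys"}
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID: \"")  # Go build-info magic and build-ID string

def is_go_binary(image_bytes: bytes) -> bool:
    """True if the image carries a Go toolchain marker (cheap triage, not proof)."""
    return any(m in image_bytes for m in GO_MARKERS)

def check_event(ev: dict) -> list[str]:
    """Return the indicator names one EDR-style event trips (empty if none)."""
    hits = []
    if ev["type"] == "netconn":
        dst = ipaddress.ip_address(ev["dst"])
        if any(dst in net for net in TEAMS_RELAY_RANGES):
            if ev["process"].lower() not in TEAMS_PROCESSES:
                hits.append("relay range reached by non-Teams process")
            hour = datetime.fromisoformat(ev["ts"]).hour
            if hour not in BUSINESS_HOURS and not ev.get("meeting_scheduled"):
                hits.append("off-hours relay traffic with no scheduled meeting")
    elif ev["type"] == "process":
        odd_origin = "\\temp\\" in ev["image"].lower() or ev["parent"].lower() not in STANDARD_PARENTS
        if odd_origin and is_go_binary(ev["image_bytes"]):
            hits.append("Go binary from temp dir or non-standard parent")
    elif ev["type"] == "driver":
        if ev["name"].lower() not in BASELINE_DRIVERS or ev["sha256"] in VULNERABLE_DRIVER_HASHES:
            hits.append("driver outside corporate image or known vulnerable")
    return hits

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> tripped indicators, dropping events that trip none."""
    return {ev["id"]: h for ev in events if (h := check_event(ev))}

# Constructed sample telemetry: e1, e3 and e4 should be flagged, e2 and e5 not.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "netconn", "ts": "2026-06-16T03:12:00", "process": "svchost.exe", "dst": "203.0.113.25"},
    {"id": "e2", "type": "netconn", "ts": "2026-06-16T10:00:00", "process": "ms-teams.exe", "dst": "203.0.113.40", "meeting_scheduled": True},
    {"id": "e3", "type": "process", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe", "parent": "wscript.exe", "image_bytes": b"MZ...\xff Go buildinf:\x08\x02..."},
    {"id": "e4", "type": "driver", "name": "hwmon_constructed.sys", "sha256": "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"},
    {"id": "e5", "type": "driver", "name": "tcpip.sys", "sha256": "constructed-benign-hash"},
]
```

Feeding real EDR exports requires mapping their field names onto the keys used here; the logic stays the same.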

The Bigger Picture: Ransomware as a Business

DragonForce’s continued evolution reflects the commercial incentives driving ransomware operations. As cybersecurity defenses improve, attackers must innovate to maintain profitability. The shift to living-off-the-land techniques and abuse of trusted cloud services reduces the overhead associated with maintaining custom infrastructure and lowers the risk of disruption by law enforcement.

By using Microsoft Teams as a conduit, DragonForce not only hides its traffic but also potentially complicates attribution and takedown efforts. If the C2 traffic is indistinguishable from legitimate Teams use, even if a defender detects the backdoor, attributing the campaign to specific servers or operators becomes far more challenging. This builds resilience into the attackers’ operation and extends the lifespan of their campaigns.

The incident also raises questions about the shared responsibility model of cloud security. While Microsoft invests heavily in securing its infrastructure, the manner in which services like Teams can be abused often falls outside the provider’s direct control. Customers are responsible for monitoring their own usage and endpoints. This event may accelerate demand for more sophisticated cloud security posture management (CSPM) tools that can analyze SaaS application behavior for signs of compromise.

What’s Next for DragonForce and Defenders

Symantec’s disclosure will almost certainly trigger a wave of analysis from other security firms, and it’s likely that additional samples or variants of Backdoor.Turn will be uncovered. The Go-based backdoor may be adapted for other collaboration platforms like Slack or Zoom, given the common architectural patterns these services share.

Microsoft’s response will be critical. The company could implement anomaly detection heuristics on its relay servers, or it might provide customers with enhanced logging and alerting capabilities for unusual media session patterns. Until then, the onus is on enterprise defenders to assume that their Teams traffic could be harboring malicious content and to deploy compensating controls.

For their part, DragonForce operators are unlikely to stand still. History shows that when security researchers expose a technique, attackers quickly refine it or develop new ones. Defenders must treat this not as a one-off event but as a harbinger of a new wave of cloud-aware stealth tactics.

In the coming weeks, organizations should prioritize reviewing their Microsoft 365 audit logs, ensuring that Teams client versions are up to date, and educating users about the dangers of running unverified executables—still the most common vector for initial compromise. Penetration testing teams might also simulate Backdoor.Turn-like traffic to validate detection rules and response playbooks.

The discovery of Backdoor.Turn is a stark reminder that as the digital battlefield expands into the cloud, so too do the opportunities for creative attackers. DragonForce has once again demonstrated a willingness to exploit every nook and cranny of enterprise ecosystems, and the security community must remain equally creative in its defenses.