DragonForce Ransomware Abuses Microsoft Teams for Hidden Malicious Traffic
2026-06-18 12:34 | Severity: CRITICAL HIGH
Executive Summary (AI-generated)
Cybercriminals linked to the DragonForce ransomware group recently compromised a US services firm by abusing Microsoft Teams' relay infrastructure, using this setup to conceal their activity once inside the network. This marks a significant shift for these extortion groups, which previously relied on more traditional smash-and-grab attacks. The attackers also exploited three documented driver vulnerabilities, in Topaz Antifraud, Tower of Fantasy, and K7 Security Anti-Malware software. By leveraging a custom-built backdoor deployed alongside the DragonForce ransomware, they were able to keep their activity hidden inside trusted business traffic until it was time to deploy the malware. This attack highlights the evolving tactics used by these groups as they adapt to changing security measures.
Technical Mitigations (AI-generated)
* Implement a "Traffic Filtering" approach to monitor and block suspicious traffic patterns, including those that may be indicative of malicious activity.
* Utilize Network Segmentation and Isolation techniques to limit the spread of malware within an organization's network, making it more difficult for attackers to hide their malicious activities.
* Regularly update and patch Microsoft Teams relay infrastructure components, as well as any dependent software or services, to prevent exploitation of known vulnerabilities.
* Conduct regular security awareness training among employees on how to identify and report suspicious activity, including unusual traffic patterns or anomalies in Microsoft Teams communication.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Scattered Spider
Carbon, Havoc
CVE-2023-52271
CVE-2025-1055
CVE-2025-61155
Target & Sectors
Global Scope
defense
Incident Timeline
2025/06/16
Praetorian exploited Microsoft Teams' ability to hide malicious activity by hijacking temporary TURN credentials.
December 2025
The attackers used a new tool called Havoc Process Terminator to exploit a Huawei audio driver, specifically HWAudioOs2Ec.sys.
source_region
United States
The researchers said this “appears to be the first malware family to abuse the TURN relay infrastructure in this way.”
How the attackers gained access
The attackers gained an initial foothold in the US company’s network in December 2025.
organisation
DragonForce
DragonForce attacks
The attack, observed in December 2025, began likely with the exploitation of an unknown flaw in an SQL or MSSQL server, Symantec notes.
As a next step, according to the company's blog post, the attackers stole confidential files and encrypted systems using DragonForce ransomware.
organisation
SQL
Researchers said the intrusion most likely began with the exploitation of an unknown vulnerability in an SQL or MSSQL server, although they also noted that access may have been purchased from an initial access broker.
Bypassing defences and deploying ransomware
The attackers remained inside the company’s network for one to two months before deploying ransomware.
vulnerability
CVE-2023-52271
They also exploited three documented driver vulnerabilities: CVE-2023-52271 in Topaz Antifraud, CVE-2025-61155 in Tower of Fantasy, and CVE-2025-1055 in K7 Security Anti-Malware.
organisation
DLL
After gaining access, the attackers used DLL sideloading to execute malicious code.
organisation
VirtualBox
In this case, they abused a legitimate VirtualBox executable to load a malicious DLL, allowing the malware to run through a trusted process and avoid immediate detection.
organisation
Huawei
Researchers said the attackers used a new tool called Havoc Process Terminator to exploit a Huawei audio driver, tracked as HWAudioOs2Ec.sys.
organisation
Palo Alto Networks
In addition, they used Abyss Worker, a malicious driver that masqueraded as a Palo Alto Networks security component.
organisation
Shane Barney
Shane Barney, Chief Information Security Officer at Keeper Security, emphasised the danger of implicit corporate trust.
2026/06/18
The group used Microsoft Teams to hide their malware activity while targeting victims.
tactic
Ransomware
The researchers also described the group as one of the most capable and persistent ransomware operations active today.
2026/06/18
The attackers used Microsoft Teams relays to hide malicious traffic by obtaining anonymous visitor tokens and using legitimate servers for routing.
organisation
Microsoft Teams
Cybercriminals linked to the DragonForce ransomware group recently compromised a US services firm and concealed their malicious traffic by abusing Microsoft Teams’ relay infrastructure.
Ransomware gang abuses Microsoft Teams relays to hide malicious traffic.
threat_actor
Scattered Spider
DragonForce is a ransomware operation, active since at least 2023, that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.
organisation
Broadcom’s Symantec
According to research from Broadcom’s Symantec and Carbon Black threat hunter teams, the attackers used a newly identified, custom-built backdoor to keep their activity hidden inside trusted business traffic.
organisation
CVE-2023-52271
Next, they used BYOVD techniques with multiple drivers such as Huawei’s HWAudioOs2Ec.sys, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys.
organisation
Microsoft
Turn first obtains an anonymous Microsoft Teams visitor token, then uses Microsoft’s TURN relay infrastructure to route traffic through legitimate Microsoft servers before connecting to the attackers’ command-and-control server.
organisation
DLL
Once the attacker established a foothold, they downloaded a ZIP archive containing a legitimate VirtualBox/DbgView executable and a malicious DLL file used for sideloading.
organisation
Huawei’s HWAudioOs2Ec.sys
The researchers also highlight the exploitation of Huawei’s HWAudioOs2Ec.sys driver ("Havoc Process Terminator"), which is used for evasion in Bring Your Own Vulnerable Driver (BYOVD) tactics.
infrastructure
Windows
At this stage, the attacker strengthened their persistence, created rogue users, abused the LimitBlankPassword security policy in Windows for easy access, and modified firewall rules.
organisation
NAT
The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
organisation
Teams' TURN
Turn abuses Teams' TURN infrastructure by obtaining an anonymous Teams visitor token, using a legitimate Microsoft TURN relay during connection setup, and then connecting to the attacker's command-and-control (C2) server.
organisation
Microsoft Teams TURN
Turn is the first known in-the-wild malware to abuse Microsoft Teams TURN relays for command-and-control communications.
organisation
Microsoft Teams'
“Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic,” Symantec says.
organisation
ABYSSWORKER
The hacker also used ABYSSWORKER, a custom malicious driver masquerading as a legitimate Palo Alto driver.
organisation
LDAP/Active Directory
Its capabilities include command execution, process creation, network scanning, TLS certificate capturing, LDAP/Active Directory searching, website title collection, and browser credential theft.
Tactical Metrics
infrastructure
Windows
Affected Product
Intelligence Sources
BleepingComputer
2026-06-16
HackRead
2026-06-18
Incident Version History
Last Updated: 2026-06-29T06:04
Comprehensive Tactical Telemetry
Highly Correlated Entities
29x organisation (Identified Entity): Microsoft Teams
4x timeline (Temporal Reference): December 2025
3x tactic (Cyber Operation Type): Ransomware
3x vulnerability (Exploited CVE): CVE-2023-52271
2x malware (Malware Payload): Carbon
2x general metric: 54%
Contextual Telemetry (Context Block, 7 metrics)
source region (Origin Country): United States
industry (Targeted Sector): Defense
attribution (Attributing Entity): Threat Intelligence Security
tactic (MITRE ATT&CK Technique): T1588.001 - Malware
general metric (CVE): CVE-2023-52271
threat actor (APT Group): Scattered Spider
infrastructure (Affected Product): Windows