How DragonForce Weaponized Microsoft Teams to Outlast Its Own Ransomware


In a recent attack, threat actors compromised a U.S. services firm's network using tactics not seen before this incident. The attackers' initial access was traced to an unidentified vulnerability in an SQL or MSSQL server, although analysis of the incident also raises the possibility that the network access was bought outright from a criminal access broker. The intrusion began quietly in December 2025, and the attackers seemed to be in no rush, lingering within the targeted network for one to two months.

Building a Foothold That Doesn't Look Like One

Once the attackers had gained access to the victim network, they downloaded a .zip archive carrying a legitimate VirtualBox/DbgView executable paired with a malicious sideloaded DLL, vboxrt.dll. When the executable runs and loads this DLL, the DLL fetches further malicious code from a list of servers; that code is then used for various ends, including securing access, carrying out reconnaissance, and evading detection by security measures.

DLL hijacking of the VirtualBox application lets attackers execute code under the cover of a trusted, signed process. This allows the attack to slip past security monitoring tools and achieve code execution with privileged access.

Tampering with systems inside the targeted network, such as enabling blank-password access and creating new user accounts, gives the attackers multiple paths back in. They also quietly changed firewall rules on the network so that command-and-control (C2) traffic could flow unhindered.
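The sideloading pattern described in this section (a signed executable dropped into an attacker-chosen directory alongside a malicious DLL of the expected name) leaves a recognisable trace in image-load telemetry. The following is an added detection example, not code from the article or from any vendor's analysis of the incident. It works over simplified, constructed records modelled on Sysmon Event ID 7 fields (Image, ImageLoaded, Signature); the process signer is assumed to have been joined in from the executable's own image-load event, the executable name `vbox_host.exe` is a placeholder for the legitimate VirtualBox binary, and the signer strings are constructed.

```python
"""Flag likely DLL sideloading in Sysmon-style image-load records (Event ID 7).

Added example. Record fields are a simplified, constructed version of Sysmon's
Image/ImageLoaded/Signature fields; the process signer is assumed to have been
joined in from the executable's own image-load event.
"""
from dataclasses import dataclass
import ntpath

# Directories where a DLL sitting next to its executable is expected and not
# itself suspicious. Tune for the estate being monitored.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class ImageLoad:
    image: str          # process executable (Sysmon "Image")
    image_loaded: str   # DLL that was mapped (Sysmon "ImageLoaded")
    image_signer: str   # signer of the process executable, "" if unsigned
    dll_signer: str     # signer of the DLL (Sysmon "Signature"), "" if unsigned


def _parent_dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path.lower()) + "\\"


def in_trusted_dir(path: str) -> bool:
    return _parent_dir(path).startswith(TRUSTED_DIRS)


def sideload_findings(ev: ImageLoad) -> list[str]:
    """Return reasons this image load looks like sideloading (empty if benign).

    Only loads where the DLL sits in the executable's own directory, and that
    directory is outside the standard install paths, are examined. Loads of
    DLLs from elsewhere (System32, etc.) are left alone.
    """
    findings: list[str] = []
    same_dir = _parent_dir(ev.image) == _parent_dir(ev.image_loaded)
    if not same_dir or in_trusted_dir(ev.image):
        return findings
    if not ev.dll_signer:
        findings.append("unsigned DLL loaded from the executable's own directory "
                        "outside standard install paths")
    elif ev.dll_signer != ev.image_signer:
        findings.append(f"DLL signer '{ev.dll_signer}' differs from process signer "
                        f"'{ev.image_signer}'")
    return findings


def scan(events: list[ImageLoad]) -> list[tuple[str, str]]:
    """Run the check over a batch of events; returns (dll path, reason) pairs."""
    return [(ev.image_loaded, reason) for ev in events for reason in sideload_findings(ev)]


# Constructed sample events. "vbox_host.exe" is a placeholder name for the
# legitimate signed VirtualBox executable; the real binary name is not given here.
SAMPLE_EVENTS = [
    # Normal: VirtualBox loading its own runtime DLL from its install directory.
    ImageLoad(r"C:\Program Files\Oracle\VirtualBox\vbox_host.exe",
              r"C:\Program Files\Oracle\VirtualBox\vboxrt.dll",
              "Oracle Corporation", "Oracle Corporation"),
    # Sideload: the same signed executable dropped into a user-writable
    # directory next to an unsigned vboxrt.dll.
    ImageLoad(r"C:\Users\Public\Tools\vbox_host.exe",
              r"C:\Users\Public\Tools\vboxrt.dll",
              "Oracle Corporation", ""),
    # Sideload variant: the DLL carries a signature, but from a different signer.
    ImageLoad(r"C:\Users\Public\Tools\vbox_host.exe",
              r"C:\Users\Public\Tools\vboxrt.dll",
              "Oracle Corporation", "Constructed Signer Ltd"),
    # Normal: the relocated executable loading a system DLL from System32.
    ImageLoad(r"C:\Users\Public\Tools\vbox_host.exe",
              r"C:\Windows\System32\kernel32.dll",
              "Oracle Corporation", "Microsoft Windows"),
]

if __name__ == "__main__":
    for dll, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {dll}: {reason}")
```

The rule deliberately keys on the relationship between the DLL and the process that loaded it rather than on the file name alone, because the technique relies on a legitimate file name; a signer mismatch or a missing signature in a user-writable directory is what separates the sideload from the vendor's own install.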

Disarming the House From the Inside

The perpetrators of this attack used a Bring Your Own Vulnerable Driver (BYOVD) approach, abusing four separate signed drivers to gain kernel-level access. A previously undocumented flaw in a Huawei driver was weaponized as a novel "Havoc Process Terminator," a technique unseen in the wild before this incident. The driver has since been documented as vulnerable by researchers.

The attack also exploits three other known vulnerabilities in security and gaming-related drivers (CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055) for the same purpose. It additionally uses the Abyss Worker driver, a custom malicious driver that impersonates Palo Alto software, a layer rarely seen even in sophisticated attacks.

The Payload Lands, But the Story Doesn't End

After the attackers conducted reconnaissance and evaded and disabled defenses, they deployed DragonForce ransomware to encrypt targeted systems. The data encryption was accompanied by exfiltration, effectively doubling the pressure placed on the victim. Finally, rather than leaving the network, the threat actors went on to install a new custom backdoor after the ransomware had finished its work.

A Backdoor That Speaks Fluent Teams

A new Go-based remote access backdoor, dubbed Backdoor.TURN, is the most notable aspect of this attack. After installation on targeted machines, it requests an anonymous Teams visitor token from Microsoft's Skype-backed identity service. A legitimate Microsoft TURN relay server is then used to establish the connection, which masks the true destination of the traffic.

The attackers then run a QUIC session to their real C2 server, with the connection hidden behind the Microsoft TURN relay. This technique is the first known abuse of TURN relay infrastructure for malware C2 spotted in the wild. This campaign highlights the ongoing evolution of the threat landscape and threat actors’ dedication to developing more sophisticated attacks.
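Because the C2 channel described above terminates on legitimate Microsoft relay infrastructure, blocking or alerting on the destination alone is not workable. The distinguishing signal is which process opens the relay session and in what context. The following is an added detection example, not code from the article or from any vendor's analysis of the incident. It runs over simplified, constructed records modelled on Sysmon Event ID 3 (network connection) fields. The relay address ranges and ports are assumed stand-ins for Microsoft's published Teams media endpoints and should be loaded from that list in practice; the Teams client allowlist and every sample path, account and address are constructed assumptions to tune per estate.

```python
"""Flag TURN relay connections from processes that are not the Teams client.

Added example. The relay ranges and ports below are assumed values standing in
for Microsoft's published Teams media endpoints and should be loaded from that
list; the process allowlist is likewise an assumption to tune per estate.
Records mimic Sysmon Event ID 3 (network connection) fields in simplified form.
"""
import ipaddress
import ntpath
from dataclasses import dataclass
from typing import Optional

RELAY_NETS = [ipaddress.ip_network(n)
              for n in ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]  # assumed
RELAY_PORTS = {3478, 3479, 3480, 3481, 443}    # STUN/TURN, plus TLS/QUIC on 443 (assumed)
TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}   # assumed Teams client binaries
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}


@dataclass
class NetConn:
    image: str      # process executable that opened the connection
    user: str       # security principal the process runs as
    protocol: str   # "udp" or "tcp"
    dst_ip: str
    dst_port: int


def is_relay_destination(ip: str, port: int) -> bool:
    """True when the destination falls inside the relay ranges on a relay port."""
    addr = ipaddress.ip_address(ip)
    return port in RELAY_PORTS and any(addr in net for net in RELAY_NETS)


def classify(conn: NetConn) -> Optional[str]:
    """Return an alert reason, or None when the connection is expected.

    A relay session from an allowlisted Teams binary is normal. Anything else
    reaching a Teams media relay is flagged, with extra weight when the process
    runs as a service account, since an interactive Teams client does not.
    """
    if not is_relay_destination(conn.dst_ip, conn.dst_port):
        return None
    if ntpath.basename(conn.image).lower() in TEAMS_IMAGES:
        return None
    reason = (f"{conn.image} is not an allowlisted Teams client but is talking "
              f"to a Teams media relay ({conn.protocol} {conn.dst_ip}:{conn.dst_port})")
    if conn.user.lower() in SERVICE_ACCOUNTS:
        reason += "; it runs as a service account, which an interactive Teams client does not"
    return reason


def alerts(conns: list[NetConn]) -> list[str]:
    """Classify a batch of connections and return only the alert reasons."""
    return [r for r in (classify(c) for c in conns) if r]


# Constructed sample connections; paths, accounts and addresses are made up.
SAMPLE_CONNS = [
    # Expected: the Teams client itself negotiating media through a relay.
    NetConn(r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe", r"CORP\jdoe",
            "udp", "52.112.10.5", 3478),
    # Suspicious: a SYSTEM-level service binary opening a relay session.
    NetConn(r"C:\ProgramData\svc\updater.exe", r"NT AUTHORITY\SYSTEM",
            "udp", "52.112.10.5", 3478),
    # Not relay traffic at all: ordinary HTTPS from the same binary is ignored here.
    NetConn(r"C:\ProgramData\svc\updater.exe", r"NT AUTHORITY\SYSTEM",
            "tcp", "93.184.216.34", 443),
    # Suspicious: an unknown user-context binary using UDP 443 (QUIC) to a relay range.
    NetConn(r"C:\Users\jdoe\AppData\Local\Temp\helper.exe", r"CORP\jdoe",
            "udp", "13.107.70.9", 443),
]

if __name__ == "__main__":
    for reason in alerts(SAMPLE_CONNS):
        print("ALERT", reason)
```

Process-to-destination pairing of this kind is the practical counter to collaboration-platform relays being used as cover: the relay must remain reachable for the real client, so the allowlist of binaries (and the accounts they normally run under) carries the detection.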

What the Backdoor Was Built to Do

The backdoor used in this campaign was designed to carry out a wide range of malicious activity. Attackers used it to achieve full hands-on-keyboard control through remote command execution and process creation. They used network scanning and LDAP/Active Directory mapping to support deeper reconnaissance efforts post-ransomware. The backdoor also enabled credential-based lateral movement and browser credential theft, suggesting preparation for a second intrusion or resale of access.

Being able to carry out this extensive activity under the cover of legitimate processes enables attackers to obtain significant access with which they can cause extreme damage. “This evasion grants threat actors network access,” says Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). “The resulting damage includes system compromise. Attackers use this channel to execute commands, map network directories, steal user credentials, and exfiltrate data without triggering alerts.”

A Cartel, Not a Crew

DragonForce ransomware has evolved from a standard ransomware-as-a-service model into a more formalized, cartel-like structure. This campaign, pairing a zero-day evasion technique with a novel C2 channel, signals a level of resourcing that is unusually deep among similar attacks. This case reframes post-ransomware activity as a defender blind spot, as trusted collaboration platforms are now being shown to double as covert infrastructure in attacks in the wild.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.