A Go-based backdoor dubbed Backdoor.Turn is being deployed by the DragonForce ransomware group, which now routes command-and-control (C2) traffic through Microsoft Teams relay servers. The technique hides malicious traffic inside legitimate Microsoft infrastructure, making detection by traditional network controls difficult. Meanwhile, CISA has added several critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including flaws in Cisco Catalyst SD-WAN Manager, the LiteSpeed cPanel Plugin, and Widget Factory's Joomla Content Editor, with binding patch deadlines for federal agencies and the same urgency for critical infrastructure. Ransomware groups building custom, evasive C2 channels while continuing to exploit known vulnerabilities demands both behavior-based threat detection and rigorous patch management.
What Happened
The DragonForce ransomware group has been observed deploying Backdoor.Turn, a custom Go-based backdoor that abuses Microsoft Teams relay servers for C2 communications, as reported by SecurityWeek. Because the C2 traffic rides on normal Teams network activity, it is significantly harder to pick out. The intrusion, identified by Broadcom's Symantec and Carbon Black threat hunter teams, targeted a US services firm; initial access was likely gained through an as-yet-unidentified vulnerability in an SQL or MSSQL server. The group entered the victim network in December 2025, used DLL sideloading for code execution, established persistence, and carried out extensive reconnaissance before deploying Backdoor.Turn. The malware first acquires an anonymous Teams visitor token from Microsoft's Skype-backed identity services, then routes its C2 traffic through a legitimate Microsoft TURN (Traversal Using Relays around NAT) relay to establish a QUIC session with the attacker's actual C2 server. Researchers called this a notable evolution: it is "relatively unusual to see ransomware attackers using their own custom tools, and it is particularly unusual to see them using a custom tool as sophisticated as Backdoor.Turn."
In parallel, CISA updated its Known Exploited Vulnerabilities (KEV) Catalog with several critical entries. These include CVE-2026-20262, a Cisco Catalyst SD-WAN Manager directory or path traversal vulnerability, and CVE-2026-54420, a LiteSpeed cPanel Plugin UNIX symbolic link following vulnerability, both added on June 15, 2026. CVE-2026-48907, a Widget Factory Joomla Content Editor improper access control vulnerability, followed on June 16, 2026. Google also released an emergency update for CVE-2026-11645, a high-severity Chrome V8 JavaScript engine zero-day and the fifth Chrome zero-day exploited this year, as detailed by socprime. Microsoft acknowledged it is working on a patch for CVE-2026-50656, a local elevation of privilege zero-day in Microsoft Defender publicly disclosed by the researcher 'Nightmare Eclipse', according to HelpNetSecurity. Separately, Evanston Township High School in Illinois was hit by what BleepingComputer reports as a ransomware incident that forced the school to close and disrupted its systems; the school has not confirmed the nature or extent of the disruption or named the ransomware group involved.
Why It Matters
DragonForce's use of Microsoft Teams relay servers for C2 sidesteps perimeter defenses that rely on whitelisting legitimate services. By piggybacking on Microsoft's trusted infrastructure, Backdoor.Turn makes malicious traffic hard to separate from benign traffic, and that is a significant blind spot for many organizations: most security teams do not scrutinize encrypted Teams traffic for anomalous C2 patterns because it is assumed safe. Worse, flow logs show only a connection from the victim host to a Microsoft relay; the attacker's own server never appears as a destination.
The simultaneous addition of multiple CVEs to CISA's KEV Catalog confirms active exploitation in the wild. For federal agencies the patching deadlines are binding; every other organization running these systems faces the same exposure without the mandate. The steady stream of browser and endpoint zero-days, such as CVE-2026-11645 in Chrome and CVE-2026-50656 in Defender, keeps security teams under constant pressure to patch and to monitor for emerging threats. Keeping up requires a shift from reactive patching to proactive, deep inspection across all network layers, including traffic to trusted applications.
Affected Scope & Remediation
Organizations relying on Microsoft Teams for communication are implicitly within the potential scope of DragonForce's new C2 technique, as the abuse leverages legitimate functionality. While Microsoft Teams itself isn't vulnerable, the traffic it generates can be weaponized to hide C2. This means any enterprise using Teams needs to rethink how they monitor internal and egress traffic. For the KEVs, organizations running affected Cisco, LiteSpeed, or Joomla components are immediately exposed to active exploitation.
To counter Backdoor.Turn, recognize that firewalls and proxies which simply permit traffic to legitimate Microsoft Teams domains will not prevent compromise: the relay endpoint the malware talks to genuinely belongs to Microsoft, so the attacker's server never shows up in flow or proxy logs. Detection therefore has to come from the endpoint and from correlation. Use endpoint detection and response (EDR) telemetry to catch the Go-based backdoor's execution and surrounding activity regardless of the C2 channel: anomalous process behavior, DLL sideloading, and persistence mechanisms. On the network side, correlate TURN sessions (UDP/TCP 3478 and Microsoft's published relay ranges) with the originating host and process. TURN allocations from a process other than the Teams client, relay sessions on hosts where Teams is not installed or no meeting is in progress, and unusually long-lived relay sessions are the anomalies worth hunting. Requests for anonymous Teams visitor tokens from non-Teams processes are a further endpoint-side signal.
For the CISA KEVs, patch immediately:
- CVE-2026-20262: Cisco Catalyst SD-WAN Manager users must apply the latest security updates. The federal patch due date is June 30, 2026.
- CVE-2026-54420: LiteSpeed cPanel Plugin users should update their plugins to the latest secure versions. The federal patch due date is June 30, 2026.
- CVE-2026-48907: Joomla Widget Factory users need to apply the specific patch addressing improper access control. The federal patch due date is July 1, 2026.
- CVE-2026-11645: Chrome users should update to the latest stable version immediately. This typically happens automatically, but a manual check is always wise.
- CVE-2026-50656: While Microsoft is still working on a patch, monitor official Microsoft advisories closely and ensure Microsoft Defender is configured for automatic updates. Consider temporarily implementing additional endpoint monitoring for unusual Defender process activity or privilege escalation attempts until a patch is released.
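The KEV due dates above only matter if they are joined against what is actually deployed. The following script is an added example, not CVEDaily's or CISA's code: it reads a feed excerpt in the shape of CISA's public known_exploited_vulnerabilities.json, matches it against a small asset inventory, and reports days to deadline and overdue status. The feed excerpt and the inventory are constructed from the entries named in this article; the vendorProject/product split for each CVE is an assumption, as the real feed's wording may differ.

```python
"""Match an asset inventory against a CISA KEV JSON excerpt and compute patch deadlines.
Added example; the feed excerpt and inventory below are constructed, and the
vendorProject/product strings are assumptions modelled on the KEV JSON schema."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({  # constructed excerpt in the shape of known_exploited_vulnerabilities.json
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-20262", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "vulnerabilityName": "Cisco Catalyst SD-WAN Manager Path Traversal Vulnerability",
         "dateAdded": "2026-06-15", "dueDate": "2026-06-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-54420", "vendorProject": "LiteSpeed", "product": "cPanel Plugin",
         "vulnerabilityName": "LiteSpeed cPanel Plugin UNIX Symbolic Link Following Vulnerability",
         "dateAdded": "2026-06-15", "dueDate": "2026-06-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-48907", "vendorProject": "Widget Factory", "product": "Joomla Content Editor",
         "vulnerabilityName": "Widget Factory Joomla Content Editor Improper Access Control Vulnerability",
         "dateAdded": "2026-06-16", "dueDate": "2026-07-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

INVENTORY = [  # constructed asset records, as a CMDB export might provide them
    {"host": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager 20.x"},
    {"host": "web-cms-02", "vendor": "Widget Factory", "product": "JCE Joomla Content Editor"},
    {"host": "mail-01", "vendor": "Exim", "product": "Exim MTA"},
]


def _norm(s):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(s.lower().split())


def matches(entry, asset):
    """Vendor must match exactly; the KEV product name must appear in the inventory product string."""
    return _norm(entry["vendorProject"]) == _norm(asset["vendor"]) and _norm(entry["product"]) in _norm(asset["product"])


def triage(kev_json, inventory, today):
    """Return one finding per (asset, KEV entry) pair, soonest deadline first."""
    feed = json.loads(kev_json)
    findings = []
    for entry in feed["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if matches(entry, asset):
                findings.append({
                    "host": asset["host"], "cve": entry["cveID"], "due": entry["dueDate"],
                    "days_left": (due - today).days, "overdue": today > due,
                    "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
                })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:14} {f['cve']:16} due {f['due']}  {state}")
```

The join is deliberately strict on vendor and loose on product so that a version suffix in the inventory does not hide a match; the LiteSpeed entry produces no finding because nothing in the sample inventory runs it, which is the correct outcome rather than a gap.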
Here's a summary of affected software and remediation actions:
| Product | Affected Versions | Remediation |
|---|---|---|
| Cisco Catalyst SD-WAN Manager | Unpatched versions affected by CVE-2026-20262 | Apply Cisco's latest security update (federal due date June 30, 2026) |
| LiteSpeed cPanel Plugin | Unpatched versions affected by CVE-2026-54420 | Update to the vendor's latest release (federal due date June 30, 2026) |
| Widget Factory Joomla Content Editor | Unpatched versions affected by CVE-2026-48907 | Apply the vendor's access-control fix (federal due date July 1, 2026) |
| Google Chrome | Stable releases predating the CVE-2026-11645 V8 fix | Update to the current stable release listed in Google's release notes |
| Microsoft Defender | Versions susceptible to CVE-2026-50656 | Awaiting vendor patch; keep automatic updates on and monitor Microsoft advisories |

Patch Links:
- CVE-2026-20262 NVD Entry | CISA KEV Entry
- CVE-2026-54420 NVD Entry | CISA KEV Entry
- CVE-2026-48907 NVD Entry | CISA KEV Entry
- CVE-2026-11645 NVD Entry | Google Chrome Release Notes (refer to socprime for context)
- CVE-2026-50656 NVD Entry | Microsoft Advisory (expected soon, refer to HelpNetSecurity for context)

Technical Breakdown
Backdoor.Turn turns a legitimate service into a covert communications channel. Instead of connecting directly to a suspicious IP, it uses Microsoft Teams' existing infrastructure as a relay. The malware first acquires an anonymous Teams visitor token from Microsoft's identity services; this token authenticates it as a legitimate, albeit unprivileged, Teams client. Then, instead of joining a call, it uses a Microsoft TURN relay server, a component designed to carry real-time media for clients stuck behind NAT. TURN relays UDP datagrams between a client and a peer, and QUIC runs over UDP, so a QUIC session to the attacker's server fits through the relay without modification. The victim host therefore only ever talks to a Microsoft relay address, while the attacker's C2 server sits on the far side of the relay and never appears in the victim's flow logs. The result looks like legitimate Teams media traffic and bypasses network controls that would otherwise block unknown or suspicious outbound connections.
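Because the attacker's server is hidden behind the relay, the detectable artefact is the TURN exchange itself and the process that performs it. The script below is an added example, not the researchers' or CVEDaily's code, and it generalizes beyond this incident to any TURN-relay abuse: it parses STUN/TURN framing (RFC 5389/5766 message types, attributes and ChannelData frames) and flags relay allocation or relay data from a process that is not a known real-time-media client. The telemetry records, process names (updater.exe as the unexpected process) and relay addresses are constructed, and the allow-list of expected Teams processes is an assumption to tune locally.

```python
"""STUN/TURN framing (RFC 5389/5766) parser plus a host-level heuristic:
flag TURN relay use by a process that is not a known real-time-media client.
Added example for this article; the telemetry records are constructed, not
artefacts from the DragonForce incident, and RTC_ALLOWLIST is an assumption."""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = 0x2112A442
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
RELAY_METHODS = {"Allocate", "Refresh", "Send", "CreatePermission", "ChannelBind"}
# Processes expected to speak TURN in a typical Windows estate (assumption; tune locally).
RTC_ALLOWLIST = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}
REQUESTED_TRANSPORT = 0x0019  # TURN attribute naming the relayed transport (17 = UDP)


@dataclass
class StunMessage:
    method: str
    cls: str
    attributes: dict = field(default_factory=dict)


def decode_type(msg_type):
    """Split the 14-bit STUN message type into (method, class) per RFC 5389 section 6."""
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    return method, cls


def parse_stun(payload):
    """Return a StunMessage, the string 'channeldata', or None if the bytes are not STUN/TURN."""
    if len(payload) < 4:
        return None
    if payload[0] >> 6 == 0b01:  # TURN ChannelData frame: channel 0x4000-0x7FFF, then data length
        channel, length = struct.unpack("!HH", payload[:4])
        return "channeldata" if 0x4000 <= channel <= 0x7FFF and len(payload) >= 4 + length else None
    if payload[0] >> 6 != 0 or len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != MAGIC_COOKIE or len(payload) < 20 + length:
        return None
    method, cls = decode_type(msg_type)
    attrs, off, end = {}, 20, 20 + length
    while off + 4 <= end:  # TLV attributes, values padded to a 4-byte boundary
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        attrs[atype] = payload[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)
    return StunMessage(METHODS.get(method, hex(method)), CLASSES[cls], attrs)


def assess(record):
    """Classify one (process, client->server payload) observation. Returns (verdict, detail)."""
    msg = parse_stun(record["payload"])
    if msg is None:
        return "ignore", "not STUN/TURN"
    if msg == "channeldata":
        kind = "ChannelData"
    else:
        kind = f"{msg.method} {msg.cls}"
        if msg.method not in RELAY_METHODS:  # plain STUN Binding (NAT discovery) is ubiquitous
            return "benign", kind
    proc = record["process"].lower()
    if proc in RTC_ALLOWLIST:
        return "benign", f"{kind} from expected RTC client {proc}"
    return "alert", f"TURN relay use ({kind}) by unexpected process {proc}"


def build_stun(msg_type, attrs=()):
    """Build a STUN message with a fixed transaction ID (used only for the constructed samples)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4) for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + b"\x11" * 12 + body


UDP_TRANSPORT = b"\x11\x00\x00\x00"
SAMPLE_TELEMETRY = [  # constructed: process name plus the payload it sent; relay IPs are TEST-NET-2
    {"process": "ms-teams.exe", "dst": "198.51.100.20:3478",
     "payload": build_stun(0x0003, [(REQUESTED_TRANSPORT, UDP_TRANSPORT)])},   # Allocate from Teams
    {"process": "updater.exe", "dst": "198.51.100.20:3478",
     "payload": build_stun(0x0003, [(REQUESTED_TRANSPORT, UDP_TRANSPORT)])},   # Allocate, wrong process
    {"process": "updater.exe", "dst": "198.51.100.20:3478",
     "payload": b"\x40\x01\x00\x08" + b"\x00" * 8},                            # ChannelData, wrong process
    {"process": "chrome.exe", "dst": "198.51.100.21:3478",
     "payload": build_stun(0x0001)},                                            # STUN Binding only
    {"process": "updater.exe", "dst": "198.51.100.30:80",
     "payload": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"},                   # not STUN at all
]


def run(records=SAMPLE_TELEMETRY):
    """Return (process, verdict, detail) for every record."""
    return [(r["process"], *assess(r)) for r in records]


if __name__ == "__main__":
    for proc, verdict, detail in run():
        print(f"{verdict:6} {proc:14} {detail}")
```

In production the payload would come from a packet capture or a network sensor and the process name from EDR or Sysmon network-connection events joined on source port; the point of the heuristic is that relay allocation is a rare operation that a short allow-list of media clients can cover, so anything else asking Microsoft's relays for an allocation deserves a look even though the destination is trusted.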
This attack maps to several MITRE ATT&CK techniques:
- T1190 Exploit Public-Facing Application: initial access via the suspected, as-yet-unidentified vulnerability in an SQL or MSSQL server.
- T1574.002 Hijack Execution Flow: DLL Side-Loading: code execution for the attackers' tooling in the early stages of the intrusion.
- T1090.002 Proxy: External Proxy and T1572 Protocol Tunneling: the core of the attack, with Microsoft's TURN relays acting as an external proxy and the QUIC C2 session tunneled through them to the attacker's server. T1071 Application Layer Protocol also applies, since the traffic is wrapped in the STUN/TURN exchange a Teams client would perform.
- T1486 Data Encrypted for Impact: the ultimate goal of DragonForce is ransomware deployment.
From a NIST SP 800-53 perspective, this C2 technique challenges several controls:
- SC-7 Boundary Protection: Traditional boundary controls struggle when malicious traffic masquerades as legitimate application traffic to trusted Microsoft domains.
- SI-4 System Monitoring: Requires highly granular system monitoring and anomaly detection, beyond simple port/protocol filtering, to identify unusual behavior on endpoints.
- SI-3 Malicious Code Protection: Highlights the need for malware detection that works on behavior rather than signatures; a custom tool like Backdoor.Turn has no prior signature to match, and its C2 channel is indistinguishable from trusted traffic at the network edge.
The use of QUIC for C2 is particularly concerning because QUIC encrypts its payload and most of its transport headers with TLS 1.3 and multiplexes streams, leaving deep packet inspection little to work with short of decrypting at scale, which is rarely practical for traffic to legitimate services.
Historical Context
The abuse of legitimate services for C2 isn't new, but DragonForce's use of Microsoft Teams relay servers for Backdoor.Turn marks an escalation in sophistication. The SolarWinds supply chain attack, discovered in December 2020 and attributed to Nobelium (APT29), is the reference case for blending in: the SUNBURST implant disguised its C2 as legitimate SolarWinds Orion Improvement Program traffic and used DNS queries for staging, and once inside, the operators forged SAML tokens to reach Microsoft 365 mailboxes and data through ordinary, already-permitted cloud APIs.
What's similar is the reliance on blending in with trusted communications and infrastructure, making detection a "needle in a haystack" problem; both bypassed traditional perimeter defenses. What's different is the specificity of DragonForce's technique: it targets the real-time communication stack of Microsoft Teams via TURN relays and QUIC sessions. Where the SolarWinds operators mimicked vendor update traffic and rode authenticated cloud API calls, Backdoor.Turn subverts a core transport mechanism of a widely used collaboration tool, operating at a lower protocol level of that service. This is a targeted subversion of a feature rather than piggybacking on generic cloud traffic. The investment in custom Go-based tooling also echoes groups like Conti (active from 2020 until its 2022 shutdown), which likewise built custom malware and infrastructure to maintain operational security and evade detection.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| Malware Type | Backdoor (Go) | SecurityWeek |
| Initial Access Vector | Suspected SQL/MSSQL server vulnerability | SecurityWeek |
| CISA KEV Additions (June 10-17, 2026) | 3 | CISA |
| Chrome Zero-Days (YTD 2026) | 5 | socprime |
| DragonForce Active Since | 2023 | SecurityWeek |
The CVEDaily Take
DragonForce's Teams C2 represents a significant shift in evasion, exploiting trust in ubiquitous platforms. Perimeter defenses are increasingly insufficient. Kernel-level telemetry, advanced EDR, and behavioral analytics are now paramount, as traffic to legitimate domains cannot be assumed benign. We think that many organizations, despite using EDR, are not adequately configuring it to detect this kind of application-layer subversion, especially within Microsoft's ecosystem. Has your team audited egress firewall policies for anomalous traffic patterns to legitimate Microsoft domains, beyond basic port and protocol checks, since this technique was reported?
FAQ
Q1: What makes the DragonForce C2 method so hard to detect?
A1: The DragonForce C2 method is challenging to detect because Backdoor.Turn hides its command-and-control traffic within legitimate Microsoft Teams network activity. It uses trusted Microsoft TURN relay servers and QUIC sessions, which appear as normal Teams media traffic, bypassing traditional firewalls and proxies that whitelist Microsoft domains.
Q2: How does Backdoor.Turn obtain a Teams visitor token?
A2: Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services. This token grants it a basic level of authentication within the Teams ecosystem, allowing it to use legitimate Microsoft infrastructure for its C2 operations without full user credentials.
Q3: Are Microsoft Teams relay servers inherently vulnerable?
A3: No, Microsoft Teams relay servers (specifically TURN servers) are not inherently vulnerable; they are legitimate components designed to facilitate real-time communication. The DragonForce group abuses their intended functionality by using them as a covert tunnel for C2, rather than exploiting a flaw in the servers themselves.