579+
confirmed DragonForce victims as of June 2026
2 months
dwell time inside a U.S. firm before deploying ransomware
4
BYOVD vulnerable drivers used to disable EDR tools
$15M+
minimum annual revenue DragonForce requires in targets

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

DragonForce ransomware spent two months inside a major U.S. services company in late 2025 before deploying encryption, hiding every command-and-control communication inside Microsoft Teams relay infrastructure to evade detection. Symantec disclosed the technique on June 16, 2026, revealing a custom Go-based backdoor called Backdoor.Turn that makes C2 traffic appear as legitimate Microsoft collaboration traffic to every network security tool currently deployed.

DragonForce ransomware Microsoft Teams C2 abuse is the first confirmed malware to exploit the TURN (Traversal Using Relays around NAT) protocol used by Teams for connectivity in restricted network environments. The group entered via an unpatched Microsoft SQL Server vulnerability, then spent weeks using four Bring Your Own Vulnerable Driver (BYOVD) techniques to terminate endpoint detection tools before deploying Backdoor.Turn for persistence and data exfiltration. The final ransomware payload arrived after two months of undetected reconnaissance.

Backdoor.Turn acquires an anonymous Teams visitor token from the Skype-backed identity service, uses that token to connect to a legitimate Microsoft TURN relay, and tunnels a QUIC session through the relay to the attacker's real command-and-control server. Security teams monitoring for suspicious outbound connections will see nothing but verified Microsoft IP addresses. Symantec confirmed active exploitation against a named U.S. organization in December 2025.

DragonForce has accumulated 579 confirmed victims since its June 2023 launch and exclusively targets organizations with annual revenues above $15 million across manufacturing, construction, IT, healthcare, and retail. If your organization runs Microsoft Teams, operates any unpatched SQL Server or public-facing management interface, and has not deployed detection for BYOVD driver abuse, today's Symantec disclosure describes an attack chain that can compromise your environment without generating a single suspicious network alert.

How Does DragonForce's Backdoor.Turn Microsoft Teams C2 Attack Work?

DragonForce's attack chain begins with initial access, escalates through BYOVD driver abuse, and culminates in a C2 channel that blends into legitimate Teams traffic before ransomware encryption.

Initial access exploited an unpatched SQL Server vulnerability in the U.S. victim environment. Symantec notes possible involvement of an access broker to acquire the initial foothold. Once inside, the threat actor downloaded additional tools from 192.36.27[.]51, including TechSupV18Fix3.zip.

Persistence and privilege escalation relied on DLL sideloading. The attackers dropped a malicious vboxrt.dll alongside a legitimate VirtualBox executable (DbgView64.exe), causing the target process to load attacker-controlled code. They then modified the Windows LimitBlankPassword policy, created malicious user accounts, and altered firewall rules to maintain access across reboots.

Defense evasion used four separate BYOVD techniques in a sequence known as a "Havoc Process Terminator" attack:

  • Huawei HWAuidoOs2Ec.sys (novel technique, not previously seen in exploitation campaigns)
  • Topaz Antifraud wsftprm.sys (CVE-2023-52271)
  • Tower of Fantasy GameDriverx64.sys (CVE-2025-61155)
  • K7 Security Anti-Malware K7RKScan.sys (CVE-2025-1055)

A fifth driver, ABYSSWORKER, is a custom malicious kernel driver that masquerades as a legitimate Palo Alto Networks driver to disable security tooling at ring-0 level. This mirrors the AI-assisted ransomware EDR evasion toolkits documented in other active campaigns this year.

Command and control via Backdoor.Turn is the novel capability in this attack. The backdoor requests a visitor token from Microsoft's Skype-backed identity services, uses that token to interact with Teams-associated TURN relay infrastructure, and then establishes a QUIC session to the attacker's actual C2 server. The entire C2 channel traverses legitimate Microsoft IP space. Backdoor.Turn's capabilities include command execution, process creation, network scanning, TLS certificate capture, LDAP and Active Directory enumeration, lateral movement via stolen credentials, and browser credential theft. The backdoor was deployed after the ransomware encryption, suggesting it is intended for persistent re-access to already-compromised organizations.

Active Targeting Evidence: 579 Victims Across 5 Industries

DragonForce has claimed 579 confirmed victims since its June 2023 launch, with activity accelerating sharply after RansomHub's collapse in 2025 caused a significant migration of affiliates to competing RaaS platforms.

The group posted its peak victim count of 35 in December 2025, the same month the Backdoor.Turn attack on the U.S. services company was conducted. From December 2023 through January 2026, 363 organizations appeared on the DragonForce data leak site. From January to June 2026, the count reached 579, indicating roughly 216 additional victims in under six months.

DragonForce targets organizations with annual revenues above $15 million and focuses affiliate activity on manufacturing, construction, IT services, healthcare, and retail. The group does not pursue opportunistic low-value targets. Each affiliate pays 0% to 23% of ransom proceeds to the DragonForce cartel operation, substantially below the 20% standard fee charged by most RaaS platforms, making it attractive to experienced operators targeting high-value organizations.

The DragonForce ransomware campaign's most public confirmed attack was the breach of UK retailer Marks & Spencer (M&S) in 2025, carried out via the Scattered Spider threat group operating DragonForce tooling. The M&S CEO received direct ransom demands. The attack caused significant disruption to the retailer's online operations, payment systems, and internal HR platforms across the United Kingdom.

The Netherlands saw a surge of DragonForce victims in May 2026, with the group claiming more than half of all Dutch ransomware victims in a single month. This geographic expansion beyond its historical concentration in English-speaking markets signals active affiliate recruitment and campaign scaling. Sector targeting matches the profile of organizations in RaaS franchise operations like The Gentlemen ransomware: mid-market to enterprise, with identifiable publicly exposed edge infrastructure.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

DragonForce TTP Breakdown Mapped to MITRE ATT&CK

DragonForce's attack against the U.S. services firm maps across the full MITRE ATT&CK framework from initial access through impact, with novel techniques at the defense evasion and command-and-control phases.

Initial Access (T1190): Exploitation of a public-facing SQL or MSSQL server vulnerability. Exact CVE not publicly attributed. Possible access broker involvement.

Execution (T1059): Backdoor.Turn provides arbitrary command execution and process creation on compromised hosts via the QUIC-tunneled TURN relay channel.

Persistence (T1547, T1136): Modified LimitBlankPassword Windows registry policy, created new user accounts and groups, altered firewall rules, deployed Backdoor.Turn as a Windows service named "TeamsMediaRelay."

Privilege Escalation and Defense Evasion (T1068, T1014, T1574.002): Four BYOVD drivers plus custom ABYSSWORKER kernel driver terminate EDR processes at ring-0. DLL sideloading via malicious vboxrt.dll injected through legitimate VirtualBox and DbgView processes.

Discovery (T1069, T1087, T1018, T1046): LDAP and Active Directory searches enumerate all domain users and groups. Network scanning identifies lateral movement targets. TLS certificate collection maps external infrastructure.

Credential Access (T1555.003): Browser credential theft via Backdoor.Turn capabilities targeting stored passwords in Chrome, Edge, and Firefox.

Lateral Movement (T1021): Credential-based domain traversal using stolen credentials from browser vaults and LDAP enumeration.

Command and Control (T1071.001, T1572): Backdoor.Turn's TURN relay abuse sends all C2 through legitimate Microsoft IP ranges. QUIC protocol tunneling on the TURN relay connection makes protocol-based detection ineffective.

Impact (T1486): DragonForce ransomware locker deployed post-reconnaissance for domain-wide encryption.

The behavioral profile of the BYOVD sequence closely matches techniques documented in the Windows Netlogon RCE domain controller attack chain, where attackers use driver-level access to disable monitoring before lateral movement through domain infrastructure.

Backdoor.Turn represents the first known malware to implement the TURN relay C2 technique in the wild. The group obtained a legitimate Microsoft visitor token and used Microsoft's own relay infrastructure to mask every byte of C2 traffic.

Symantec Threat Intelligence, June 16, 2026

Backdoor.Turn IOCs: File Hashes, C2 Domains, and Network Indicators

Security teams should ingest all indicators below into SIEM, EDR, network detection, and threat intelligence platforms immediately. These indicators were published by Symantec on June 16, 2026, and represent confirmed artifacts from the December 2025 attack against a U.S. services organization.

Behavioral detection priority: Hunt for any Windows service named "TeamsMediaRelay" installed outside of your sanctioned IT change management process. Any instance is a confirmed Backdoor.Turn installation. Outbound TCP connections from within Teams.exe to Microsoft's known IP ranges on non-standard ports (not 443 or 80) indicate active C2 activity. RWX (read-write-execute) memory pages within the Teams.exe process space are an injection indicator.

Registry artifact: Unusual modification to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services: specifically a new service entry for "TeamsMediaRelay" with an executable path pointing to a non-standard location.

C2 infrastructure note: The listed C2 domains are attacker-controlled redirect targets, not Microsoft infrastructure. Traffic will appear to originate from legitimate Microsoft TURN relay IPs before reaching these domains.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Sector-Specific Risk: Is Your Organization a DragonForce Target?

DragonForce selects targets with deliberate criteria, not opportunistic mass scanning. The revenue threshold of $15 million annually filters out small businesses but places mid-market companies squarely in the primary target band alongside enterprises.

Manufacturing faces the highest confirmed victim concentration in the DragonForce data leak site. Operational technology environments typically have longer patching cycles and more legacy systems, creating a broader attack surface. A successful DragonForce intrusion in manufacturing can halt production lines, lock engineering workstations, and encrypt operational data needed for safety systems.

Healthcare organizations present both revenue targets and high ransom payment incentive. Patient care systems create pressure for rapid ransom payment decisions. DragonForce affiliates specifically seek healthcare organizations where operational disruption creates clinical risk, increasing leverage.

IT services and managed service providers (MSPs) represent multiplier targets: a single MSP compromise can provide access to dozens of downstream client environments. The SimpleHelp RMM exploitation campaign DragonForce ran in early 2025 demonstrated this approach, using a vulnerable remote monitoring tool to pivot through MSP infrastructure into client networks.

Retail entered DragonForce's confirmed targeting with the M&S attack and subsequent Netherlands surge in May 2026. Retail organizations carry high volumes of customer payment card data, health and contact information, and loyalty program databases that command high values on dark web markets.

Your immediate exposure checklist:

  • Do you run any public-facing SQL Server or MSSQL endpoints?
  • Has your organization deployed Microsoft Teams across all employee endpoints?
  • Are your BYOVD driver-capable detection rules current for Topaz, Tower of Fantasy, K7, and Huawei drivers?
  • Can you detect a new Windows service named "TeamsMediaRelay" being installed on any endpoint?
  • Are your EDR exclusions audited for attacker-added entries?

Immediate Defensive Steps to Block Backdoor.Turn and DragonForce

The following steps address the specific attack chain components Symantec confirmed in the December 2025 intrusion. Complete all steps before end of day.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why DragonForce Ransomware Microsoft Teams Abuse Matters for Your Organization

DragonForce's Backdoor.Turn changes the threat model for every organization that has deployed Microsoft Teams. The assumption that outbound network monitoring can catch C2 communications by detecting connections to known-malicious infrastructure no longer holds when the C2 channel rides on legitimate Microsoft TURN relay IP addresses.

Three capabilities enabled by Backdoor.Turn that defenders did not face before this disclosure: First, full C2 functionality including command execution, network scanning, AD enumeration, and lateral movement through a channel that will never appear in threat intelligence feeds as malicious infrastructure. Second, persistence via a legitimate-looking Windows service that survives reboots and generates no suspicious file system activity. Third, dwell times measured in months before detection, because there are no suspicious outbound connections to alert on.

The DragonForce ransomware campaign's 579 confirmed victims represent the minimum observable number. Organizations whose data has been exfiltrated but who have not yet received a ransom demand, and organizations where Backdoor.Turn is deployed for re-access after a prior paid ransom, will not appear in published victim counts.

The immediate defensive priority is behavioral detection. Network indicators will not catch Backdoor.Turn. Endpoint behavioral indicators: the TeamsMediaRelay service, RWX pages in Teams.exe, unusual LDAP queries from Teams-associated processes: are the detection surface that matters. Load the IOCs from this post into your SIEM and EDR platforms today. Run the service hunt across your endpoint fleet before the end of the business day. DragonForce's operators have spent months demonstrating that 1-2 month dwell times are achievable when detection relies on network monitoring alone.

The bottom line

DragonForce ransomware's Backdoor.Turn hides C2 traffic inside Microsoft Teams relay infrastructure, giving the group confirmed dwell times of up to two months on victim networks before ransomware deployment. With 579 confirmed victims since June 2023 and active attacks against manufacturing, healthcare, retail, and IT sectors through June 2026, this campaign reaches any organization running Teams with annual revenue above $15 million. Three actions to complete today: hunt for any Windows service named "TeamsMediaRelay" across all endpoints; block the confirmed BYOVD driver CVEs and ABYSSWORKER hashes at kernel level; and ingest the 10 confirmed C2 domains and IPs from this post into your SIEM and edge firewall. Behavioral detection is the only reliable control: network monitoring alone will not catch this threat.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is DragonForce ransomware?

DragonForce ransomware is a ransomware-as-a-service (RaaS) operation launched in June 2023 that targets organizations with annual revenues above $15 million across manufacturing, construction, IT, healthcare, and retail. The group operates a cartel-style franchise where affiliates deploy DragonForce tooling and pay 0% to 23% of ransom proceeds to the core operation. As of June 2026, DragonForce has accumulated 579 confirmed victims and is linked to the Scattered Spider threat group responsible for the 2025 Marks & Spencer cyberattack.

How does Backdoor.Turn hide inside Microsoft Teams?

Backdoor.Turn acquires an anonymous visitor token from Microsoft's Skype-backed identity service, uses that token to connect to a legitimate Microsoft TURN (Traversal Using Relays around NAT) relay server, and then tunnels a QUIC protocol session through the relay to the attacker's actual command-and-control server. All C2 traffic traverses legitimate Microsoft IP addresses, making it indistinguishable from normal Teams connectivity. Symantec confirmed this is the first malware to exploit Microsoft Teams TURN relay infrastructure in the wild.

How many organizations has DragonForce attacked?

DragonForce has claimed 579 confirmed victims on its data leak site as of June 2026, up from 363 between December 2023 and January 2026. The group's peak activity month was December 2025, when 35 victims were published in a single month. The actual number of compromised organizations is higher, as victims who pay ransom before their data is published, or who have been breached but not yet received demands, do not appear in public counts.

Is there a patch for the Backdoor.Turn attack vector?

No single vendor patch closes the Backdoor.Turn attack surface because the technique abuses legitimate Microsoft Teams infrastructure rather than exploiting a vulnerability in Teams itself. Microsoft has not announced changes to the TURN relay token issuance process. Defense requires endpoint behavioral detection of the TeamsMediaRelay service, RWX memory anomalies in Teams.exe, and patching the specific BYOVD driver CVEs used for initial defense evasion: CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055.

How do I detect Backdoor.Turn on my network?

Detecting Backdoor.Turn requires endpoint behavioral indicators, not network detection. Run a service scan for any Windows service named TeamsMediaRelay across all endpoints. Query your EDR for RWX memory page allocations within Teams.exe processes. Monitor for outbound TCP connections from Teams.exe to Microsoft IP ranges on non-standard ports. Also hunt for LDAP enumeration queries originating from processes in the Microsoft Teams installation directory. Network monitoring alone will not detect this malware since all C2 traffic flows through legitimate Microsoft infrastructure.

What are the immediate defensive steps against DragonForce?

Seven steps cover the full DragonForce and Backdoor.Turn attack surface: add the four confirmed BYOVD driver hashes to your WDAC blocklist; hunt for TeamsMediaRelay service installations on all endpoints; audit Teams.exe for process injection indicators; restrict SQL Server and MSSQL to internal networks only; block the 10 confirmed C2 domains and IPs at your perimeter; patch CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 on all affected systems; and verify DLL Safe Search Mode enforcement via Group Policy. Complete all steps before end of day.

What sectors does DragonForce ransomware target?

DragonForce actively targets manufacturing, construction, IT services and MSPs, healthcare, and retail. The group's minimum revenue threshold of $15 million annually filters out smaller targets. Manufacturing faces the highest confirmed victim concentration. IT service providers and MSPs represent multiplier targets because a single MSP compromise can provide access to dozens of downstream client networks. Healthcare organizations are targeted for the combination of revenue and operational urgency that creates pressure for rapid ransom payment.

What was DragonForce's connection to the Marks and Spencer cyberattack?

The 2025 cyberattack on UK retailer Marks & Spencer (M&S) was carried out by members of the Scattered Spider threat group deploying DragonForce ransomware. The attackers disrupted M&S's online operations, payment systems, and internal HR platforms across the United Kingdom. The M&S chief executive received ransom demands directly. The attack established DragonForce's targeting of major retail organizations and its association with Scattered Spider's social engineering-led initial access techniques.

Sources & references

  1. BleepingComputer: Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
  2. Symantec Threat Intelligence: Hidden in Teams: Backdoor.Turn Analysis
  3. Help Net Security: DragonForce masks C2 communications through Microsoft Teams relays
  4. Infosecurity Magazine: DragonForce Ransomware Exploited Microsoft Teams to Hide Attack
  5. GBHackers: DragonForce Ransomware Group Targets 363+ Companies

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.