Microsoft Teams users beware — relays hit by ransomware hackers looking to hide malicious traffic


  • Symantec confirms DragonForce ransomware operators used Microsoft Teams TURN relays for covert C2 traffic
  • Custom Go‑based RAT “Backdoor.Turn” masked malicious activity as normal Teams communications
  • First in‑the‑wild use of “Ghost Calls” technique; campaign shows highly sophisticated tradecraft with Scattered Spider links

Experts have warned cybercriminals are using Microsoft Teams relays as command-and-control (C2) infrastructure, blending malicious traffic with benign corporate communications.

In Microsoft Teams, a relay is a server that helps carry audio and video traffic when a direct connection between participants isn’t possible (for example, when they’re on a corporate network or behind a firewall).

According to security researchers Symantec, in December 2025 ransomware operators DragonForce targeted a major US services company, likely abusing an unknown flaw in an SQL or MSSQL server to get a foothold on their target’s network and, among other things, deployed a custom backdoor malware called ‘Backdoor.Turn’.


Who is DragonForce?

Symantec says this backdoor abuses the Traversal Using Relays around NAT (TURN) protocol, a feature Teams uses when two (or more) participants cannot establish a direct connection. That way, defenders only see Teams traffic, which isn’t usually scrutinized.

BleepingComputer says this technique was first demonstrated in 2025 by Praetorian, who dubbed it ‘Ghost Calls’; however, this is the first time anyone has actually used it in the wild.

“Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic,” Symantec said.
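Because the relay traffic itself looks like Teams, one defensive angle is to ask which process and which host produced it. The sketch below is an added example, not taken from Symantec's report or from this article; the relay ranges, UDP ports, process allowlist, event field names and sample records are all assumptions for illustration.

```python
import ipaddress

# Assumption: Teams media relay ranges and UDP ports as published in Microsoft's
# Microsoft 365 endpoint list; check the current list before relying on them.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in
                    ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TURN_UDP_PORTS = range(3478, 3482)

# Assumption: process images expected to place Teams calls in this environment.
# Name matching is spoofable; pair it with path and signer checks in production.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe",
                   "msedge.exe", "chrome.exe"}

def is_teams_relay(ip, port, proto):
    """True when the flow targets a Teams TURN relay address and port."""
    addr = ipaddress.ip_address(ip)
    return (proto == "udp" and port in TURN_UDP_PORTS
            and any(addr in net for net in TEAMS_RELAY_NETS))

def unexpected_relay_clients(events):
    """Count relay flows per (host, image) from servers or unexpected processes."""
    hits = {}
    for e in events:
        if not is_teams_relay(e["dst_ip"], e["dst_port"], e["proto"]):
            continue
        image = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        # Servers have no reason to place calls; workstations only via known clients.
        if e["role"] == "server" or image not in EXPECTED_IMAGES:
            key = (e["host"], image)
            hits[key] = hits.get(key, 0) + 1
    return sorted(hits.items())

def ev(host, role, image, dst_ip, dst_port, proto="udp"):
    return dict(host=host, role=role, image=image, dst_ip=dst_ip,
                dst_port=dst_port, proto=proto)

# Constructed sample telemetry; hosts, paths and addresses are illustrative only.
SAMPLE_EVENTS = [
    ev("WS-014", "workstation", r"C:\Program Files\Teams\ms-teams.exe", "52.113.10.20", 3478),
    ev("SQL-02", "server", r"C:\ProgramData\svc\updater.exe", "52.114.1.5", 3479),
    ev("SQL-02", "server", r"C:\ProgramData\svc\updater.exe", "52.114.1.5", 3479),
    ev("WS-020", "workstation", r"C:\Temp\helper.exe", "52.122.3.4", 3480),
    ev("WS-014", "workstation", r"C:\Apps\chrome.exe", "142.250.1.1", 3478),
]

if __name__ == "__main__":
    for (host, image), count in unexpected_relay_clients(SAMPLE_EVENTS):
        print(f"{host}: {image} -> Teams relay, {count} flow(s)")
```

The same join of process identity to destination can be expressed in an EDR or SIEM query over network-connection events.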

DragonForce is an old group, by ransomware standards, first spotted back in 2023. It has been linked to the infamous Scattered Spider organization and, back in 2025, adopted a drug cartel model.

By offering a white-label affiliate model, it allows others to use its infrastructure and malware while branding attacks under their own name. With this model, affiliates don’t need to manage the infrastructure, and DragonForce takes care of negotiation sites, malware development and data leak sites.

Symantec said that the attackers running this campaign “use exceptionally sophisticated cyber tradecraft”. A full list of Indicators of Compromise (IoC) can be found on this link.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
