- Symantec confirms DragonForce ransomware operators used Microsoft Teams TURN relays to conceal C2 traffic
- Custom Go-based RAT “Backdoor.Turn” disguised malicious activity as normal Teams communication
- First in-the-wild use of the “Ghost Calls” technique; campaign shows highly sophisticated tradecraft and links to Scattered Spider
Experts have warned that cybercriminals are using Microsoft Teams relays as command-and-control (C2) infrastructure, mixing malicious traffic with benign corporate communications.
In Microsoft Teams, a relay is a server that helps transport audio and video traffic when a direct connection between participants is not possible (for example, when they are on a corporate network or behind a firewall).
According to security researchers at Symantec, the ransomware operator DragonForce targeted a major US service company in December 2025, likely exploiting an unknown flaw in an SQL or MSSQL server to gain a foothold on the target’s network and deploying, among other things, a custom backdoor called ‘Backdoor.Turn’.
Symantec says this backdoor abuses the Traversal Using Relays around NAT (TURN) protocol, a feature Teams uses when two (or more) participants cannot establish a direct connection. As a result, defenders see only what looks like Teams traffic, which normally goes unscrutinized.
BleepingComputer says this technique was first demonstrated in 2025 by Praetorian, which called it ‘Ghost Calls’, but this is the first time anyone has actually used it in the wild.
“Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams’ TURN relay servers to mask command-and-control traffic,” Symantec said.
Who is DragonForce?
DragonForce is an old group by ransomware standards, first discovered in 2023. It has been linked to the infamous Scattered Spider organization, and in 2025 it adopted a drug cartel model.
Under its white-label affiliate model, others can use its infrastructure and malware while branding attacks under their own name. Affiliates do not need to manage any infrastructure, and DragonForce takes care of negotiation sites, malware development and data leak sites.
Symantec said the attackers running this campaign “use exceptionally sophisticated cybercraft”. A complete list of Indicators of Compromise (IoC) can be found at this link.
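Because relayed C2 of this kind looks like Teams media on the wire, one place it can still stand out is the process that opened the connection. The following is an added detection sketch, not code from Symantec, Praetorian or this article: the relay ranges and ports are taken from Microsoft's published endpoint list (an assumption to verify against the current list), the process allowlist is an assumption, and the events are constructed samples using Sysmon Event ID 3 field names.

```python
import ipaddress

# Assumption: Teams media relay ranges and UDP ports taken from Microsoft's
# published Microsoft 365 endpoint list; check them against the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TURN_UDP_PORTS = range(3478, 3482)  # UDP 3478-3481

# Assumption: image names expected to place Teams calls on this estate.
# A name match alone is spoofable; pair it with path and signer checks.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

def is_teams_relay(ip, port, proto):
    """True if the flow targets a Teams relay range on a TURN UDP port."""
    addr = ipaddress.ip_address(ip)
    return (proto.lower() == "udp" and port in TURN_UDP_PORTS
            and any(addr in net for net in TEAMS_RELAY_NETS))

def image_name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def unexpected_relay_users(events):
    """Count relay flows per (host, image) for images outside the allowlist."""
    hits = {}
    for ev in events:
        if not is_teams_relay(ev["DestinationIp"], int(ev["DestinationPort"]), ev["Protocol"]):
            continue
        if image_name(ev["Image"]) in EXPECTED_IMAGES:
            continue
        key = (ev["Computer"], ev["Image"])
        hits[key] = hits.get(key, 0) + 1
    return hits

# Constructed sample events (hosts, paths and addresses are made up).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe",
     "DestinationIp": "52.114.10.20", "DestinationPort": "3479", "Protocol": "udp"},
    {"Computer": "SQL01", "Image": r"C:\ProgramData\svc\updater.exe",
     "DestinationIp": "52.115.1.2", "DestinationPort": "3478", "Protocol": "udp"},
    {"Computer": "SQL01", "Image": r"C:\ProgramData\svc\updater.exe",
     "DestinationIp": "52.123.0.9", "DestinationPort": "3481", "Protocol": "udp"},
    {"Computer": "WS02", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "DestinationIp": "142.250.1.1", "DestinationPort": "3478", "Protocol": "udp"},
]

if __name__ == "__main__":
    for (host, image), n in unexpected_relay_users(SAMPLE_EVENTS).items():
        print(f"{host}: {image} opened {n} flow(s) to Teams relays")
```

The sketch covers only the UDP relay ports; Teams can also fall back to TCP 443, which needs separate handling because many legitimate processes reach Microsoft ranges on that port.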




