Microsoft Teams users beware relays hit by ransomware hackers looking to
hide malicious traffic
Date:
Wed, 17 Jun 2026 13:30:00 +0000
Description:
DragonForce is the first ransomware operator to use this technique, which was discovered last year.
FULL STORY ======================================================================
- Symantec confirms DragonForce ransomware operators used Microsoft Teams TURN relays for covert C2 traffic
- Custom Go-based RAT Backdoor.Turn masked malicious activity as normal Teams communications
- First in-the-wild use of Ghost Calls technique; campaign shows highly sophisticated tradecraft with Scattered Spider links
Experts have warned cybercriminals are using Microsoft Teams relays as command-and-control (C2) infrastructure, blending malicious traffic with benign corporate communications.
In Microsoft Teams, a relay is a server that helps carry audio and video traffic when a direct connection between participants isn't possible (for example, they're on a corporate network or behind a firewall). According to security researchers Symantec, in December 2025 ransomware operators DragonForce targeted a major US services company, likely abusing an unknown flaw in an SQL or MSSQL server to get a foothold on their target's network and, among other things, deployed a custom backdoor malware called Backdoor.Turn.
Who is DragonForce?
Symantec says this backdoor abuses the Traversal Using Relays around NAT (TURN) protocol, a feature Teams uses when two (or more) participants cannot establish a direct connection. That way, defenders only see Teams traffic, which isn't usually scrutinized.
BleepingComputer says this technique was first demonstrated in 2025 by Praetorian, who dubbed it Ghost Calls; however, this is the first time anyone's actually used it in the wild.
Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams' TURN relay servers to mask command-and-control traffic, Symantec said.
DragonForce is an old group, by ransomware standards, first spotted back in 2023. It has been linked to the infamous Scattered Spider organization and, back in 2025, adopted a drug cartel model.
By offering a white-label affiliate model, it allows others to use its infrastructure and malware while branding attacks under their own name. With this model, affiliates don't need to manage the infrastructure, and DragonForce takes care of negotiation sites, malware development and data leak sites.
Symantec said that the attackers running this campaign use exceptionally sophisticated cyber tradecraft. A full list of Indicators of Compromise (IoC) can be found on this link.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-teams-users-beware-relays-hit-by-ransomware-hackers-looking-to-hide-malicious-traffic
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)