Researchers at Symantec discovered that DragonForce ransomware operators used a custom Go-based backdoor called Backdoor.Turn to hide command-and-control communications within legitimate Microsoft Teams traffic, effectively disguising malicious activity as routine corporate collaboration. The malware leveraged Microsoft Teams and Skype infrastructure, including TURN relay servers and QUIC connections, to evade detection while maintaining persistent access to a major US services company's network over two months. This represents the first known instance of malware using Microsoft Teams for covert command-and-control communication.
Crooks Found a New Way to Collaborate Using Teams – by Hiding Command-and-Control Traffic
