ctipilot.ch

DragonForce intrusion

campaign · campaign:dragonforce-backdoor-turn-teams-relay-byovd

DragonForce intrusion — first ITW Microsoft Teams TURN-relay C2 (Backdoor.Turn) + four-driver BYOVD chain

Coverage timeline: 1 (first 2026-06-17 → last 2026-06-17)
Entries: 1 (1 distinct day)
Sources cited: 13 (4 hosts)
Sections touched: 1 (deep-dive)
Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-17 · deep-dive · DragonForce abuses Microsoft Teams TURN relays for C2 and chains four vulnerable drivers (BYOVD)

Where this entity is cited

  • deep-dive: 1

Source distribution

  • attack.mitre.org: 10 (77%)
  • bleepingcomputer.com: 1 (8%)
  • helpnetsecurity.com: 1 (8%)
  • security.com: 1 (8%)

Related entities

All cited sources (13)

Entries about DragonForce intrusion (1)

2026-06-17

DragonForce abuses Microsoft Teams TURN relays for C2 and chains four vulnerable drivers (BYOVD)

Severity: high · discovered 2026-06-17 05:14 UTC · deep dive

Background. DragonForce is a ransomware-as-a-service operation that has been documented since 2023 and rebranded itself in 2024–2025 as a "cartel"-style affiliate model; it has been tied to attacks on retail and enterprise targets across multiple regions and has previously leaned on affiliate-supplied access and living-off-the-land tooling. This deep dive is not about the ransomware payload but about an intrusion Symantec disclosed on 2026-06-16 that introduces a genuinely novel command-and-control technique and an unusually deep bring-your-own-vulnerable-driver (BYOVD) chain (Symantec / Broadcom, 2026-06-16).

The intrusion. Symantec investigated a DragonForce intrusion at an unnamed major U.S. services company that began in December 2025 — roughly two months of undetected dwell before discovery (BleepingComputer, 2026-06-16). Initial access was via an internet-facing MSSQL server (or purchased access) — a reminder that exposed database services remain a high-value entry point (T1190 Exploit Public-Facing Application). The actor then dropped a ZIP containing a legitimate, signed DbgView64.exe (or VirtualBox binary) alongside a malicious vboxrt.dll, executed via DLL side-loading (T1574.002). Persistence was established through a LimitBlankPasswordUse registry modification, creation of rogue local users/groups (T1136.001), and firewall-rule changes.

Backdoor.Turn and the Teams TURN-relay C2 (the novel part). Backdoor.Turn is a Go-based RAT injected into DbgView64.exe. It obtains an anonymous Microsoft Teams visitor token from Skype identity services, then establishes a TURN (Traversal Using Relays around NAT) relay session through Microsoft's own infrastructure and runs a QUIC tunnel to the actual attacker C2. Symantec assesses this is the first known malware to abuse Teams' TURN relay servers for C2 (Symantec / Broadcom, 2026-06-16). The defensive consequence is severe: a defender inspecting network flows sees only outbound connections to legitimate Microsoft IP ranges — the technique is a high-trust proxy/relay abuse (T1090 Proxy) that blends with the Teams traffic any Microsoft 365 tenant already generates.

The four-driver BYOVD chain. To disable defences, the actor loaded four signed-but-vulnerable kernel drivers (T1068 Exploitation for Privilege Escalation, used to reach the kernel for T1562.001 Impair Defenses): Huawei HWAuidoOs2Ec.sys (novel, no prior CVE), Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055). A custom malicious driver, ABYSSWORKER, masqueraded as a Palo Alto Networks driver to handle defence evasion. Follow-on activity included network scanning (T1046), AD/LDAP enumeration (T1018), TLS-certificate harvesting, browser credential theft (T1555.003), and credential-based lateral movement (T1021).

Detection concepts (no IOCs). (1) Hunt for DbgView64.exe or VirtualBox binaries initiating QUIC (UDP/443) sessions to Microsoft TURN-relay ranges with anomalous parent-child trees (vboxrt.dll → DbgView64.exe) — Sysmon EID 3 network-connection events filtered against expected Teams behaviour. (2) Alert on signed drivers from Huawei, Topaz, Tower of Fantasy or K7 Security loading on systems that are not gaming/AV hosts (Sysmon EID 6 driver-load). (3) Registry-value sets on HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (Sysmon EID 13). (4) Rogue local user/group creation (Windows Security EID 4720 / 4732) (Help Net Security, 2026-06-16).
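As an added example (not from the Symantec write-up or this aggregator), the four detection concepts above expressed as hunt rules over constructed Sysmon and Windows Security events. The `host` / `host_role` enrichment tags, the treatment of any image named `virtualbox*` as the "VirtualBox binary", and the sample events themselves are assumptions.

```python
"""Hunt rules for the four detection concepts above, run over constructed
Sysmon / Windows Security events. Field names follow the Sysmon and Security
event schemas; 'host' and 'host_role' are constructed enrichment tags."""
import ntpath

# Signed-but-vulnerable drivers named in the write-up (lower-case basenames).
BYOVD_DRIVERS = {"hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys"}
# Host roles on which a driver from these vendors is plausible (assumption).
EXPECTED_DRIVER_ROLES = {"gaming", "av"}

def classify(ev):
    """Return the rule name that a single event matches, or None."""
    eid = ev.get("EventID")
    if eid == 3:  # Sysmon network connection
        image = ntpath.basename(ev.get("Image", "")).lower()
        sideload_host = image == "dbgview64.exe" or image.startswith("virtualbox")
        if sideload_host and ev.get("Protocol") == "udp" and str(ev.get("DestinationPort")) == "443":
            return "sideload-host-quic-egress"
    elif eid == 6:  # Sysmon driver load
        driver = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        if driver in BYOVD_DRIVERS and ev.get("host_role") not in EXPECTED_DRIVER_ROLES:
            return "byovd-driver-load"
    elif eid == 13:  # Sysmon registry value set
        if ev.get("TargetObject", "").lower().endswith(r"\control\lsa\limitblankpassworduse"):
            return "limitblankpassworduse-set"
    elif eid in (4720, 4732):  # Security: user created / member added to local group
        return "rogue-local-account"
    return None

def hunt(events):
    """Return (host, rule) pairs for every event that trips a rule."""
    return [(ev["host"], rule) for ev in events if (rule := classify(ev))]

# Constructed sample telemetry: four hits and two benign decoys.
SAMPLE_EVENTS = [
    {"EventID": 3, "host": "ws-01", "Image": r"C:\Users\Public\DbgView64.exe",
     "Protocol": "udp", "DestinationPort": 443},
    {"EventID": 3, "host": "ws-02", "Image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "Protocol": "udp", "DestinationPort": 443},  # expected Teams QUIC traffic, no hit
    {"EventID": 6, "host": "srv-01", "host_role": "server",
     "ImageLoaded": r"C:\Windows\Temp\wsftprm.sys"},
    {"EventID": 6, "host": "gm-01", "host_role": "gaming",
     "ImageLoaded": r"C:\Windows\System32\drivers\GameDriverx64.sys"},  # plausible on a gaming host
    {"EventID": 13, "host": "srv-01",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"},
    {"EventID": 4720, "host": "srv-01", "TargetUserName": "svc_backup2"},
]
```

Calling `hunt(SAMPLE_EVENTS)` yields the four srv-01/ws-01 hits and nothing for the Teams client or the gaming host, which is the point of filtering against expected behaviour rather than alerting on UDP/443 alone.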

Hardening. Enforce kernel-driver allow-listing via WDAC/HVCI and keep the Microsoft vulnerable-driver blocklist current (it covers the LOLDrivers entries this chain abuses); constrain egress so UDP/443 (QUIC) to Microsoft service tags is the only permitted path and is itself monitored; and audit any internet-reachable MSSQL/SQL Server instances out of existence. Because Backdoor.Turn rides genuine Microsoft relay infrastructure, IP/domain blocking is ineffective — the leverage is process-lineage and driver-load telemetry, not network reputation.

Tags: ransomware, organized-crime, identity, cloud, us, global