- Symantec confirms DragonForce ransomware operators used Microsoft Teams TURN relays for covert C2 traffic
- Custom Go‑based RAT “Backdoor.Turn” masked malicious activity as normal Teams communications
- First in‑the‑wild use of “Ghost Calls” technique; campaign shows highly sophisticated tradecraft with Scattered Spider links
Experts have warned cybercriminals are using Microsoft Teams relays as command-and-control (C2) infrastructure, blending malicious traffic with benign corporate communications.
In Microsoft Teams, a relay is a server that helps carry audio and video traffic when a direct connection between participants isn’t possible (for example, when they’re on a corporate network or behind a firewall).
According to security researchers Symantec, in December 2025 ransomware operators DragonForce targeted a major US services company, likely abusing an unknown flaw in an SQL or MSSQL server to get a foothold on their target’s network and, among other things, deployed a custom backdoor malware called ‘Backdoor.Turn’.
Symantec says this backdoor abuses the Traversal Using Relays around NAT (TURN) protocol, a feature Teams uses when two (or more) participants cannot establish a direct connection. That way, defenders see only Teams traffic, which isn’t usually scrutinized.
BleepingComputer says this technique was first demonstrated in 2025 by Praetorian, who dubbed it ‘Ghost Calls’; however, this is the first time anyone has actually used it in the wild.
“Backdoor.Turn, a Go-based RAT, is the first known malware to abuse Microsoft Teams’ TURN relay servers to mask command-and-control traffic,” Symantec said.
Who is DragonForce?
DragonForce is an old group, by ransomware standards, first spotted back in 2023. It has been linked to the infamous Scattered Spider organization and, back in 2025, adopted a drug cartel model.
By offering a white-label affiliate model, it allows others to use its infrastructure and malware while branding attacks under their own name. With this model, affiliates don’t need to manage the infrastructure, and DragonForce takes care of negotiation sites, malware development and data leak sites.
Symantec said that the attackers running this campaign “use exceptionally sophisticated cyber tradecraft”. A full list of Indicators of Compromise (IoC) can be found on this link.
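Because relay traffic of this kind goes to genuine Microsoft addresses, one way for defenders to scrutinize it is to check which process opened the connection. The following is an added example, not code from Symantec, Praetorian or the original article: it flags flows to Teams relay ranges made by processes that are not Teams clients. The address ranges, ports, process allowlist and log format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumption: Teams media relay ranges and ports as given in Microsoft's
# published Microsoft 365 endpoint list; verify against the current list.
RELAY_NETS = [ipaddress.ip_network(n) for n in
              ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
RELAY_PORTS = {("udp", p) for p in (3478, 3479, 3480, 3481)} | {("tcp", 443)}

# Assumption: processes expected to carry Teams media on this estate.
EXPECTED = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe",
            "msedge.exe", "chrome.exe"}

# Constructed sample flow records: host,process path,protocol,dst ip,dst port
SAMPLE = """\
ws-014,C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe,udp,52.113.10.20,3479
sql-02,C:\\ProgramData\\svc\\updater.exe,udp,52.114.7.9,3478
sql-02,C:\\ProgramData\\svc\\updater.exe,tcp,52.123.1.4,443
ws-022,C:\\Windows\\System32\\svchost.exe,tcp,93.184.216.34,443
"""

def is_relay(proto, ip, port):
    """True when the destination falls in a relay range on a relay port."""
    addr = ipaddress.ip_address(ip)
    return (proto, port) in RELAY_PORTS and any(addr in n for n in RELAY_NETS)

def unexpected_relay_flows(text):
    """Return (host, process, ip, port) for relay flows from non-Teams processes."""
    hits = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) < 5:
            continue  # skip blank or malformed records
        host = parts[0]
        proto, ip, port = parts[-3].lower(), parts[-2], int(parts[-1])
        path = ",".join(parts[1:-3])          # tolerate commas in the path
        proc = path.rsplit("\\", 1)[-1].lower()
        if is_relay(proto, ip, port) and proc not in EXPECTED:
            hits.append((host, proc, ip, port))
    return hits

if __name__ == "__main__":
    for hit in unexpected_relay_flows(SAMPLE):
        print("review:", hit)
```

A hit is a lead for triage rather than a verdict, since the allowlist matches on process name only and the TCP 443 ranges also serve other Microsoft 365 traffic.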

