DragonForce ransomware group hides command-and-control traffic inside Microsoft Teams communications
Cybercriminals deploying DragonForce ransomware breached a major US services company's network and spent two months hiding their command-and-control activities by disguising them as legitimate Microsoft Teams traffic. Symantec researchers identified the intrusion involved a custom Go-based backdoor called "Backdoor.Turn" that routed malicious communications through Microsoft's services, making the attack appear as routine corporate collaboration.
Key quotes
Cybercrims deploying DragonForce ransomware appear to have gained access to a major US services company's network, then spent two months up to no good while disguising their command-and-control activities as legitimate Microsoft Teams traffic.
Researchers at security firm Symantec said the intrusion began with attackers gaining access to the victim's environment before deploying a custom Go-based backdoor, tracked as 'Backdoor.Turn,' to maintain communication with the compromised systems.
Rather than reaching out to attacker-controlled infrastructure, the malware routed communications through legitimate Microsoft services, making malicious activity look like routine corporate collaboration.
From the article
Custom malware routed communications through legitimate Microsoft services, making malicious activity look like routine corporate collaboration
Continue reading on theregister.comYou might also wanna read
Microsoft Flags Fast-Moving Ransomware, Router-Based Espionage Threats
redmondmag.com·3mo ago
Microsoft Uncovers Hackers Posing as IT Helpdesk Staff
redmondmag.com·2mo ago
Signed Malware Impersonating Workplace Apps Used To Deploy RMM Backdoors
redmondmag.com·4mo ago
Microsoft Disrupts Fox Tempest Malware-Signing Service Used in Ransomware Attacks
redmondmag.com·1mo ago
AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
thehackernews.com·7d ago
Early Exploitation of React2Shell Vulnerability (CVE-2025-55182) Targets Critical Infrastructure
The article details early exploitation activity following the public disclosure of the critical React2Shell vulnerability (CVE-2025-55182).

Comments
Sign in to join the conversation.
No comments yet. Be the first.