HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

DragonForce Ransomware Group Uses Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

Researchers discovered the DragonForce ransomware gang using a custom Go‑based RAT, Backdoor.Turn, to tunnel C2 traffic through Microsoft Teams relays, targeting a large U.S. services firm. The technique underscores the need for continuous vendor‑risk monitoring and SOC 2‑ready evidence for SaaS integrations.

LiveThreat™ Intelligence · 📅 June 18, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

DragonForce Ransomware Group Uses Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

What Happened — Researchers at Broadcom‑owned Symantec and Carbon Black identified a custom Go‑based RAT, Backdoor.Turn, being deployed by the DragonForce ransomware gang. The malware tunnels its command‑and‑control (C2) traffic through Microsoft Teams relay infrastructure, effectively using a legitimate SaaS channel to evade detection. The campaign targeted a large U.S. services firm.

Why It Matters for Compliance & Audit Readiness

  • This is a textbook example of a third‑party supply‑chain abuse that SOC 2 vendor‑management controls are designed to detect and mitigate.
  • Continuous monitoring of SaaS integrations (e.g., Teams) provides audit‑ready evidence that you are exercising due diligence over third‑party risk.
  • Mapping this incident to the SOC 2 CC6.1 (Vendor Management) control helps demonstrate a defensible posture during audits.

Who Is Affected — Professional services organizations, consulting firms, and any enterprise that relies on Microsoft Teams for collaboration.

Recommended Actions

  • Review and tighten Teams app‑permission policies; enforce least‑privilege and restrict external relay usage.
  • Integrate automated SaaS‑risk monitoring into your SOC 2 vendor‑risk program to capture evidence of control effectiveness.
  • Conduct a focused audit of third‑party C2 channels and update incident‑response playbooks to include SaaS‑based exfiltration vectors.

Technical Notes – The backdoor is written in Go, leverages Microsoft Teams’ relay service to blend malicious traffic with legitimate collaboration traffic, and was observed in the wild against a U.S. services firm. No public CVE is associated; the technique exploits trusted cloud infrastructure rather than a software flaw.

Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →