Overview
- Researchers say attackers first gained a foothold in the victim’s network in December 2025 through exposed or purchased SQL/MSSQL access, then used DLL sideloading to run additional payloads.
- After months of stealthy reconnaissance and lateral movement, DragonForce deployed ransomware and then installed a Go-based backdoor tracked as Backdoor.Turn to preserve access or sell the breach.
- Backdoor.Turn obtains anonymous Teams visitor tokens, connects through legitimate Microsoft TURN relay servers and runs a QUIC session to attacker servers so C2 traffic looks like normal Teams media traffic.
- Defenders report the intruders used Bring-Your-Own-Vulnerable-Driver techniques against signed drivers, including exploitation of a Huawei audio driver and a malicious driver disguised as a Palo Alto component to gain kernel privileges and disable protections.
- Broadcom’s Symantec and Carbon Black published indicators and mitigation advice in mid-June 2026 and recommend auditing TURN/QUIC telemetry, hardening exposed SQL/MSSQL services, and monitoring visitor-token use and unexpected driver loads to detect similar attacks.
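As an added illustration of the detection advice in the last two bullets (not code from the Symantec or Carbon Black report), the Python below runs two checks over constructed telemetry: driver loads that fall outside a per-host baseline or whose file name claims a vendor the signer does not match, and Teams TURN relay traffic from hosts that should never run Teams. The baselines, host names, file names and signer strings are assumptions; only the Teams relay UDP ports are real.

```python
from dataclasses import dataclass

# Constructed baseline: driver image names each host is expected to load.
DRIVER_BASELINE = {"sql-01": {"ntfs.sys", "tcpip.sys", "vmxnet3.sys"},
                   "ws-01": {"ntfs.sys", "tcpip.sys", "hdaudio.sys"}}
# Constructed: vendor keyword in a driver file name -> substring its signer must contain.
EXPECTED_SIGNER = {"paloalto": "palo alto networks", "huawei": "huawei technologies"}
TEAMS_HOSTS = {"ws-01", "ws-02"}  # assumption: only workstations legitimately run Teams
TURN_PORTS = {3478, 3479, 3480, 3481}  # Microsoft Teams media relay (TURN) UDP ports

@dataclass
class DriverLoad:
    host: str
    image: str   # full path, e.g. from a Sysmon DriverLoad event
    signer: str  # signature subject name

@dataclass
class Flow:
    host: str
    proto: str
    dst_port: int

def check_driver(ev: DriverLoad) -> list[str]:
    """Flag loads outside the host baseline (BYOVD) and name/signer mismatches (disguise)."""
    alerts = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in DRIVER_BASELINE.get(ev.host, set()):
        alerts.append(f"{ev.host}: unexpected driver load {name}")
    for keyword, signer in EXPECTED_SIGNER.items():
        if keyword in name and signer not in ev.signer.lower():
            alerts.append(f"{ev.host}: {name} claims {keyword} but is signed by '{ev.signer}'")
    return alerts

def check_flow(f: Flow) -> list[str]:
    """Flag TURN relay traffic from hosts that have no reason to run Teams."""
    if f.proto == "udp" and f.dst_port in TURN_PORTS and f.host not in TEAMS_HOSTS:
        return [f"{f.host}: TURN relay traffic (udp/{f.dst_port}) from non-Teams host"]
    return []

def run(drivers: list[DriverLoad], flows: list[Flow]) -> list[str]:
    return [a for d in drivers for a in check_driver(d)] + [a for f in flows for a in check_flow(f)]

# Constructed sample telemetry: one normal load, one disguised driver, one legitimately signed BYOVD.
SAMPLE_DRIVERS = [
    DriverLoad("sql-01", r"C:\Windows\System32\drivers\tcpip.sys", "Microsoft Windows"),
    DriverLoad("sql-01", r"C:\Windows\Temp\paloalto_filter.sys", "Contoso Software Ltd"),
    DriverLoad("sql-01", r"C:\Windows\Temp\huawei_audio.sys", "Huawei Technologies Co., Ltd."),
]
SAMPLE_FLOWS = [Flow("ws-01", "udp", 3478), Flow("sql-01", "udp", 3478), Flow("sql-01", "tcp", 1433)]
```

Calling `run(SAMPLE_DRIVERS, SAMPLE_FLOWS)` yields four alerts: two for the disguised driver, one for the legitimately signed but out-of-baseline driver, and one for relay traffic from the SQL server; the legitimately signed driver is caught only by the baseline check, which is why a signer check alone is not enough against BYOVD.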