EXECUTIVE SUMMARY:
DragonForce ransomware operators were observed conducting a highly stealthy intrusion against a large services organization by leveraging a custom remote access tool designed to conceal malicious communications within legitimate Microsoft Teams infrastructure. The campaign demonstrated an advanced approach to evading network monitoring by blending command-and-control traffic with trusted cloud services, allowing the attackers to remain undetected for an extended period before deploying ransomware. During the intrusion, the threat actors were also observed abusing vulnerable drivers associated with CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 to facilitate defense evasion and obtain elevated system privileges.
The attack relied on a Go-based remote access trojan that abused Microsoft Teams TURN relay services to proxy communications between infected systems and attacker-controlled infrastructure. The malware acquired anonymous Teams visitor tokens, established connections through legitimate relay servers, and tunneled communications using the QUIC protocol, making network traffic appear as standard Teams activity. In addition to this stealth mechanism, the operators employed Bring Your Own Vulnerable Driver (BYOVD) techniques for defense evasion. A vulnerable Huawei driver was leveraged alongside custom tooling to terminate security processes and weaken endpoint protections. The threat actors also modified system configurations, created additional user accounts, adjusted firewall settings, and established persistence mechanisms to maintain long-term access within the environment before deploying ransomware.
This activity highlights the growing trend of ransomware operators abusing trusted enterprise platforms to conceal malicious operations and evade traditional security monitoring. The combination of custom malware, legitimate cloud infrastructure, and vulnerable drivers demonstrates a high level of operational sophistication. Organizations should strengthen monitoring of collaboration platforms, inspect anomalous network behavior involving trusted services, enforce driver-control policies, and maintain comprehensive endpoint visibility to detect and disrupt similar stealth-focused ransomware intrusions before they progress to data theft or encryption.
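The two behaviours above that a defender can hunt for directly are a non-Teams process tunneling over Teams TURN relay infrastructure (UDP/3478 TURN or UDP/443 QUIC) and a driver load that falls outside the driver-control baseline. The script below is an added example, not code from the original report or from Symantec; the pipe-delimited telemetry format, the relay hostname suffix `.relay.teams.example-placeholder`, the install-path prefixes and the driver names are constructed assumptions to be replaced with values from your own Teams traffic baseline and driver-control policy.

```python
"""Hunting heuristics for the Teams-relay C2 and BYOVD behaviour described
above. Added example; log format, relay suffix, driver names and install
paths are constructed assumptions, not values from the report."""
from dataclasses import dataclass
import ntpath

# Image names that legitimately contact Teams relay infrastructure (assumption).
EXPECTED_TEAMS_CLIENTS = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}
# Where those images are expected to live (assumption; extend per environment).
EXPECTED_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
EXPECTED_INSTALL_FRAGMENT = "\\appdata\\local\\microsoft\\"

# Constructed placeholder for the Teams TURN relay hostname suffix; derive the
# real suffixes from a baseline of known-good Teams client traffic.
TEAMS_RELAY_SUFFIX = ".relay.teams.example-placeholder"
# TURN (UDP/3478) and QUIC (UDP/443): the ports the tunnel described above uses.
RELAY_PORTS = {3478, 443}

TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
TRUSTED_DRIVER_SIGNERS = {"Microsoft Windows"}
# Placeholder for the vulnerable-driver blocklist enforced by your driver-control
# policy; the real entries come from that policy, not from this example.
BLOCKED_DRIVER_NAMES = {"hwdrv-placeholder.sys"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_net(host, image, proto, dst_host, dst_port):
    """Rules for one outbound connection record."""
    findings = []
    is_relay = proto == "UDP" and dst_host.endswith(TEAMS_RELAY_SUFFIX) and dst_port in RELAY_PORTS
    if not is_relay:
        return findings
    name = ntpath.basename(image).lower()
    path = image.lower()
    if name not in EXPECTED_TEAMS_CLIENTS:
        # Relay traffic from something that is not a Teams client or browser (T1090.001)
        findings.append(Finding(host, "relay_from_unexpected_process",
                                f"{image} -> {dst_host}:{dst_port}"))
    elif not (path.startswith(EXPECTED_INSTALL_PREFIXES) or EXPECTED_INSTALL_FRAGMENT in path):
        # Right name, wrong location: masquerading as the Teams client (T1036.005)
        findings.append(Finding(host, "teams_client_name_outside_install_path", image))
    return findings


def check_driver(host, image, signer):
    """Rules for one kernel driver load record."""
    findings = []
    name = ntpath.basename(image).lower()
    path = image.lower()
    if name in BLOCKED_DRIVER_NAMES:
        findings.append(Finding(host, "blocklisted_driver_loaded", image))
    elif not path.startswith(TRUSTED_DRIVER_DIR) or signer not in TRUSTED_DRIVER_SIGNERS:
        # Not in the drivers directory or not signed by a trusted publisher
        findings.append(Finding(host, "driver_outside_baseline", f"{image} signed by {signer!r}"))
    return findings


def hunt(log_text):
    """Parse 'net|host|image|proto|dst|port' and 'drv|host|image|signer' lines."""
    findings = []
    for line in log_text.strip().splitlines():
        fields = line.split("|")
        kind, host = fields[0], fields[1]
        if kind == "net":
            findings += check_net(host, fields[2], fields[3], fields[4], int(fields[5]))
        elif kind == "drv":
            findings += check_driver(host, fields[2], fields[3])
    return findings


# Constructed sample telemetry: one benign Teams client, one unexpected process on
# the relay, one Teams-named binary in a user-writable path, one benign TCP flow,
# one baseline driver and one blocklisted driver loaded from a user directory.
SAMPLE_LOG = r"""
net|WS01|C:\Program Files\WindowsApps\MSTeams_24\ms-teams.exe|UDP|52.relay.teams.example-placeholder|3478
net|WS01|C:\ProgramData\svc\svchost.exe|UDP|52.relay.teams.example-placeholder|3478
net|WS02|C:\Users\Public\ms-teams.exe|UDP|13.relay.teams.example-placeholder|443
net|WS02|C:\Windows\System32\svchost.exe|TCP|update.example-placeholder|443
drv|WS02|C:\Windows\System32\drivers\ntfs.sys|Microsoft Windows
drv|WS02|C:\Users\Public\hwdrv-placeholder.sys|Placeholder Vendor
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

The relay rule deliberately keys on process identity rather than on the destination alone, because the destination is legitimate Microsoft infrastructure and blocking it would break Teams; the driver rule pairs a blocklist with a path-and-signer baseline so a renamed copy of a blocklisted driver still surfaces.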
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1136.001 | Create Account | Local Account |
| Persistence | T1098.001 | Account Manipulation | Additional Cloud Credentials |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Stealth | T1211 | Exploitation for Stealth | - |
| Stealth | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Stealth | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1016.001 | System Network Configuration Discovery | Internet Connection Discovery |
| Command and Control | T1090.001 | Proxy | Internal Proxy |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Command and Control | T1105 | Ingress Tool Transfer | - |
REFERENCES:
The following reports contain further technical details:
https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor