Overview
- On June 16, 2026, Symantec and Carbon Black published a joint report naming the Go-based backdoor Backdoor.Turn and releasing indicators of compromise to help defenders.
- Backdoor.Turn stole an anonymous Microsoft Teams visitor token, used Microsoft TURN relay servers and a QUIC session, and routed C2 and exfiltration through them so that network monitors saw only what appeared to be legitimate Teams connections.
- The intrusion, observed in December 2025, likely began with an SQL/MSSQL server compromise, continued with reconnaissance and data theft over one to two months, and ended with DragonForce ransomware encrypting victim systems.
- Attackers used Bring Your Own Vulnerable Driver (BYOVD) techniques, loading multiple signed but vulnerable drivers, including a Huawei driver and a custom driver called ABYSSWORKER, to gain kernel privileges and disable security tooling.
- Researchers published IoCs and mitigation steps and advise organizations to audit TURN and QUIC telemetry, harden exposed SQL/MSSQL services, and monitor for unauthorized driver loads and anomalous Teams visitor-token use. The victim's remediation and any ransom payment remain undisclosed.