Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
Summary
Backdoor.Turn is a Go-based RAT now tied to covert command-and-control traffic hidden through Microsoft Teams TURN relay servers, creating a trusted-looking channel for remote access. Symantec says it is the first known in-the-wild malware to abuse this relay path. The activity was observed in December 2025 during an intrusion against a major U.S. services company. The malware's stealthy transport and post-exploitation features raise the risk of undetected compromise.
Related Happenings
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score: 38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
How related:
The investigation report, published by Symantec and Carbon Black on 16 June, warned that attackers deployed DragonForce ransomware on the network of a “major US services firm.”
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services company** in **December 2025**, with attackers maintaining access for **up to two months** and hiding **command-a...
Major South Korean electronics manufacturer hit by data theft breach
Incident
H score: 13
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score: 43
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Snow malware suite deployment by UNC6692
Malware Activity
H score: 28
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
H score: 52
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
Timeline
- 16.06.2026 13:18 · 3 articles · 2h ago
Backdoor.Turn Microsoft Teams TURN relay malware activity
Initial Disclosure: The malware gained an early covert foothold by using **Microsoft Teams TURN relay infrastructure** for command-and-control setup. That opening stage let the operator mask remote communications before later reconnaissance, data theft, and ransomware deployment.
Sources:
- Ransomware gang abuses Microsoft Teams relays to hide malicious traffic — www.bleepingcomputer.com — 16.06.2026 13:18
- DragonForce Ransomware Exploited Microsoft Teams to Hide in Attack Against Major Company — www.infosecurity-magazine.com — 16.06.2026 14:30