Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
First reported
Last updated
Happening score
H score 38
2 unique sources, 2 articles

Summary

A DragonForce ransomware incident hit a major U.S. services company in December 2025, with attackers maintaining access for up to two months and hiding command-and-control traffic in Microsoft Teams. Researchers said the intrusion used a Go-based RAT dubbed Backdoor.Turn to blend traffic into Teams relay infrastructure and a QUIC session, then added persistence by changing settings, creating accounts, and modifying firewall rules. The activity ended with data exfiltration and systems encryption, and the initial foothold was likely through an SQL or MSSQL server flaw.

Related Happenings

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score 29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

How related: The cybercriminals used a Go-based Remote Access Trojan (RAT) to abuse Microsoft Teams' TURN relay servers and mask command-and-control traffic.

About this happening: **Backdoor.Turn** is a **Go-based RAT** now tied to **covert command-and-control traffic** hidden through **Microsoft Teams TURN relay servers**, creating a trusted-looking channe...

BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment

Malware Activity
H score 40 First: 08.06.2026 13:27 Last: 08.06.2026 13:27 Sources 1

About this happening: The deployment of **BRICKSTORM**, **PLENET (aka GRIMBOLT)**, and **AGENTPSD** on **Linux appliances** expanded operator access with **backdoor**, **proxying**, **remote command ex...

Storm-1175 high-velocity exploit campaign

Campaign
H score 59 First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
H score 52 First: 17.03.2026 17:36 Last: 17.03.2026 17:36 Sources 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

Lazarus Group Medusa ransomware activity targeting the Middle East and U.S. healthcare sector

Malware Activity
H score 36 First: 24.02.2026 13:52 Last: 24.02.2026 13:52 Sources 1

About this happening: The **Lazarus Group** was observed using **Medusa ransomware** in an attack against an **unnamed entity in the Middle East**, extending North Korea-linked ransomware use into a li...

Timeline

  1. 16.06.2026 13:18 3 articles · 2h ago

    Major U.S. services company hit by ransomware attack linked to DragonForce

    Initial Disclosure

    In **December 2025**, the intrusion likely started with exploitation of an **unknown SQL or MSSQL server flaw**. The attacker then established a foothold and built persistence before moving into evasion and ransomware deployment.