Skip to main content
Mallory
Back to malware
MalwareRansomwareUsed by 2 actorsExploits 3 CVEs

Backdoor.Turn

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

3 CVES
CVE-2023-52271Arbitrary PPL Process Termination in Topaz Antifraud wsftprm.sysExploited in the wild

Additional drivers linked to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 were also abused.

via cyber security newscybersecuritynews.com
CVE-2025-61155Arbitrary Process Termination via GameDriverX64.sys IOCTL Access Control FlawExploited in the wild

Additional drivers linked to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 were also abused.

via cyber security newscybersecuritynews.com
CVE-2025-1055Arbitrary privileged process termination via K7 Security K7RKScan.sys IOCTLsExploited in the wild

Additional drivers linked to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055 were also abused.

via cyber security newscybersecuritynews.com
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
DragonForce

According to the Symantec Threat Hunter Team, a new Go-based remote access Trojan (RAT) named Backdoor.TURN leverages Microsoft Teams TURN relay servers to disguise command-and-control (C2) communications as legitimate enterprise activity.

via cyber security newscybersecuritynews.com
Hackledorb

According to the Symantec Threat Hunter Team, a new Go-based remote access Trojan (RAT) named Backdoor.TURN leverages Microsoft Teams TURN relay servers to disguise command-and-control (C2) communications as legitimate enterprise activity.

via cyber security newscybersecuritynews.com
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059Command and Scripting InterpreterEvidence1

The Backdoor supports capabilities such as remote command execution, Active Directory enumeration, network scanning, credential theft, and lateral movement.

Privilege Escalation

1 technique
T1055Process InjectionEvidence2

The Backdoor.Turn payload was injected into the legitimate DbgView64.exe process and deployed after ransomware execution.

Stealth

1 technique
T1055Process InjectionEvidence2

The Backdoor.Turn payload was injected into the legitimate DbgView64.exe process and deployed after ransomware execution.

Credential Access

2 techniques
T1003OS Credential DumpingEvidence1

Following execution, the attackers carried out reconnaissance, credential harvesting, and lateral movement across the network.

T1555Credentials from Password StoresEvidence1

Its capabilities include command execution, process creation, network scanning, TLS certificate capturing, LDAP/Active Directory searching, website title collection, and browser credential theft.

Discovery

4 techniques
T1016System Network Configuration DiscoveryEvidence1

Its capabilities include command execution, process creation, network scanning, TLS certificate capturing, LDAP/Active Directory searching, website title collection, and browser credential theft.

T1018Remote System DiscoveryEvidence2

The Backdoor supports capabilities such as remote command execution, Active Directory enumeration, network scanning, credential theft, and lateral movement.

T1046Network Service DiscoveryEvidence1

The Backdoor supports capabilities such as remote command execution, Active Directory enumeration, network scanning, credential theft, and lateral movement.

T1082System Information DiscoveryEvidence1

Following execution, the attackers carried out reconnaissance, credential harvesting, and lateral movement across the network.

Lateral Movement

1 technique
T1021.002SMB/Windows Admin SharesEvidence1

The Backdoor supports capabilities such as remote command execution, Active Directory enumeration, network scanning, credential theft, and lateral movement.

Command and Control

2 techniques
T1071Application Layer ProtocolEvidence2

Backdoor.TURN leverages Microsoft Teams TURN relay servers to disguise command-and-control (C2) communications as legitimate enterprise activity. | Once the connection is established, it initiates a QUIC session with the real C2 server.

T1090.002External ProxyEvidence2

instead of directly communicating with attacker-controlled infrastructure, the malware routes traffic through Microsoft’s own servers, making it appear as normal outbound connections to Teams services.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
cyber security newsNews
Jun 16, 2026
Hackers Weaponize Microsoft Teams Relay to hide Malware Traffic

A Go-based remote access trojan/backdoor that abuses Microsoft Teams TURN relay infrastructure to mask C2 traffic as legitimate Teams communications. It supports remote command execution, Active Directory enumeration, network scanning, credential theft, and lateral movement, and was observed injected into DbgView64.exe.

Read more
bleeping computerNews
Jun 16, 2026
Ransomware gang abuses Microsoft Teams relays to hide malicious traffic

A custom Go-based remote access trojan that abuses Microsoft Teams TURN relay infrastructure to mask command-and-control traffic as trusted Teams-related communications. Reported capabilities include command execution, process creation, network scanning, TLS certificate capture, LDAP/Active Directory searching, website title collection, and browser credential theft.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities3

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping11

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.