Dragonforce Ransomware Group Abuses Microsoft Teams for C2 in Aptora Intrusion
The Dragonforce ransomware group has executed a sophisticated intrusion against Aptora, a major U.S.-based civil engineering firm, by employing a "Living off Trusted Services" (LOTS) technique. The attackers deployed 'Backdoor.Turn', a custom Go-based Remote Access Trojan (RAT), which utilizes the Microsoft Teams relay infrastructure for Command-and-Control (C2). By routing malicious traffic through legitimate Microsoft SaaS endpoints, the group successfully masked C2 communications as standard HTTPS/TLS telemetry and messaging. This method allows the threat actor to bypass traditional network security monitoring and EDR solutions, facilitating long-term persistence and increasing the risk of large-scale data exfiltration and subsequent ransomware deployment.