The Dragonforce ransomware group has executed a sophisticated intrusion against Aptora, a major U.S.-based civil engineering firm, by employing a "Living off Trusted Services" (LOTS) technique. The attackers deployed 'Backdoor.Turn', a custom Go-based Remote Access Trojan (RAT), which utilizes the Microsoft Teams relay infrastructure for Command-and-Control (C2). By routing malicious traffic through legitimate Microsoft SaaS endpoints, the group successfully masked C2 communications as standard HTTPS/TLS telemetry and messaging. This method allows the threat actor to bypass traditional network security monitoring and EDR solutions, facilitating long-term persistence and increasing the risk of large-scale data exfiltration and subsequent ransomware deployment.
Incident Overview: Aptora Intrusion
- Target: Aptora, a prominent U.S. civil engineering and services firm.
- Primary Risk: Potential exfiltration of sensitive intellectual property, including civil engineering designs and client data.
- Operational Impact: High risk of service disruption through subsequent ransomware deployment and data encryption.
Attack Mechanics: LOTS and Backdoor.Turn
- Malware Payload: Deployment of 'Backdoor.Turn', a bespoke Remote Access Trojan (RAT) written in the Go programming language.
- C2 Methodology: Abuse of the Microsoft Teams API and relay infrastructure to carry C2 communication.
- Evasion Strategy: Routing traffic through legitimate Microsoft SaaS endpoints to blend with standard enterprise communications.
- Protocol Masking: Encapsulation of malicious commands within HTTPS/TLS packets, mimicking legitimate Teams telemetry and messaging.
Threat Profile: Dragonforce Tactics
- Actor Sophistication: Advanced use of "Living off Trusted Services" (LOTS) to circumvent perimeter-based security.
- Sector Vulnerability: Heightened risk for critical infrastructure and engineering firms operating within the Microsoft 365 ecosystem.
- Persistence Strategy: Maintaining long-term presence by masking malicious activity within high-reputation cloud traffic.
Defensive Actions: Detection and Mitigation
- Network Monitoring: Identification of anomalous API calls to Microsoft Teams endpoints originating from non-standard processes.
- Endpoint Detection: Hunting for unusual Go-compiled binary execution patterns and suspicious outbound TLS connections.
- Traffic Analysis: Inspection of outbound traffic to Microsoft infrastructure for deviations from typical user and telemetry behavior.
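The three defensive actions above amount to one hunt: find processes other than the Teams client that talk to Teams endpoints, then check whether their connection timing looks like a beacon rather than a human using the app. The script below is an added example written for this page; it is not the article's code and not from any vendor named in it. It assumes a Sysmon-style network-connection log flattened to key=value lines (constructed sample data), an allowlist of process names expected to reach Teams (ms-teams.exe, teams.exe and browsers, an assumption to tune per estate), and a hostname pattern for Teams traffic; the relay hostname in the sample is a placeholder, since the article names no hosts.

```python
"""Hunt for Teams-relay C2 masquerading on network-connection telemetry.

Flags processes that reach Microsoft Teams endpoints without being a known
Teams client, and scores their connection timing for beacon-like regularity.
Added example; log lines, process names and hostnames are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# ASSUMPTION: process images legitimately expected to talk to Teams endpoints.
EXPECTED_TEAMS_CLIENTS = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}

# Matches teams.microsoft.com and any subdomain of it.
TEAMS_DEST = re.compile(r"(^|\.)teams\.microsoft\.com$", re.IGNORECASE)

# Constructed Sysmon-like network-connection events (not real telemetry).
# The "placeholder-relay" host stands in for the relay endpoints the
# article describes but does not name.
SAMPLE_LOG = """\
ts=2026-05-28T09:00:00Z image=C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe dest=teams.microsoft.com port=443
ts=2026-05-28T09:00:05Z image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe dest=placeholder-relay.teams.microsoft.com port=443
ts=2026-05-28T09:00:37Z image=C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe dest=teams.microsoft.com port=443
ts=2026-05-28T09:01:05Z image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe dest=placeholder-relay.teams.microsoft.com port=443
ts=2026-05-28T09:01:30Z image=C:\\Windows\\System32\\svchost.exe dest=update.microsoft.com port=443
ts=2026-05-28T09:02:05Z image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe dest=placeholder-relay.teams.microsoft.com port=443
ts=2026-05-28T09:02:10Z image=C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe dest=teams.microsoft.com port=443
ts=2026-05-28T09:03:05Z image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe dest=placeholder-relay.teams.microsoft.com port=443
ts=2026-05-28T09:04:05Z image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe dest=placeholder-relay.teams.microsoft.com port=443
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) image=(?P<image>.+?) dest=(?P<dest>\S+) port=(?P<port>\d+)"
)


def parse_events(text):
    """Parse key=value lines into dicts; image paths may contain spaces."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "image": m["image"], "dest": m["dest"], "port": int(m["port"])})
    return events


def basename(image):
    """Lower-cased file name of a Windows or POSIX image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_teams_talkers(events):
    """Map image path -> timestamps for non-Teams processes reaching Teams hosts."""
    hits = defaultdict(list)
    for e in events:
        if TEAMS_DEST.search(e["dest"]) and basename(e["image"]) not in EXPECTED_TEAMS_CLIENTS:
            hits[e["image"]].append(e["ts"])
    return dict(hits)


def beacon_cv(timestamps):
    """Coefficient of variation of inter-connection gaps (0 = metronomic).

    Returns None when there are too few connections to judge."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return 0.0 if mean == 0 else statistics.pstdev(gaps) / mean


def hunt(text, cv_threshold=0.1):
    """Return {image: {connections, beacon_cv, beaconing}} for suspect processes."""
    report = {}
    for image, stamps in unexpected_teams_talkers(parse_events(text)).items():
        cv = beacon_cv(stamps)
        report[image] = {
            "connections": len(stamps),
            "beacon_cv": cv,
            "beaconing": cv is not None and cv < cv_threshold,
        }
    return report


if __name__ == "__main__":
    for image, result in hunt(SAMPLE_LOG).items():
        print(f"{image}: {result}")
```

On the sample, the Teams client itself is ignored because it is allowlisted, the System32 svchost.exe is ignored because update.microsoft.com is not a Teams host, and only the Temp-directory binary is reported, with five connections spaced exactly 60 seconds apart. In production the allowlist should key on signer and full path rather than file name alone, since an attacker can name a binary anything, and the jitter threshold should be tuned against a baseline of real Teams client traffic.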
Conclusion: Emerging Evasion Trends
- Strategic Shift: Demonstrates a growing trend of leveraging high-reputation SaaS platforms to bypass EDR and network traffic analysis (NTA).
- Defensive Requirement: Necessity for enhanced visibility into application-layer communications within trusted cloud environments.