
The DragonForce ransomware group has carried out an intrusion at Aptora, a U.S.-based civil engineering firm, using a "Living off Trusted Services" (LOTS) technique. The attackers deployed Backdoor.Turn, a custom Go-based remote access trojan (RAT), which uses Microsoft Teams relay infrastructure as its command-and-control (C2) channel. Because the C2 sessions terminate at legitimate Microsoft SaaS endpoints over HTTPS/TLS, they look at the network perimeter like ordinary Teams telemetry and messaging: IP and domain reputation filters, network monitoring that implicitly trusts Microsoft address space, and EDR network rules that allow-list Microsoft destinations all let the traffic through. That gives the actor durable persistence and raises the risk of large-scale data exfiltration followed by ransomware deployment.

  • Incident Overview: Aptora Intrusion

    • Target: Aptora, a prominent U.S. civil engineering and services firm.
    • Primary Risk: Potential exfiltration of sensitive intellectual property, including civil engineering designs and client data.
    • Operational Impact: High risk of service disruption through subsequent ransomware deployment and data encryption.
  • Attack Mechanics: LOTS and Backdoor.Turn

    • Malware Payload: Deployment of 'Backdoor.Turn', a bespoke Remote Access Trojan (RAT) written in the Go programming language.
    • C2 Methodology: Abuse of Microsoft Teams relay endpoints as the C2 transport, so that commands and responses transit Microsoft-operated relays instead of attacker-owned servers.
    • Evasion Strategy: Routing traffic through legitimate Microsoft SaaS endpoints so it blends with the Teams traffic every Microsoft 365 tenant already generates.
    • Protocol Masking: Encapsulation of malicious commands within HTTPS/TLS sessions that are indistinguishable on the wire from legitimate Teams telemetry and messaging.
  • Threat Profile: DragonForce Tactics

    • Actor Sophistication: Advanced use of "Living off Trusted Services" (LOTS) to circumvent perimeter-based security.
    • Sector Vulnerability: High alert for critical infrastructure and engineering firms utilizing the Microsoft 365 ecosystem.
    • Persistence Strategy: Maintaining long-term presence by masking malicious activity within high-reputation cloud traffic.
  • Defensive Actions: Detection and Mitigation

    • Network Monitoring: Attribute every connection to Microsoft Teams relay endpoints to its originating process; anything other than the installed Teams client reaching those endpoints warrants investigation.
    • Endpoint Detection: Hunt for unsigned or recently dropped Go-compiled executables (Go binaries are large, statically linked and carry distinctive build metadata) and correlate them with outbound TLS connections.
    • Traffic Analysis: Baseline per-host volume, timing and session duration toward Microsoft relay infrastructure; regular beacon intervals, long-lived sessions outside meeting hours, or bulk uploads from hosts that do not run Teams are the deviations to chase.
  • Conclusion: Emerging Evasion Trends

    • Strategic Shift: Demonstrates an increasing trend of leveraging high-reputation SaaS platforms to bypass EDR and network traffic analysis (NTA).
    • Defensive Requirement: Necessity for enhanced visibility into application-layer communications within trusted cloud environments.
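The detection bullets above can be exercised as one piece of logic. The following is an added example, not code from the briefing or from any vendor report: it runs two rules over constructed Sysmon Event ID 3-style network-connection records. Rule 1 flags any process outside a Teams allowlist connecting to a Teams relay host (process attribution); rule 2 flags (host, process) pairs whose relay connections recur at a near-constant interval, the beaconing signature that a relay-backed C2 channel still has to exhibit. The relay DNS suffix `.relay.teams.microsoft.com`, the hostname `worldaz.relay.teams.microsoft.com`, the image allowlist, the thresholds and all event data are assumptions for illustration; in production the suffix and allowlist come from your own DNS logs and software inventory.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumptions, not facts from the briefing: Teams media relays resolve under
# this DNS suffix, and only these image names are expected to reach them.
RELAY_SUFFIX = ".relay.teams.microsoft.com"
EXPECTED_TEAMS_IMAGES = {"ms-teams.exe", "teams.exe"}

# Constructed Sysmon Event ID 3 (network connection) style records:
# (utc_time, host, image, dest_hostname, dest_port). Hypothetical data.
TEAMS_EXE = r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe"
CHROME_EXE = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPED_EXE = r"C:\Users\Public\Libraries\update.exe"   # hypothetical implant
RELAY_HOST = "worldaz.relay.teams.microsoft.com"         # assumed relay name

SAMPLE_EVENTS = [
    ("2025-06-01T09:00:00", "WS-ENG-07", TEAMS_EXE, RELAY_HOST, 3478),  # real call
    ("2025-06-01T09:02:13", "WS-ENG-07", TEAMS_EXE, RELAY_HOST, 443),
    ("2025-06-01T09:10:47", "WS-ENG-07", CHROME_EXE, "teams.microsoft.com", 443),
]
# A non-Teams binary reaching the relay every 60 s: the pattern to catch.
SAMPLE_EVENTS += [
    (f"2025-06-01T09:0{i}:05", "WS-ENG-12", DROPPED_EXE, RELAY_HOST, 443)
    for i in range(6)
]


def image_name(image_path):
    """Lower-cased basename of a Windows image path."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_relay_destination(dest_host):
    """True when the destination is a Teams relay host (by DNS suffix)."""
    return dest_host.lower().endswith(RELAY_SUFFIX)


def unexpected_relay_clients(events):
    """Rule 1: any image outside the Teams allowlist reaching a relay host.
    Returns sorted unique (host, image, dest, port) tuples."""
    hits = set()
    for _ts, host, image, dest, port in events:
        if is_relay_destination(dest) and image_name(image) not in EXPECTED_TEAMS_IMAGES:
            hits.add((host, image_name(image), dest, port))
    return sorted(hits)


def beacon_candidates(events, min_connections=5, max_cv=0.2):
    """Rule 2: (host, image) pairs whose relay connections recur at a
    near-constant interval. Coefficient of variation (stdev / mean) of the
    inter-arrival gaps at or below max_cv counts as beacon-like.
    Returns {(host, image): mean_gap_seconds}. Thresholds are illustrative."""
    by_client = defaultdict(list)
    for ts, host, image, dest, _port in events:
        if is_relay_destination(dest):
            by_client[(host, image_name(image))].append(datetime.fromisoformat(ts))
    flagged = {}
    for client, times in by_client.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[client] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    for hit in unexpected_relay_clients(SAMPLE_EVENTS):
        print("unexpected relay client:", hit)
    for client, period in beacon_candidates(SAMPLE_EVENTS).items():
        print(f"beacon-like relay traffic: {client} every ~{period}s")
```

Rule 1 is the higher-fidelity signal and depends entirely on process attribution, which is why it has to come from endpoint telemetry (Sysmon, EDR) rather than from a perimeter sensor that only sees a TLS session to Microsoft. Rule 2 is the fallback for network-only visibility: an implant that adds jitter to its sleep raises the coefficient of variation, so loosen `max_cv` or switch to a distribution test before relying on it alone, and extend the destination match to Microsoft's published relay IP ranges and UDP ports, not just the DNS suffix.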
