The Attack: Sophisticated Evasion, Conventional Delivery
DragonForce ransomware made headlines this week for using a custom backdoor called Backdoor.Turn that hides command-and-control traffic inside Microsoft Teams relay infrastructure. The technique abuses TURN, the relay protocol Teams falls back to for call and meeting traffic when a direct peer-to-peer connection isn't possible, so the backdoor's traffic looks like legitimate Microsoft communications and exits through a destination most organizations already allow.
That’s sophisticated evasion tradecraft. But it’s solving a problem that only matters if the attacker already has code running on your system.
According to Symantec's analysis, the attack against a major U.S. services company in December 2025 started with exploitation of a vulnerability in an SQL server (likely MSSQL). Once inside, the attacker downloaded a ZIP archive containing a legitimate VirtualBox executable and a malicious DLL used for sideloading.
That’s where the attack became preventable.
The malicious DLL had to be written to the file system before it could be loaded. The vulnerable drivers used in the attack's Bring Your Own Vulnerable Driver (BYOVD) stage (Huawei's HWAuidoOs2Ec.sys, Topaz's wsftprm.sys, Tower of Fantasy's GameDriverx64.sys, and K7 Security's K7RKScan.sys) all had to be written to disk before they could be loaded into the kernel. The Backdoor.Turn RAT had to be written to disk before it could be injected into DbgView64.exe. The ransomware payload had to land on the file system before it could encrypt anything.
Every stage of this attack required writing files to a Windows system. That’s where FileSure operates.
How FileSure Blocks Payload Delivery Before Execution
FileSure Defend runs as a Windows kernel filter driver and intercepts every file operation before it completes. You define rules that control which users, programs, and machines can perform which file operations — and the kernel enforces those rules before any file is created, written, or modified.
A rule blocking unauthorized programs from writing DLL, driver, or executable files would have stopped this attack at the payload delivery stage (the filter below applies to every directory; add a path filter if you want to scope it to system directories):
File name filter: *.dll;*.sys;*.exe
Program name filter: Exclude authorized deployment tools and system processes
Operations: Write, Create
Drive type: Hard drives, Workstations
Result: The malicious DLL from the ZIP archive never lands on disk. The vulnerable drivers never get written. The attack stops before sideloading, before driver abuse, before the RAT deploys, before encryption starts. Two details decide whether the rule holds up in practice: keep the exclusion list short, because any process on it becomes a write oracle for an attacker who can run code inside it; and cover renames as well as writes and creates where the rule engine supports it, or a payload staged under a harmless extension and renamed into place slips through a Write/Create-only rule.
No execution means no evasion techniques matter. The evildoer can have the most sophisticated C2 hiding mechanism ever devised, but if the payload never lands, it never runs.
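To make the rule's decision logic concrete, here is an added example (not FileSure code; the real product enforces its rules inside a kernel filter driver, and this only models the allow/block decision in user mode). It evaluates the rule as written in the article, plus a hardened variant that also covers renames, against a constructed sequence of file operations modelling the chain described above. The authorized-program list, the staging directory, the `sideload.dll` name, and `sqlservr.exe` as the attacker's foothold process are assumptions; the "Drive type" field is not modelled.

```python
"""Toy policy evaluator modelling a FileSure-style "block unauthorized
executable writes" rule.  Added example, not FileSure code: the product
enforces rules in a kernel filter driver; this models the decision only."""
import fnmatch
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    process: str    # image name of the process requesting the operation
    operation: str  # "CREATE", "WRITE" or "RENAME" (for RENAME, path is the new name)
    path: str       # target path


@dataclass(frozen=True)
class BlockRule:
    """Deny `operations` on files whose name matches one of `name_patterns`
    unless the requesting process is an excluded (authorized) program.
    `path_prefixes` scopes the rule to directories; empty means the whole volume."""
    name_patterns: tuple          # e.g. ("*.dll", "*.sys", "*.exe")
    operations: frozenset
    excluded_programs: frozenset  # authorized writers, e.g. msiexec.exe
    path_prefixes: tuple = ()

    def matches(self, ev: FileEvent) -> bool:
        if ev.operation not in self.operations:
            return False
        if ev.process.lower() in self.excluded_programs:
            return False
        p = PureWindowsPath(ev.path)
        # Windows file names are case-insensitive, so compare lowercased.
        name = p.name.lower()
        if not any(fnmatch.fnmatchcase(name, pat.lower()) for pat in self.name_patterns):
            return False
        if self.path_prefixes:
            full = str(p).lower()
            if not any(full.startswith(pre.lower()) for pre in self.path_prefixes):
                return False
        return True


def evaluate(rules, ev: FileEvent) -> str:
    """First matching block rule wins; the default is allow."""
    for rule in rules:
        if rule.matches(ev):
            return "BLOCK"
    return "ALLOW"


def parse_name_filter(s: str) -> tuple:
    """Split a semicolon-separated filter like '*.dll;*.sys;*.exe'."""
    return tuple(x.strip() for x in s.split(";") if x.strip())


# Rule as written in the article: name filter *.dll;*.sys;*.exe, operations
# Write and Create, authorized deployment tools excluded.  The allowlist
# entries are assumptions for the example.
AUTHORIZED = frozenset({"msiexec.exe", "tiworker.exe", "trustedinstaller.exe"})
ARTICLE_RULE = BlockRule(parse_name_filter("*.dll;*.sys;*.exe"),
                         frozenset({"WRITE", "CREATE"}), AUTHORIZED)
# Hardened variant: also cover RENAME, so a payload dropped under a harmless
# extension cannot be renamed into place.
HARDENED_RULE = BlockRule(ARTICLE_RULE.name_patterns,
                          frozenset({"WRITE", "CREATE", "RENAME"}), AUTHORIZED)

# Constructed events modelling the chain in the article.  The attacker's
# process (sqlservr.exe), staging directory and DLL name are assumptions;
# the driver name is the one the article lists.
CHAIN = [
    FileEvent("sqlservr.exe", "CREATE", r"C:\Windows\Temp\vbox\sideload.dll"),
    FileEvent("sqlservr.exe", "CREATE", r"C:\Windows\Temp\HWAuidoOs2Ec.sys"),
    FileEvent("sqlservr.exe", "WRITE",  r"C:\Windows\Temp\stage.tmp"),
    FileEvent("sqlservr.exe", "RENAME", r"C:\Windows\Temp\vbox\sideload.dll"),
    FileEvent("msiexec.exe",  "WRITE",  r"C:\Program Files\App\app.dll"),
]


def run_chain(rule: BlockRule) -> list:
    """Verdict for each event in CHAIN under a single rule."""
    return [evaluate([rule], ev) for ev in CHAIN]


if __name__ == "__main__":
    for label, rule in (("article rule", ARTICLE_RULE), ("hardened rule", HARDENED_RULE)):
        print(label)
        for ev, verdict in zip(CHAIN, run_chain(rule)):
            print(f"  {verdict:5} {ev.operation:6} {ev.process:13} {ev.path}")
```

Running it shows the article's rule blocking the DLL and driver creates while letting the authorized installer through, but also allowing the `.tmp` write followed by the rename into `sideload.dll`; the hardened rule blocks that rename. Scoping with `path_prefixes` is how you would narrow the rule to system directories without loosening the name filter.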
Why This Approach Works on Zero-Day Attacks
The DragonForce attack used Backdoor.Turn — the first known in-the-wild malware to abuse Microsoft Teams TURN relays for C2 communications. Signature-based detection wouldn’t recognize it. Behavioral analysis might catch it eventually, but only after the backdoor was already running and communicating.
FileSure doesn't try to recognize threats. It controls what programs are allowed to do to your files. A ransomware variant from this morning is stopped the same way as one from five years ago, because the fundamental requirement hasn't changed: in this chain, every payload had to be written to disk before it could execute, and that is true of the vast majority of ransomware deployments (fully in-memory tooling is the exception, and it is not what DragonForce used here). Block unauthorized file writes, and the attack stops at delivery.
This works even when you’re offline, even when your antivirus hasn’t updated, even when the evildoer is using techniques nobody has seen before. The rule enforcement happens at the kernel level, independent of threat intelligence feeds or signature databases.
Start Protecting Your Systems Today
FileSure Defend installs on Windows systems from Server 2003 through Server 2022. The agent uses less than 2% CPU and doesn’t conflict with existing endpoint security tools. You can deploy it on legacy systems running specialized software or medical equipment — the machines that modern endpoint tools won’t even install on.
Start your free 21-day trial at bystorm.com and see how file system policy enforcement stops attacks before they execute.
Source: Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
Category: Ransomware
Tags: dragonforce ransomware, backdoor.turn, byovd attack, dll sideloading, kernel filter driver, file system security, payload delivery blocking, zero-day defense