ZeroFox Intelligence Flash Report - DragonForce Conceals C2 in Legitimate Relay Infrastructure
by Alpha Team

Product Serial: F-2026-06-19b
TLP:CLEAR
In this Flash Report, ZeroFox researchers report on DragonForce's use of legitimate web conferencing infrastructure to conceal C2 nodes.
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- On June 16, 2026, cybersecurity researchers disclosed a December 2025 intrusion at a major U.S. services firm in which operators from the DragonForce ransomware collective deployed a custom backdoor called Backdoor.Turn into the firm’s enterprise collaboration infrastructure.
- Backdoor.Turn is a Go-based remote access trojan (RAT), not previously seen in the wild, that can be injected into legitimate trusted collaboration instances to avoid detection. DragonForce almost certainly used this RAT to establish a command-and-control (C2) node within the trusted U.S. services firm’s network in order to maintain persistence.
- ZeroFox assesses that abusing trusted, widely deployed collaboration services for C2, exfiltration, and malware delivery is very likely a tradecraft trend that has evolved since at least mid-2025. This likely represents a further maturation of the ransomware-as-a-service (RaaS) ecosystem, which almost certainly increases detection difficulties for defenders relying primarily on network egress monitoring.
- This type of intrusion also likely represents a continuing shift from single-event extortion toward dual monetization: initial encryption and data theft followed by durable access that can be exploited later or sold to other criminal operators on deep and dark web (DDW) forums.
Tags: tlp:clear, threat actor, malware