. * .  .  *
  *    .    *
     .-~~~-.
  __|_______|__
 (  .  .  .  . )
  '~~~~~~~~~~~~~'
      |   |
   *  .   .  *
  .  *  .    .
0x05 // AREA41::2026
DragonForce: The Cartel Makes A TURN In Ransomware Capabilities
SPEAKER: Thibaut Passilly DURATION: 27:38

They introduce DragonForce, an emerging ransomware group first observed in June 2023 that grew to roughly 400 listed victims within a year. They explain the group's cartel model, which features an affiliate panel, an 80/20 revenue split, and double extortion tactics. They note that the group built its early iterations on leaked LockBit 3.0 code before shifting to Conti V3. While the cartel successfully breached large targets such as Marks & Spencer, they demonstrate that the group's technical maturity is best illustrated by its attacks on much smaller organizations.

They detail a case study of a US business with fewer than 100 employees to showcase the group's advanced capabilities. After gaining initial access via Microsoft SQL, the attackers deployed an unexpectedly sophisticated toolset. They employed Bring Your Own Vulnerable Driver (BYOVD) techniques to terminate endpoint security processes. This included exploiting K7 and Tower of Fantasy drivers, alongside an undisclosed zero-day Huawei driver and a custom AbyssWorker driver masquerading as a legitimate Palo Alto component.

The most significant finding they present from the intrusion is the threat actor's deployment of a "TURN backdoor," marking the first observed in-the-wild abuse of this evasion technique. Because modern networks often block incoming traffic, video conferencing applications rely on Traversal Using Relays around NAT (TURN) servers to establish peer-to-peer connections. They explain that the backdoor abuses Microsoft Teams TURN relays to build an encrypted tunnel directly through the corporate firewall. Since network administrators commonly safelist traffic to Microsoft subdomains to maintain call quality, these communications remain uninspected and entirely hidden.

They outline two versions of this backdoor observed during the incident. The first uses the Google-developed QUIC protocol with TLS 1.3 encryption to maintain fast, secure streams. The second version replaces QUIC with the KCP transmission control algorithm, combining it with SMAX multiplexing and custom AES encryption to manually reproduce QUIC's network behavior. Because these tools grant the attackers standard remote access capabilities (command execution, credential theft, and network scanning), they conclude that DragonForce likely uses small business victims as real-world testing grounds for advanced access-brokering infrastructure.
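The two paragraphs above describe the detection problem a defender is left with: TURN traffic to Microsoft relays is safelisted and encrypted, so the only observable difference between a Teams call and a tunnel is which host and process opened the relay allocation, and what the relayed payload looks like (QUIC in the first backdoor version, opaque KCP/AES in the second). The following added example, written for this summary rather than taken from the talk or from any DragonForce tooling, decodes the STUN/TURN headers that remain visible on the wire (RFC 8489 message type bits, the fixed magic cookie, TLV attributes, and the ChannelData framing TURN multiplexes on the same socket), flags Allocate requests that do not come from an expected client process, and applies a QUIC v1 long-header heuristic to relayed DATA payloads. The host names, process names, and packets in `SAMPLE_RECORDS` are constructed; the allow-list of expected processes is an assumption an analyst would fill from their own telemetry.

```python
"""Added example: a small STUN/TURN decoder for hunting unexpected TURN relay use.

Written for this summary, not taken from the talk or from DragonForce tooling.
Hosts, process names and packets in SAMPLE_RECORDS are constructed.
"""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = 0x2112A442          # RFC 8489 fixed cookie, bytes 4..7 of every STUN header
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTRS = {0x0006: "USERNAME", 0x000D: "LIFETIME", 0x0012: "XOR-PEER-ADDRESS",
         0x0013: "DATA", 0x0019: "REQUESTED-TRANSPORT", 0x0020: "XOR-MAPPED-ADDRESS"}
QUIC_V1 = b"\x00\x00\x00\x01"


@dataclass
class StunMessage:
    method: str
    msg_class: str
    transaction_id: bytes
    attributes: dict = field(default_factory=dict)


def decode_type(msg_type: int):
    """Split the 14-bit STUN type into its method (M11..M0) and class (C1 C0) bits."""
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    msg_class = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    return method, msg_class


def encode_type(method: int, msg_class: int) -> int:
    """Inverse of decode_type; used here only to build the constructed sample packets."""
    return ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
            | ((msg_class & 1) << 4) | ((msg_class & 2) << 7))


def build_stun(method: int, msg_class: int, attrs: list, tid: bytes = b"\x01" * 12) -> bytes:
    """Serialise a STUN message; every attribute value is padded to a 32-bit boundary."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)
    return struct.pack("!HHI", encode_type(method, msg_class), len(body), MAGIC_COOKIE) + tid + body


def classify_datagram(buf: bytes) -> str:
    """TURN carries STUN (top two bits 00) and ChannelData (top two bits 01) on one socket."""
    if not buf:
        return "other"
    return {0: "stun", 1: "channeldata"}.get(buf[0] >> 6, "other")


def parse_stun(buf: bytes) -> StunMessage:
    if len(buf) < 20:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", buf[:8])
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN message")
    if len(buf) < 20 + msg_len:
        raise ValueError("truncated STUN body")
    method, cls = decode_type(msg_type)
    msg = StunMessage(METHODS.get(method, f"0x{method:03x}"), CLASSES[cls], buf[8:20])
    off, end = 20, 20 + msg_len
    while off + 4 <= end:                      # walk the TLV attribute list
        atype, alen = struct.unpack("!HH", buf[off:off + 4])
        value = buf[off + 4:off + 4 + alen]
        if len(value) < alen:
            raise ValueError("truncated attribute")
        msg.attributes[ATTRS.get(atype, f"0x{atype:04x}")] = value
        off += 4 + ((alen + 3) & ~3)           # skip the value plus its padding
    return msg


def looks_like_quic(payload: bytes) -> bool:
    """QUIC v1 long header: header-form and fixed bits set, version 0x00000001 next."""
    return len(payload) >= 5 and (payload[0] & 0xC0) == 0xC0 and payload[1:5] == QUIC_V1


def hunt_turn_allocations(records, expected_processes):
    """Flag TURN Allocate requests whose sending process is not an expected client."""
    findings = []
    for host, process, datagram in records:
        if classify_datagram(datagram) != "stun":
            continue
        try:
            msg = parse_stun(datagram)
        except ValueError:
            continue
        if msg.method == "Allocate" and msg.msg_class == "request" and process not in expected_processes:
            transport = msg.attributes.get("REQUESTED-TRANSPORT", b"\x00")[0]
            findings.append({"host": host, "process": process,
                             "transport": {17: "udp", 6: "tcp"}.get(transport, str(transport))})
    return findings


# Constructed sample records: (host, sending process, datagram bytes). Not real telemetry.
SAMPLE_RECORDS = [
    ("ws-finance-01", "ms-teams.exe",
     build_stun(0x003, 0, [(0x0019, b"\x11\x00\x00\x00")])),                  # normal call setup
    ("ws-finance-01", "ms-teams.exe", b"\x40\x01\x00\x04abcd"),                # ChannelData 0x4001
    ("srv-sql-02", "svchost.exe",
     build_stun(0x003, 0, [(0x0019, b"\x11\x00\x00\x00"), (0x0006, b"user")])),  # unexpected process
    ("srv-sql-02", "svchost.exe",
     build_stun(0x006, 1, [(0x0013, b"\xc3" + QUIC_V1 + b"\x00" * 20)])),       # relayed QUIC v1
]

if __name__ == "__main__":
    for finding in hunt_turn_allocations(SAMPLE_RECORDS, {"ms-teams.exe"}):
        print("ALERT unexpected TURN allocation:", finding)
```

Two caveats follow from the talk itself. The QUIC heuristic only separates the first backdoor version from normal media; the second version's KCP/AES payload is indistinguishable from SRTP by inspection, so the durable signal is the process and host that opened the allocation, not the payload. TURN over TLS (port 443) hides even the STUN headers, which is why the process-level view from an EDR or a host firewall is worth more here than a network tap.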

// This summary was generated by AI. AI can make mistakes. If in doubt, watch the original conference recording.