DragonForce ransomware hides command-and-control traffic in Microsoft Teams
Published 2026-06-15 19:32 UTC · Updated 2026-06-16 22:21 UTC
cve, exploits, malware, threat_actors, incident_response, security_tooling
Overview
The DragonForce ransomware group has been using a sophisticated technique to conceal its command-and-control (C2) communications within legitimate Microsoft Teams traffic.
Entities
Microsoft, DragonForce, Backdoor.Turn, NarwhalRAT, ScarCruft, Scattered Spider
Score total: 1.56
Momentum 24h: 6
Posts: 6
Origins: 5
Source types: 1
Duplicate ratio: 0%
Why now
- Recent discovery highlights ongoing stealthy ransomware campaigns targeting major companies.
- New techniques exploiting popular collaboration tools pose fresh challenges for defenders.
- Concurrent North Korean campaigns using Microsoft alert impersonations emphasize persistent threats.
Why it matters
- Hiding C2 traffic in legitimate Microsoft Teams communications complicates detection and incident response.
- DragonForce's use of custom backdoors shows increasing sophistication in ransomware operations.
- Microsoft-themed phishing remains a favored vector for state-sponsored malware delivery.
LLM analysis
Topic mix: low
Promo risk: low
Source quality: medium
Recurring claims
- DragonForce ransomware uses Microsoft Teams relay infrastructure to hide command-and-control traffic
- North Korean hackers use fake Microsoft alerts to deploy NarwhalRAT malware via spear-phishing
How sources frame it
- BleepingComputer: neutral
All evidence
North Korean hackers use fake Microsoft alerts to deploy NarwhalRAT malware
SC Media · scworld.com · 2026-06-16 22:21 UTC
Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic
The Register Security · theregister.com · 2026-06-16 14:41 UTC
DragonForce Ransomware Exploited Microsoft Teams to Hide in Attack Against Major Company
Infosecurity Magazine · infosecurity-magazine.com · 2026-06-16 11:30 UTC
Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
bleepingcomputer_all · bleepingcomputer.com · 2026-06-16 10:18 UTC
Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware
thehackernews · thehackernews.com · 2026-06-16 08:14 UTC
Top publishers (this list)
- SC Media (1)
- The Register Security (1)
- Infosecurity Magazine (1)
- bleepingcomputer_all (1)
- thehackernews (1)
Top origin domains (this list)
- scworld.com (1)
- theregister.com (1)
- infosecurity-magazine.com (1)
- bleepingcomputer.com (1)
- thehackernews.com (1)