Daylila

Cybersecurity · Thursday, 18 June 2026

01 · Briefing · what happened

Ransomware crew hid inside a US firm for months, disguising its traffic as Microsoft Teams

Cybersecurity · 4 min · 48 sources

A DragonForce attack used a custom backdoor that masquerades as normal Teams traffic, letting it sit unnoticed long after the break-in. Plus a Defender zero-day, 245 Oracle patches, and plugins that steal developers' keys.

Key takeaways

  • A ransomware crew sat inside a US firm for months using a backdoor that disguised its traffic as ordinary Microsoft Teams activity, so defenders never saw the alarm.
  • Microsoft is still patching a zero-day in its own Defender security tool, and Oracle shipped 245 fixes — a reminder that the gap between a patch existing and being applied is its own attack window.
  • The mature security posture assumes attackers will sometimes get past the wall; what protects you is how fast you detect them inside and how fast you recover.

The most useful security story today is not about how attackers got in. It is about how long they stayed — and how hard they were to see once inside.

A backdoor that wears a Microsoft Teams costume

Researchers at Broadcom’s Symantec and Carbon Black team detailed a ransomware attack on a US services firm by the group DragonForce, active since 2023 [8]. The attackers broke in around December 2025, likely through an unknown flaw in a database server, or may simply have bought their way in from a broker who sells access to already-cracked networks [8].

What stands out is the tool they left behind. A new Go-based backdoor the researchers call Backdoor.Turn hides its instructions inside what looks like ordinary Microsoft Teams traffic. It grabs an anonymous Teams visitor token, routes through a legitimate Microsoft relay server, then quietly talks to the attacker’s real control server underneath [8].

The effect is what matters. “Security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away,” the researchers wrote [8]. C&C — command and control — is the channel an intruder uses to send orders to malware it has planted. Hide that channel inside trusted traffic, and the alarm never rings.

Once inside, the crew did the unglamorous work of a real intrusion: it established a foothold, mapped the network, abused a signed but flawed driver to gain deep system access and switch off security software, then stole credentials from browsers and moved sideways to other machines before deploying the ransomware [8]. The backdoor’s job was to keep a way back in even after the ransomware fired.

This is unusual craft for a ransomware crew — most rent their tools rather than build something this careful [8]. But the lesson holds for everyone: a determined attacker will sometimes get past the wall, and the months between the break-in and the discovery are where the damage compounds.

A zero-day in the tool meant to catch zero-days

Microsoft confirmed it is working on a fix for a flaw in Microsoft Defender, its built-in security software, after a researcher published working exploit code last week [3]. The bug — now tracked as CVE-2026-50656 — lets an attacker who already has a foothold on a machine quietly promote themselves to full system control [3]. A CVE is just the public ID number a vulnerability gets so everyone can refer to the same flaw. There is no patch yet, so this counts as a zero-day: a flaw with no fix available, giving anyone who uses it a clear run until one ships [3].

It is a privilege-escalation bug, not a way in by itself — an attacker needs to already be on the machine. But that is precisely the assume-breach point: tools that escalate access are valuable exactly because intruders so often start from a small foothold and work upward.

A heavy patch week

Oracle released its June update with 245 fixes across products including its communications, business, and enterprise-management software [1] — part of a recent move to monthly patches on top of its usual quarterly batch [1]. Separately, attackers were seen actively exploiting flaws in Joomla and LiteSpeed, two pieces of web-hosting software, to run their own code and seize root control on shared servers [6]. And a trio of flaws in Fortinet’s FortiSandbox — a product companies buy to spot emerging threats — came under active attack weeks after Fortinet patched them; one firm logged 49 exploitation attempts from 11 different addresses over six days [2][9].

The thread: the gap between a patch existing and a patch being applied is its own attack window. Apply the update and the window closes.

Plugins that pocket your keys

For people who write software, a quieter warning. Researchers at Aikido found 15 plugins on the JetBrains marketplace — add-ons for a popular set of programming tools — that steal the secret keys developers paste in to use AI services [13]. The moment you enter the key and click Apply, the plugin saves it and forwards a copy to the attacker, with no prompt and nothing visible on the screen to suggest it [13]. The likely aim is reselling access to those paid AI accounts [13]. Programming tools are a rich target because developers leave them open all day, holding source code, cloud logins, and signing keys [13].

Why detection keeps lagging

Underneath all of this sits a staffing problem. A SANS Institute survey of 444 security-operations staff found a shortage of skilled people is the field’s top day-to-day challenge [25]. A separate survey of 168 security leaders found that chasing false alarms and low-priority alerts wastes more of their time than anything else, with another quarter spent just working out whether a given risk is even real [37]. Only 19% said they fully trust their threat-intelligence tools to tell them what to fix first [37].

That is the human side of the lead story. A backdoor that hides in trusted traffic does not need to be invisible — it only needs to blend into a stream of alerts that an understaffed, alert-fatigued team can’t fully chase. The defence isn’t a taller wall. It’s the time it takes to notice someone already inside, and how fast you can get them out.

02 · Lesson · why it matters

The wall you can't build, and the clock you can

You will not keep every attacker out. What protects you is how fast you notice the one who got in, and how fast you get them out.

A guest who stayed for months

The DragonForce crew broke into a US firm around December 2025. They were not found for months. In between, they mapped the network, turned off the security software, stole passwords, and spread to other machines — all before the ransomware ever fired.

The headline reflex is to ask how they got in. The more useful question is how they stayed so long. They left behind a tool that disguised its messages as ordinary Microsoft Teams traffic. To the defenders’ alarms, nothing looked wrong. The intruder was not invisible. He was just indistinguishable from a colleague on a video call.

That gap — between break-in and discovery — is where almost all the damage in a serious attack actually happens.

The wall is a comforting lie

Most of how we picture security is a wall. Higher firewall, stronger password, one more lock. The instinct is to spend everything on keeping people out.

But a wall has a hidden assumption: that “out” and “in” are stable, and that if you build it high enough, the question of what happens after a breach never comes up. For anything worth attacking, that assumption fails. Software has flaws nobody has found yet. People paste passwords into fake login pages. Someone sells a working key to a stranger. Given enough attempts, somebody gets through. Not because the wall was weak — because walls are finite and attackers are patient.

So a posture built entirely on the wall has a brittle shape. It works perfectly until the one moment it doesn’t, and in that moment it has nothing left to offer. The fall is total because everything was bet on the edge.

Two clocks decide the damage

Mature defenders stopped chasing the perfect wall and started watching two clocks instead.

The first is dwell time — how long an intruder sits inside before anyone notices. The DragonForce crew’s dwell time was months. Every day of it was a day to steal more, reach further, and dig in deeper.

The second is recovery time — how long it takes to get them out and put things right once you do notice.

Here is the quiet truth: the same break-in does wildly different amounts of harm depending on those two numbers. Caught in an hour, an intrusion is an incident. Caught in a month, it is a catastrophe. The attacker’s skill at getting in matters far less than your speed at seeing them once they’re there.

Resilience is a different shape than strength

This is the move from strength to resilience, and they are not the same thing.

Strength resists. It tries to make the bad thing impossible, and it measures itself by how high the wall stands. Resilience assumes the bad thing will sometimes happen, and measures itself by how small and short the harm is when it does. Strength bets everything on the edge holding. Resilience accepts the edge will be crossed and invests in the middle and the after.

You can feel the difference in where the money goes. A strength budget buys a taller wall. A resilience budget buys the things that shorten the two clocks: people and systems that watch the inside, not just the perimeter; the habit of assuming any one account might already be compromised; the drills that make recovery fast instead of frantic. None of it stops the first break-in. All of it shrinks what the break-in becomes.

Why the inside is so hard to watch

There is a reason the inside gets neglected, and the lead story shows it. A backdoor hiding in Teams traffic does not need to be clever enough to beat every alarm. It only needs to blend into the flood.

Security teams are short-staffed and buried. Surveys this week found that the single biggest drain on their time is chasing false alarms and working out which warnings are even real. When everything inside is noisy, a quiet intruder who looks normal is safe almost by default. The wall is visible and satisfying to fund. The patient work of watching the interior is invisible until the day it saves you — and so it is the first thing skipped.

What this is really about

The instinct to build a perfect wall is not foolish. It is human. We would all rather the bad thing never happen than plan for the day it does. But a defence that only knows how to keep things out has no answer for the moment something gets in — and for anything worth attacking, that moment comes.

This is not only a security idea. A business that has never rehearsed a failure, a family that has no plan for the emergency, a system that assumes nothing will ever break — each is betting everything on an edge that holds forever. The wiser posture is humbler. It admits it cannot see every threat or stop every one, and it asks a smaller, truer question instead: when something gets through, how fast will I know, and how fast can I recover? You are inside that system too. The wall was never the whole of your safety — the clock was.

03 · Lab · your turn

The Two Clocks

Split a security budget between a taller wall and faster detection, and feel how dwell time, not the wall, decides the damage.
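The budget split this lab describes, together with the two clocks (dwell time and recovery time) defined in the lesson above, as an added worked model that is not part of the newsletter: every number is a constructed assumption, and the diminishing-returns rule is a modelling choice, not a measured fact.

```python
"""Toy 'two clocks' model, constructed for this lab: a fixed budget is split
between perimeter hardening (the wall) and inside-the-network detection and
recovery (the clocks). Every parameter below is an illustrative assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    budget: float = 1.0                    # total spend, normalised to 1
    breach_prob_unhardened: float = 0.5    # yearly chance of a break-in with no wall spend
    wall_halving: float = 0.5              # wall spend that halves breach probability
    dwell_days_unwatched: float = 180.0    # dwell time with no detection spend (months)
    dwell_halving: float = 0.25            # inside spend that halves dwell time
    loss_per_dwell_day: float = 10.0       # harm accrued per day the intruder stays
    recovery_days_unprepared: float = 30.0 # recovery time with no drills or playbooks
    recovery_halving: float = 1.0          # inside spend that halves recovery time
    loss_per_recovery_day: float = 20.0    # harm accrued per day of disrupted recovery


def _diminishing(base: float, spend: float, halving: float) -> float:
    """Each 'halving' of spend cuts the quantity in half: diminishing returns."""
    return base * 0.5 ** (spend / halving)


def expected_loss(wall_share: float, p: Params = Params()) -> float:
    """Expected yearly loss when wall_share of the budget goes to the wall."""
    wall_spend = wall_share * p.budget
    inside_spend = p.budget - wall_spend
    breach_prob = _diminishing(p.breach_prob_unhardened, wall_spend, p.wall_halving)
    dwell_days = _diminishing(p.dwell_days_unwatched, inside_spend, p.dwell_halving)
    recovery_days = _diminishing(p.recovery_days_unprepared, inside_spend, p.recovery_halving)
    # Once an intruder is inside, harm is set by the two clocks, not by the wall.
    harm_if_breached = (dwell_days * p.loss_per_dwell_day
                        + recovery_days * p.loss_per_recovery_day)
    return breach_prob * harm_if_breached


def best_split(p: Params = Params(), steps: int = 20) -> tuple[float, float]:
    """Scan wall shares from 0 to 1 and return (wall_share, loss) with the lowest loss."""
    candidates = [(i / steps, expected_loss(i / steps, p)) for i in range(steps + 1)]
    return min(candidates, key=lambda c: c[1])


if __name__ == "__main__":
    for share in (1.0, 0.5, 0.0):
        print(f"wall share {share:.2f}: expected loss {expected_loss(share):7.2f}")
    share, loss = best_split()
    print(f"best split: {share:.2f} on the wall, expected loss {loss:.2f}")
```

Spending the whole budget on the wall leaves the months-long dwell time untouched, so the rare breach that does land costs the most; shifting spend to the inside shortens both clocks and lowers the expected loss even though more intruders get through.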

04 · Hope · carry this

The move from chasing a perfect wall to getting good at recovery is quiet, hard-won progress: a whole field trading the comfort of feeling impenetrable for the harder honesty of bouncing back fast. We are safer not because the threats shrank, but because we stopped pretending we could see everything coming.
