- What: convoC2 is an open-source, Go-based command-and-control framework that tunnels attacker traffic through Microsoft Teams’ TURN relay servers, so the C2 channel looks like Teams traffic because it is Teams traffic.
- Why it matters: The technique is the same one North Korea’s Backdoor.Turn used to stay hidden for roughly two months. It has now gone commodity: free on GitHub, and already turning up in ordinary fraud operations.
- Detection: Endpoint visibility only. Watch for TURN relay sessions and Teams visitor tokens originating from a process that is not the real Teams client. The network perimeter gives you nothing to inspect.
- Who’s at risk: Any organization that runs Microsoft Teams and assumes traffic to Microsoft IP ranges is trustworthy by default.
When a North Korean implant called Backdoor.Turn surfaced, the headline was the attribution: a state actor routing command-and-control through Microsoft Teams and going undetected for around two months. Patrick Duggan’s read of the situation is sharper, and it is the part most coverage skipped: the nation-state angle is the least durable thing about the story. The technique underneath it is now open source, and anyone can run it.
That open-source version is convoC2, a Go-based framework published on GitHub. It does exactly what the DPRK’s custom Rust implementation did, with none of the development cost and none of the exclusivity. The capability that earned a state actor a months-long foothold is now a free download.
Why Teams relay C2 is so hard to see
Modern collaboration tools use TURN (Traversal Using Relays around NAT) servers to punch through corporate firewalls so two clients can reach each other. Microsoft Teams runs its own TURN relay infrastructure, hosted on Microsoft’s own IP space. convoC2 abuses that infrastructure directly: it routes QUIC-encrypted C2 traffic through the Teams TURN relays, so to any network monitor the session originates from Microsoft and rides the same protocol as a legitimate call.
Duggan’s summary is the cleanest framing of it: this is C2 traffic that looks like Teams traffic because it is Teams traffic. That single property defeats three perimeter defenses at once:
- IP reputation never fires, because the traffic comes from Microsoft addresses that no feed will ever flag as malicious.
- Protocol anomaly detection never fires, because QUIC to a Teams relay is exactly what Teams is supposed to do.
- Domain blocking never fires, because there is no attacker domain in the path to block.
To stand it up, an operator needs little more than a GitHub account, a Teams tenant, and a visitor token issued by Microsoft’s identity services. That is the entire barrier to entry.
The commoditization curve nobody patches for
Duggan places convoC2 on a pattern he has tracked across several techniques, and it is the real lesson here. An advanced capability gets used quietly, then gets attributed to a nation-state and makes headlines, then shows up as an open-source project, then gets adopted by ordinary criminals who were never the subject of any advisory. We saw it with AsyncRAT relayed through Cloudflare Workers, and with C2 hidden inside blockchain canisters on the Internet Computer. Teams relay C2 is now walking the same path.
The trap is that defenders update their posture around the nation-state indicators, the specific Backdoor.Turn hashes and infrastructure, and consider the matter closed. But the technique predates the public attribution, and the commodity version does not share any of those indicators. You can be fully patched against the headline and wide open to the GitHub clone.
It is already in criminal hands
This is not theoretical. The convoC2 trail led researchers to a German-and-Austrian fraud operator running a full criminal stack: marketplace-scraping tools aimed at sites like Willhaben and Inseriate, fake-shop infrastructure, a mobile exploit chain, and a Discord server bluntly named “fakeshops” for coordinating device compromise and credential and session theft at scale. The same actor was tied to a Telnetd root-shell flaw, CVE-2026-24061, used as one of the device-compromise vectors. This is a commodity fraud crew, not a government program, and it already had the Teams-relay technique in its kit.
Where the detection actually lives
Because nothing useful is visible at the network edge, every viable detection moves to the endpoint. Duggan points at three signals, and all three depend on host-level telemetry:
- Process-to-relay anomaly. A TURN relay session to a Microsoft Teams server is normal when the Teams client opens it. The same session opened by any other process is the tell. Baseline which executables are allowed to talk to Teams relays, and alert on the rest.
- Visitor-token issuance. Watch endpoint HTTPS telemetry for Teams visitor-token requests to Microsoft identity services that originate outside the Teams application. A token minted by something that is not Teams is a strong indicator.
- Session-baseline deviation. Persistent QUIC sessions to Microsoft TURN IP ranges that fall outside a user’s normal Teams usage pattern, for example long-lived connections with no meeting activity around them, are worth flagging.
Teams relay C2 produces no malicious IP, no anomalous protocol, and no blockable domain. A defense built on perimeter inspection has nothing to inspect. The only place the activity becomes visible is on the host, in the gap between what Teams is allowed to do and what is actually doing it.
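A minimal host-side implementation of the three signals above, run over constructed endpoint telemetry. This is an added example, not code from Duggan’s analysis or from any product; the Teams executable names, the one-hour "persistent" threshold and the relay IP range are assumptions (the range is a TEST-NET placeholder standing in for the published Microsoft relay ranges).

```python
import ipaddress

# Assumption: executables allowed to open Teams relay sessions or request visitor tokens.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
# Constructed stand-in for the Microsoft Teams TURN relay ranges (TEST-NET-2);
# in production load the published Microsoft 365 endpoint list instead.
TEAMS_RELAY_NETS = [ipaddress.ip_network("198.51.100.0/24")]
LONG_SESSION_SECS = 3600  # assumed threshold for a "persistent" relay session

# Constructed sample telemetry: EDR network sessions and HTTPS token requests,
# each attributed to the originating process (the process-to-connection link).
TELEMETRY = [
    {"type": "relay", "proc": "ms-teams.exe", "dst": "198.51.100.7", "secs": 1800, "meeting": True},
    {"type": "relay", "proc": "svchost.exe", "dst": "198.51.100.9", "secs": 86400, "meeting": False},
    {"type": "token", "proc": "ms-teams.exe", "kind": "teams_visitor"},
    {"type": "token", "proc": "updater.exe", "kind": "teams_visitor"},
    {"type": "relay", "proc": "ms-teams.exe", "dst": "198.51.100.12", "secs": 7200, "meeting": False},
    {"type": "relay", "proc": "chrome.exe", "dst": "203.0.113.5", "secs": 60, "meeting": False},
]


def is_teams_relay(ip: str) -> bool:
    """True if the destination falls inside the (assumed) Teams TURN relay ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_RELAY_NETS)


def detect(events, long_secs=LONG_SESSION_SECS):
    """Apply the three host-level signals; returns (rule, process) alerts in event order."""
    alerts = []
    for ev in events:
        proc = ev["proc"].lower()
        trusted = proc in TEAMS_PROCESSES
        if ev["type"] == "relay" and is_teams_relay(ev["dst"]):
            # 1. Process-to-relay anomaly: a Teams relay session from a non-Teams binary.
            if not trusted:
                alerts.append(("relay_from_non_teams_process", proc))
            # 3. Session-baseline deviation: long-lived relay session with no meeting around it.
            if ev["secs"] > long_secs and not ev["meeting"]:
                alerts.append(("persistent_relay_without_meeting", proc))
        # 2. Visitor-token issuance from something that is not the Teams client.
        elif ev["type"] == "token" and ev["kind"] == "teams_visitor" and not trusted:
            alerts.append(("visitor_token_outside_teams", proc))
    return alerts


if __name__ == "__main__":
    for rule, proc in detect(TELEMETRY):
        print(f"ALERT {rule}: {proc}")
```

The chrome.exe session to a non-relay address produces no alert, which is the point: the rules key on the relay destination plus the originating process, not on Microsoft IP space alone.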
What to do about it
- Get endpoint detection coverage on every host that runs Teams, and confirm it can attribute network sessions to the originating process. That process-to-connection link is the whole game here.
- Baseline legitimate Teams behavior so a non-Teams process reaching a Teams relay, or a visitor token minted outside the client, stands out instead of blending in.
- Stop treating Microsoft IP space as inherently safe. Trusted-infrastructure abuse is the entire point of this class of technique, and an allowlist that waves through everything from a major cloud is exactly the assumption it exploits.
- Hunt on the technique, not the actor. Backdoor.Turn indicators will not catch the convoC2 clone. Detection logic written around the behavior, a relay session from the wrong process, survives the next reskin.
The nation-state version made the news, but the version that will actually reach most organizations is the free one on GitHub. Defending against the headline misses the threat. Build detection around the behavior, on the endpoint, where trusted-infrastructure abuse has nowhere left to hide.
Full credit for the reframe and the technical read goes to Patrick Duggan’s analysis. Go read the original, and connect with him on LinkedIn.
Can you see what your Teams client is really doing?
RedEye Security builds endpoint detection for trusted-infrastructure abuse, the C2 that hides inside the tools your business already trusts. Caver runs it, and the feed ships it to your SIEM.