CVE-2023-52271
Published: 2024-01-08
Priority: P278 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:L / AC:L / PR:L / UI:N / S:C / C:N / I:N / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.33% (24.3rd percentile)
The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which will be named at a later time).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| topazevolution | antifraud | <= 2.0.0.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for wsftprm.sys (Topaz Antifraud kernel driver v2.0.0.0) being loaded by low-privileged processes; its IOCTL interface is abused to kill Protected Process Light (PPL) processes as a BYOVD technique.
- Hunt for DLL sideloading via a ZIP archive containing a legitimate VirtualBox/DbgView executable paired with a malicious DLL; subsequent injection into DbgView64.exe is a strong indicator of Backdoor.Turn deployment.
- Monitor for abuse of the LimitBlankPassword security policy and unexpected firewall rule modifications, which were used by DragonForce actors to strengthen persistence after initial access.
- Caveat: the specific IOCTL code used by wsftprm.sys to kill PPL processes had not been publicly disclosed at the time of reporting.
- Caveat: the initial access vector (SQL/MSSQL exploitation) is unconfirmed; access via an initial access broker (IAB) is also considered possible, limiting pre-compromise detection specificity.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H |
| vulncheck | — | 6.5 | MEDIUM | — |
GHSA
GHSA-r67f-8hjg-55w3: The wsftprm (ghsa_unreviewed · 2024-01-08 · MEDIUM)
VulnCheck
topazevolution antifraud Vulnerability (vulncheck · 2023 · CVSS 6.5 · MEDIUM)
Affected: topazevolution antifraud
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
Exploit PoC: https://vulncheck.com/xdb/04e01c049730
No detection rules found.
No public exploits indexed.
Hackernews
blogs_hackernews · 2026-06-18
## DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.
According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was not disclosed.
"Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN
Bleepingcomputer
blogs_bleepingcomputer · 2026-06-16
## Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
By Bill Toulas
DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
DragonForce is a ransomware operation, active since at least 2023, that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.
According to researchers at the cybersecurity company Symantec, the hackers used custom Go-based malware in an attack against a major U.S. services company.