Fortinet FortiSandbox and Teams Relays Under Siege: New Malware Tactics Raise the Stakes
Attackers are actively exploiting multiple Fortinet FortiSandbox vulnerabilities, with Defused Cyber reporting observed use of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 within the past 24 hours, while only one issue was patched last week. The reporting frames this as a fast-moving exploitation cycle where defenders may still be catching up on patch coverage and detection logic. In parallel, the DragonForce ransomware group is using Microsoft Teams relay infrastructure as a camouflage layer for command-and-control traffic, deploying custom malware dubbed Backdoor.Turn. Separately, researchers at ESET flagged Windows variants of a China-linked SprySOCKS backdoor, expanding what was previously believed to be Linux-only tooling into driver-based stealth modes.

Taken together, the cluster points to a coordinated trend: attackers are blending sandbox escape and post-exploitation persistence with abuse of legitimate enterprise collaboration infrastructure. Geopolitically, this matters because cyber operations increasingly target the trust fabric of multinational organizations (security appliances, endpoint/driver stacks, and widely deployed SaaS relays) rather than isolated endpoints. The likely beneficiaries are threat actors seeking faster dwell times, lower detection rates, and more reliable command-and-control paths, while defenders face a widening gap between patching cadence and adversary adaptation. China-linked attribution in the SprySOCKS reporting adds a further strategic dimension, suggesting state-aligned tradecraft may be migrating across platforms and stealth layers. The net effect is a higher probability that incidents will spill into critical sectors that rely on Fortinet security tooling and Microsoft 365/Teams workflows.

Market and economic implications are primarily indirect but potentially material for cyber risk pricing and enterprise IT spending. Security vendors and incident-response providers may see demand acceleration as customers rush to validate exposure to the FortiSandbox CVEs and to harden Teams relay egress patterns, supporting sentiment for endpoint and network security budgets. Conversely, enterprises using Fortinet FortiSandbox and Microsoft Teams relays could face near-term operational costs from emergency patching, log review, and containment, which can pressure IT services margins and increase insurance claims activity. While the articles do not cite specific commodity or FX moves, the most immediate "market" signal is likely in cyber-insurance underwriting posture and in the relative performance of cybersecurity equities tied to detection, EDR, and threat intelligence. If exploitation remains sustained over days, the risk premium for managed security services and SOC staffing typically rises, with knock-on effects for cloud security tooling and SIEM licensing.

What to watch next is whether Fortinet customers see continued scanning and exploitation attempts tied to the unpatched CVEs, and whether threat intel firms publish indicators of compromise that map to specific FortiSandbox versions and configurations. For the DragonForce case, key triggers include evidence of Teams relay abuse expanding beyond the reported malware and whether defenders can reliably distinguish legitimate Teams traffic from C2 encapsulation. For SprySOCKS, the critical monitoring point is the rollout of additional Windows variants beyond WIN_DRV and WIN_PLUS, especially those that leverage driver-based stealth and persistence mechanisms. In the coming 24–72 hours, escalation risk rises if organizations report successful intrusions or lateral movement following sandbox exploitation, while de-escalation would be indicated by patch uptake, reduced exploit telemetry, and improved detections for Teams relay anomalies.
Executives should prioritize patch verification, egress controls around collaboration relays, and rapid endpoint/driver integrity checks tied to the newly described backdoor families.
Geopolitical Implications
1. Cyber operations increasingly target enterprise trust layers, enabling faster compromise across multinational organizations.
2. China-linked tradecraft appears to be migrating from Linux tooling to Windows driver-based stealth, raising long-term persistence risk.
3. Ransomware using legitimate SaaS infrastructure can reduce attribution confidence and slow cross-border incident coordination.
Key Signals
- Sustained exploitation attempts for CVE-2026-39813/39808/25089 after patch cycles.
- Defender reports of Teams relay egress anomalies tied to Backdoor.Turn.
- New SprySOCKS Windows variants beyond WIN_DRV and WIN_PLUS, especially with additional persistence mechanisms.
- Fortinet and threat-intel updates with version-specific mitigations and detection rules.