DragonForce Ransomware Leverages SimpleHelp Exploits to Hit MSPs

Industry
Written by
Anthony M. Freed
Published on
May 27, 2025

A recent cyberattack has highlighted the vulnerabilities inherent in remote monitoring and management (RMM) platforms, ThreatsBank reports.

Threat actors associated with the DragonForce ransomware group exploited known flaws in SimpleHelp, a widely used RMM tool, to compromise a Managed Service Provider (MSP) and its downstream clients.

The attackers used the MSP's legitimate SimpleHelp instance to deploy a malicious installer, which served as a launch point into customer networks. Once inside, they extracted sensitive data, including device metadata, user information, and network configurations, across multiple organizations managed by the MSP. The attack employed double extortion tactics, combining data exfiltration with ransomware threats to pressure victims.

Researchers believe the intrusion began with a chained exploitation of vulnerabilities disclosed earlier in 2025:

  • CVE-2024-57727: Path traversal flaws allowing attackers to access unintended files.
  • CVE-2024-57726: Privilege escalation issue enabling attackers to gain elevated access.
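The first of the two flaw classes above, path traversal, comes down to a file-serving component joining a caller-supplied path onto a base directory without checking where the result lands. The following is an added illustration of that class and its fix, not SimpleHelp's code and not derived from the advisories; the base directory and the request strings are constructed sample values.

```python
"""Path-traversal guard: a generic illustration of the vulnerability class.

Added example code, not SimpleHelp's implementation. BASE_DIR and the
request strings below are constructed sample values.
"""
import os
from typing import Optional

# Constructed sample base directory for a hypothetical file-serving endpoint.
BASE_DIR = "/srv/rmm/public"


def resolve_unsafe(base: str, requested: str) -> str:
    """Naive join with no containment check.

    Returns the normalised path the operating system would actually open.
    A request such as '../../etc/passwd' climbs out of the base directory,
    and an absolute request such as '/etc/passwd' replaces it entirely.
    """
    return os.path.normpath(os.path.join(base, requested))


def resolve_safe(base: str, requested: str) -> Optional[str]:
    """Hardened version: normalise the joined path, then require that it
    stays inside the base directory. Returns None when it does not."""
    base_norm = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base_norm, requested))
    # commonpath on the normalised forms rejects '..' climbs, absolute-path
    # overrides, and prefix look-alikes such as '/srv/rmm/public_old'.
    if os.path.commonpath([base_norm, candidate]) != base_norm:
        return None
    return candidate


def escapes_base(base: str, requested: str) -> bool:
    """True when the naive join would leave the base directory."""
    return resolve_safe(base, requested) is None


if __name__ == "__main__":
    # Constructed sample requests: two benign, three hostile.
    samples = [
        "reports/daily.txt",
        "reports/../notes.txt",
        "../../etc/passwd",
        "/etc/passwd",
        "../public_old/secret.txt",
    ]
    for req in samples:
        verdict = "BLOCKED" if escapes_base(BASE_DIR, req) else "ok"
        print(f"{req!r:32} naive -> {resolve_unsafe(BASE_DIR, req):36} {verdict}")
```

The containment check is done on the normalised candidate rather than on the raw request, because string-level filters for `..` miss encoded or mixed-separator variants; normalising first and comparing the prefix afterwards is what makes the check sound.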

These flaws were weaponized in a coordinated campaign that successfully compromised several client environments lacking advanced threat detection capabilities.

Takeaway: The DragonForce hit on MSPs via SimpleHelp exploits isn't your garden-variety ransomware stunt; it's a masterclass in weaponizing trust and turning the tools meant to protect us into serious risk exposure.

"Supply chain attacks are already a nightmare—one vendor gets popped, and suddenly hundreds of downstream businesses are scrambling," Jon Miller, CEO and co-founder of Halcyon, told The Register. "But when the target is an MSP, and the weapon is their own RMM software? That's a whole new level of chaos."

MSPs are the connective tissue of modern IT. They hold the keys to the kingdom for dozens, sometimes hundreds, of clients, Miller explained.

"When DragonForce exploited SimpleHelp’s vulnerabilities, they didn’t just breach a single organization; they hijacked a distribution system."

They used legitimate remote access to push malware, exfiltrate data, and detonate ransomware across multiple environments. It’s like tricking the post office into delivering bombs.

This isn’t just about technical flaws; it’s about the erosion of trust. When the tools designed to secure and manage infrastructure become the attack vector, it shakes the very foundation of cybersecurity.

DragonForce isn’t some script kiddie operation. They’re running a sophisticated RaaS model, offering affiliates customizable payloads, advanced evasion techniques, and a playbook that includes log-wiping and security tool disablement.  

They’re not just encrypting data; they’re exfiltrating it, leveraging double extortion, and leaving victims with no good options.

The lesson here? Security isn’t just about protecting your own perimeter anymore. It’s about scrutinizing every link in your supply chain, every tool in your stack, and every partner in your ecosystem.

In cybersecurity, trust is a vulnerability, and when trust is exploited, the fallout could be exponential.

 

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
