THREAT ACTOR

DragonForce

THREAT LEVEL: 7.8
EMERGENCE DATE: Aug 2023
CATEGORY: Selective Affiliate Model / Infrastructure Service Provider
AFFILIATIONS: Scattered Spider (UNC3944), former LockBit affiliates

Description

DragonForce has been one of the more active Selective Ransomware-as-a-Service (RaaS) operations of 2024-2025. It began as a hacktivist collective and has since moved to a cartel-style platform model.
Operating as both a Selective RaaS and an Infrastructure Service Provider, the group maintains a dual-variant architecture built on the leaked LockBit 3.0 builder and Conti V3 source, and attracts affiliates with an 80/20 revenue split and white-label infrastructure services.

CRITICALITY
Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS) / Cartel Model

DragonForce introduced its Selective Ransomware-as-a-Service model in March 2025, establishing a partnership with Scattered Spider (UNC3944) for social engineering campaigns and actively recruiting former LockBit affiliates after the law enforcement disruption of that operation. As an Infrastructure Service Provider, the cartel model supplies white-label ransomware infrastructure and branding, so that vetted client groups can run seemingly independent operations on shared tools and infrastructure. Affiliates are offered an 80/20 revenue split (80% to the affiliate). Attacks on CIS and other former Soviet states are prohibited, a restriction that is common across the ransomware ecosystem rather than a security measure specific to this group.

Current Status: Actively operational with over 150 confirmed victims as of May 2025

Threat Level: 7.8

Origins and Methodology

DragonForce's reputation in the ecosystem stems from its business model rather than from novel malware. In March 2025 the group introduced the ransomware cartel concept, offering white-label branding that lets affiliates run customized ransomware operations on DragonForce's shared infrastructure.

What is the Evolution of DragonForce Ransomware?

1. Formation

Origins trace to May 2021, when DragonForce Malaysia emerged as a hacktivist collective targeting government agencies across the Middle East and Asia. The shift from ideological to financially motivated ransomware operations began in early 2023; the Malaysian hacktivist group has publicly denied any association with the ransomware operation.

2. Evolution

Each stage of the group's evolution has been an adaptation to the changing threat landscape. Initial operations, starting in August 2023, used the leaked LockBit 3.0 builder to establish basic ransomware capability. By July 2024 the group had introduced a customized variant built from the Conti V3 source with enhanced encryption and evasion techniques. The March 2025 move to a cartel model is its most significant change to date.

3. Lineage/Connections

Technical analysis confirms direct connections to established ransomware families through reuse of leaked builders and source code. The group maintains operational ties to Scattered Spider and actively recruits from disbanded operations, including former LockBit affiliates.

Which Unique Techniques Does DragonForce Use?

Infection Vectors

Primarily exploits vulnerabilities in Remote Monitoring and Management (RMM) software, in particular SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726), which chained together give an unauthenticated attacker access to the server configuration, then administrator rights, then remote code execution on the RMM server.

The group also uses phishing campaigns, voice-call social engineering (vishing) against IT help desks, and exploitation of other public-facing applications.

Target Selection

The group demonstrates strategic targeting focused on organizations with high operational dependencies and substantial revenue. Manufacturing represents their most frequently targeted sector due to just-in-time supply chain vulnerabilities.

Victims are prioritized based on cyber insurance coverage assessment, regulatory compliance requirements, and operational impact potential.

Operational Complexity

DragonForce shows high operational sophistication: payloads for Windows, Linux, and ESXi, evasion techniques including BYOVD (Bring Your Own Vulnerable Driver) to disable security tooling, and a professional affiliate support infrastructure.

Key Features & Technical Details

The group's operational maturity shows in its multi-platform payloads and the support infrastructure it provides to affiliates.

Encryption Methods: Dual approach, ChaCha8 (primary) and AES-256 (secondary) for file contents, with RSA used to protect the per-file keys

Double Extortion Tactics: Pre-encryption data exfiltration, followed by threats of public disclosure, regulatory notification, and direct contact with the victim's customers

Cross-Platform Capabilities: Windows, Linux, ESXi, NAS, and BSD systems, with platform-specific payloads

Monetization Strategies: 80/20 revenue split (80% to affiliates); accepts Bitcoin, Monero, and Ethereum

Communication Methods: Tor-based negotiation portals, the DragonLeaks data leak site, professional negotiation tooling

Behavioral Patterns: Avoids CIS nations, maintains operational restrictions on certain targets, professional business approach
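The intermittent (percentage-based) encryption noted in this profile is what makes whole-file entropy checks miss DragonForce-encrypted documents: a file that is 20% ciphertext still has a "normal" average entropy. The example below is added here to show the detection side and is not DragonForce's or the page's own code; the "document" and the partial-encryption stand-in (random bytes in place of a ChaCha8 keystream) are constructed for the example, and the real encryptor's per-file-type percentages are not modelled.

```python
# Added example (not DragonForce's code, not from the original page): why
# percentage-based ("intermittent") encryption defeats whole-file entropy
# checks, and how a per-chunk entropy profile still catches it.
import math
import os
from collections import Counter

CHUNK = 4096          # bytes per entropy window
HIGH_ENTROPY = 7.0    # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty data, ~8.0 for random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window across the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def encrypted_fraction(data: bytes, chunk: int = CHUNK, high: float = HIGH_ENTROPY) -> float:
    """Share of windows that look encrypted (0.0 = none, 1.0 = whole file)."""
    ents = chunk_entropies(data, chunk)
    return sum(e >= high for e in ents) / len(ents) if ents else 0.0


def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH_ENTROPY) -> str:
    """'plain', 'partial' or 'full' from the per-window entropy profile.

    A whole-file entropy check would call a 20%-encrypted document 'plain';
    the per-window view still sees the encrypted head of the file.
    """
    frac = encrypted_fraction(data, chunk, high)
    if frac == 0.0:
        return "plain"
    if frac == 1.0:
        return "full"
    return "partial"


def sample_document(size: int = 64 * 1024) -> bytes:
    """Constructed sample: a repetitive 64 KiB 'production schedule' text file."""
    line = b"Quarterly production schedule, line 3, shift B, status OK\n"
    return (line * (size // len(line) + 1))[:size]


def simulate_partial_encryption(data: bytes, percent: int) -> bytes:
    """Stand-in for intermittent encryption: overwrite the first `percent` of the
    file with random bytes. os.urandom stands in for a ChaCha8 keystream; the real
    encryptor's per-file-type percentages and chunk layout are not modelled."""
    cut = len(data) * percent // 100
    return os.urandom(cut) + data[cut:]


if __name__ == "__main__":
    doc = sample_document()
    for pct in (0, 20, 100):
        sample = simulate_partial_encryption(doc, pct)
        print(f"{pct:3d}% encrypted: whole-file entropy {shannon_entropy(sample):.2f}, "
              f"encrypted windows {encrypted_fraction(sample):.0%}, verdict {classify(sample)}")
```

Running it shows the 20% case with a whole-file entropy well under 7 bits/byte (a file-level threshold would pass it) while three of sixteen windows sit at roughly 7.95, which is the signature a chunk-level monitor keys on.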

Activities

DragonForce maintains one of the highest operational tempos in the ransomware ecosystem with over 150 confirmed victims.

Which Industries Are Most Vulnerable to DragonForce?

Manufacturing organizations face the highest risk due to operational dependencies on continuous production. Real estate companies represent the second most targeted sector. Retail operations experienced high-profile attacks in the UK market during April-May 2025. The group has also targeted healthcare organizations in several confirmed incidents.

Modus Operandi

DragonForce runs a multi-stage intrusion that combines technical exploitation with social engineering, mixing automated tooling with hands-on-keyboard activity to raise the success rate while preserving operational security. The stages below follow the order in which they typically occur.

Initial Access

Exploitation of SimpleHelp RMM vulnerabilities (CVE-2024-57727). Spearphishing with malicious attachments. Valid account compromise through credential theft. Voice phishing targeting IT help desks.

Discovery

Automated network scanning for vulnerable systems. Identification of high-value targets and cyber insurance policies. Mapping of Active Directory infrastructure.

Execution and Tooling

SystemBC backdoor deployment for persistent access. Cobalt Strike beacon installation. Custom GoLang-based tools for operational flexibility.

Defense Evasion

Windows Event Log clearing (T1070.001). Antivirus and EDR disabling (T1562.001). BYOVD using vulnerable signed drivers. Stack string obfuscation and dynamic DLL loading.

Credential Access

Credential harvesting using Mimikatz. LSASS memory dumping. Kerberoasting against service accounts.

Command and Control

Tor-based C2 infrastructure. Domain fronting. Encrypted command channels through SystemBC.

Lateral Movement

RDP for internal propagation. SMB relay attacks. WMI and PowerShell remoting.

Collection and Exfiltration

Custom GoLang-based tool "winupdate.exe". Automated file discovery and staging. Prioritization of intellectual property and financial data. Encrypted tunneling through SystemBC.

Persistence

Registry Run key modifications (T1547.001). Scheduled task creation (T1053.005). Windows service manipulation (T1543.003). Other boot or logon autostart mechanisms (T1547).

Impact

System-wide encryption causing operational disruption. Data theft that exposes the victim to regulatory action. Reputational damage through public disclosure. Supply chain disruption at manufacturing targets.

Encryption

ChaCha8 encryption of a file-type-dependent percentage of each file (intermittent encryption) to shorten the encryption run. Multi-threaded encryption for speed. Deletion of Volume Shadow Copies to block recovery.

Extortion

Ransom note "README.txt". Leak site countdown timers. Multi-channel extortion including media contact. Negotiation through Tor portals.

Anti-Forensics

Removal of forensic artifacts. Log file deletion. Disabling of system restore points.
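Most of the defense-evasion, credential-access and persistence steps above leave a Windows or Sysmon event behind. The example below is added here (it is not DragonForce's code or the page's own) and maps raw event records to those ATT&CK technique IDs; the records are constructed in the flattened JSON shape a SIEM typically emits, with field names following the Windows Security and Sysmon schemas, and the service name "WinUpdateSvc" is a made-up stand-in.

```python
# Added example (not from the original page): map Windows/Sysmon event records
# to the ATT&CK techniques used by DragonForce. Sample records are constructed.
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r'^"?[A-Za-z]:\\(Users\\Public|ProgramData|Windows\\Temp)\\', re.IGNORECASE)
LSASS_DUMP_MASKS = {0x1010, 0x1038, 0x1FFFFF}   # access masks used by common LSASS dumpers
SYSMON = "Microsoft-Windows-Sysmon/Operational"


def evaluate(ev: dict) -> list:
    """Return the ATT&CK technique IDs one event record triggers (empty list if none)."""
    ch, eid, d = ev.get("channel"), ev.get("event_id"), ev.get("data", {})
    hits = []
    if (ch, eid) in {("Security", 1102), ("System", 104)}:
        hits.append("T1070.001")                    # event log cleared
    if ch == "System" and eid == 7045 and USER_WRITABLE.search(d.get("ImagePath", "")):
        hits.append("T1543.003")                    # new service whose binary sits in a user-writable path
    if ch == "Security" and eid == 4698:
        hits.append("T1053.005")                    # scheduled task created
    if ch == SYSMON and eid == 13 and RUN_KEY.search(d.get("TargetObject", "")):
        hits.append("T1547.001")                    # Run/RunOnce key written
    svc = d.get("ServiceName", "")
    if (ch == "Security" and eid == 4769 and d.get("TicketEncryptionType") == "0x17"
            and svc and not svc.endswith("$") and svc.lower() != "krbtgt"):
        hits.append("T1558.003")                    # RC4 service ticket for a user SPN: Kerberoasting signal
    if (ch == SYSMON and eid == 10 and d.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and int(d.get("GrantedAccess", "0x0"), 16) in LSASS_DUMP_MASKS):
        hits.append("T1003.001")                    # LSASS memory read with a dumper-style access mask
    return hits


def triage(events: list) -> dict:
    """technique ID -> indices of matching records, so the whole chain is visible at once."""
    out = {}
    for i, ev in enumerate(events):
        for tech in evaluate(ev):
            out.setdefault(tech, []).append(i)
    return out


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4769,
     "data": {"ServiceName": "DC01$", "TicketEncryptionType": "0x12"}},          # benign AES ticket
    {"channel": "Security", "event_id": 4769,
     "data": {"ServiceName": "svc_sql", "TicketEncryptionType": "0x17"}},        # Kerberoast
    {"channel": SYSMON, "event_id": 10,
     "data": {"SourceImage": "C:\\Users\\Public\\wu.exe",
              "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}},
    {"channel": "System", "event_id": 7045,
     "data": {"ServiceName": "WinUpdateSvc",
              "ImagePath": "\"C:\\Users\\Public\\Documents\\Winupdate.exe\""}},
    {"channel": "System", "event_id": 7045,
     "data": {"ServiceName": "Netlogon", "ImagePath": "C:\\Windows\\System32\\lsass.exe"}},  # benign
    {"channel": "Security", "event_id": 4698, "data": {"TaskName": "\\Updater"}},
    {"channel": SYSMON, "event_id": 13,
     "data": {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\wu"}},
    {"channel": "Security", "event_id": 1102, "data": {"SubjectUserName": "Administrator"}},
]

if __name__ == "__main__":
    for tech, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{tech}: records {idx}")
```

The 4769 rule deliberately ignores machine accounts and krbtgt, and the 7045 rule only fires for binaries under user-writable directories; both are the usual sources of noise when these events are alerted on raw.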

Indicators of Compromise (IOCs)

Indicators age quickly; confirm network indicators against current intelligence before blocking them.

File Hashes (SHA-256)

df903c620508011ca8eb2aaaf9712a526b31a12c800b856cd524ebb3fde854b2 - DragonForce executable
55befb5de5d9bc45978efd1a960ae21ed81e4be9c6521aaeebf8d5884444e3c9 - DragonForce variant
572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b - DragonForce payload
1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b - DragonForce sample

IP Addresses

185.73.125.8 - Primary C2 beacon
94.232.46.202 - SystemBC C2 server
69.4.234.20 - DragonForce infrastructure
185.59.221.75 - Network infrastructure

Domains/URLs

dragonforce[.]net - Primary C2 domain
dfc2[.]info - Secondary C2 domain
z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion - Tor address

File Paths

C:\Users\Public\log.log - Encrypted activity log
C:\Users\Public\Documents\Winupdate.exe - Exfiltration tool
C:\ProgramData\DragonForce\README.txt - Ransom note

Exploits and Vulnerabilities

DragonForce actively exploits known vulnerabilities in Remote Monitoring and Management software, in particular SimpleHelp. Chained, the three CVEs below take an unauthenticated attacker from reading the server configuration (which holds hashed account credentials) to administrator rights and then to remote code execution on the SimpleHelp server, which in turn reaches every endpoint the RMM manages. All three are fixed in SimpleHelp 5.5.8, with backports in 5.4.10 and 5.3.9.

EXPLOITS AND VULNERABILITIES

CVE-2024-57727 (CVSS 7.5) - SimpleHelp Path Traversal: unauthenticated path traversal allowing download of arbitrary files from the server, including the configuration file containing hashed credentials

CVE-2024-57728 (CVSS 7.2) - SimpleHelp File Upload: zip slip in file upload by an administrative user, enabling remote code execution

CVE-2024-57726 (CVSS 9.9) - SimpleHelp Privilege Escalation: low-privileged technician users can create API keys with excessive permissions, escalating to server administrator
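Two checks a defender wants after reading the table above: which SimpleHelp servers are still on a vulnerable build, and whether anyone has already sent traversal requests at one. The example below is added here (neither SimpleHelp's nor DragonForce's code); the fixed version numbers are SimpleHelp's, branches older than 5.3 are treated as vulnerable on the assumption that an unsupported branch never received a fix, and the access-log lines and request paths are constructed for the example, not a captured exploit.

```python
# Added example (neither SimpleHelp's nor DragonForce's code): triage SimpleHelp
# server versions against CVE-2024-57727/-57728/-57726 and flag path-traversal
# requests in web-server access logs. Log lines below are constructed.
import re
from urllib.parse import unquote, urlsplit

# First fixed patch level per 5.x branch (5.5.8 plus the 5.4.10 / 5.3.9 backports).
FIRST_FIXED = {3: 9, 4: 10, 5: 8}


def parse_version(text: str) -> tuple:
    """'5.5.7' or 'v5.4' -> (5, 5, 7) / (5, 4, 0); raises on anything else."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised SimpleHelp version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix for the three CVEs.

    Assumption: branches older than 5.3 got no backport and are treated as vulnerable.
    """
    major, minor, patch = parse_version(version)
    if major != 5:
        return major < 5
    if minor not in FIRST_FIXED:
        return minor < 3
    return patch < FIRST_FIXED[minor]


TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def is_traversal(raw_path: str) -> bool:
    """Detect a '..' path segment after URL-decoding twice (catches %2e%2e and the
    double-encoded %252e%252e) and normalising backslashes. 'report..pdf' is not one."""
    path = raw_path
    for _ in range(2):
        path = unquote(path)
    return bool(TRAVERSAL_SEGMENT.search(path.replace("\\", "/")))


# Combined log format: client, identity, user, [time], "METHOD PATH PROTO", status, size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def flag_traversal_requests(lines) -> list:
    """Return (client_ip, request_path, status) for every request carrying a traversal."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path = urlsplit(target).path          # drop any query string before testing
        if is_traversal(path):
            hits.append((client, path, int(status)))
    return hits


# Constructed access-log sample; the request paths are illustrative, not a captured exploit.
SAMPLE_LOG = [
    '198.51.100.4 - - [12/May/2025:03:14:01 +0000] "GET /toolbox-resource/style.css HTTP/1.1" 200 1180',
    '203.0.113.7 - - [12/May/2025:03:14:07 +0000] "GET /toolbox-resource/../resource/serverconfig.xml HTTP/1.1" 200 2311',
    '203.0.113.7 - - [12/May/2025:03:14:09 +0000] "GET /toolbox-resource/%252e%252e/resource/serverconfig.xml HTTP/1.1" 200 2311',
    '198.51.100.4 - - [12/May/2025:03:15:44 +0000] "POST /api/session HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for v in ("5.5.7", "5.5.8", "5.4.9", "5.3.9", "5.2.3"):
        print(f"SimpleHelp {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for client, path, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal from {client}: {path} -> {status}")
```

A 200 on a traversal request is the line to escalate: it means the server handed the file back, so the credentials in it should be considered exposed regardless of whether the server has since been patched.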