DragonForce represents a sophisticated and rapidly evolving ransomware operation that has emerged as a significant threat in the cybersecurity landscape since late 2023.
Operating under a Ransomware-as-a-Service (RaaS) model, this group has demonstrated exceptional adaptability by leveraging leaked ransomware builders from notorious families like LockBit 3.0 and Conti to create customized attack variants.
The organization has successfully targeted high-profile victims across multiple sectors, including government entities, retail giants, and critical infrastructure, with notable attacks against the Ohio Lottery, Palau government, and major UK retailers like Marks & Spencer.
Their operations combine advanced technical capabilities with professional business practices, offering affiliates up to 80% of ransom payments while providing comprehensive attack infrastructure and support services.
Introduction to DragonForce Ransomware
DragonForce first appeared in December 2023 with the launch of their “DragonLeaks” dark web portal, quickly establishing themselves as a formidable player in the ransomware ecosystem.
The group’s origins trace back to possible connections with DragonForce Malaysia, a hacktivist collective, though the current operation has evolved into a purely profit-driven enterprise.
By 2025, DragonForce has matured into a sophisticated RaaS platform that attracts both displaced affiliates from dismantled ransomware operations and freelance threat actors seeking robust infrastructure.
The organization operates two distinct ransomware variants based on leaked source code from established families. Their initial variant utilized the leaked LockBit 3.0 (Black) builder, allowing them to rapidly deploy effective ransomware without developing complex encryption mechanisms from scratch.
In July 2024, DragonForce introduced a second variant based on the Conti V3 codebase, providing affiliates with enhanced customization capabilities. This dual-variant approach demonstrates the group’s technical sophistication and commitment to providing affiliates with diverse attack options.
The group’s business model reflects modern cybercrime trends, offering a comprehensive platform that includes attack management tools, automated features, and customizable builders.
Affiliates can tailor ransomware samples by disabling targeted security features, configuring encryption parameters, and personalizing ransom notes.
In early 2025, DragonForce expanded its offerings by introducing a white-label ransomware service, enabling affiliates to rebrand payloads under alternative names for additional fees.
Attack Vectors and Initial Access Techniques
DragonForce employs multiple sophisticated vectors to achieve initial access to target networks, demonstrating the group’s understanding of diverse organizational vulnerabilities.
Phishing campaigns remain a primary attack vector, with operators crafting convincing spear-phishing emails containing malicious attachments or links that deploy ransomware payloads when executed by unsuspecting users.
These campaigns often target specific individuals within organizations using social engineering techniques to increase success rates.
Exploitation of known vulnerabilities represents another critical attack vector, with DragonForce operators actively targeting unpatched systems.
The group has specifically been associated with exploiting several high-impact vulnerabilities, including CVE-2021-44228 (Log4Shell), CVE-2023-46805 (Ivanti Connect Secure Authentication Bypass), CVE-2024-21412 (Microsoft Windows SmartScreen Bypass), CVE-2024-21887 (Ivanti Connect Secure Command Injection), and CVE-2024-21893 (Ivanti Connect Secure Path Traversal).
DragonForce affiliates systematically target organizations with poorly secured remote access infrastructure, leveraging stolen or weak credentials to establish a persistent network presence.
The group also exploits trusted relationships, as demonstrated in a recent incident where attackers gained access through remote management software installed by a previous hosting company that was never properly removed.
In some cases, DragonForce operators have gained initial access by exploiting compromised managed service provider (MSP) relationships, allowing them to move laterally across multiple client environments through trusted connections.
This technique amplifies the impact of individual breaches by providing access to numerous organizations through a single compromise point.
Remote Desktop Protocol (RDP) and VPN attacks constitute significant initial access methods, with operators conducting credential stuffing attacks and brute-force operations against exposed services.
Tactics, Techniques, and Procedures (TTPs)
DragonForce’s operational methodology follows the MITRE ATT&CK framework across multiple tactics, demonstrating a sophisticated understanding of enterprise network compromise techniques.
| Initial Access | T1190 | Exploit Public-Facing Application | Exploits CVE-2021-44228 (Log4Shell), CVE-2023-46805, CVE-2024-21412, CVE-2024-21887, CVE-2024-21893 | High | Medium |
| Initial Access | T1078 | Valid Accounts | Uses stolen/weak RDP and VPN credentials, brute force attacks on remote access services | High | Low |
| Initial Access | T1566.001 | Spearphishing Attachment | Deploys ransomware through malicious email attachments targeting specific individuals | High | Medium |
| Initial Access | T1566.003 | Spearphishing via Service | Conducts vishing (voice phishing) campaigns alongside email phishing | Medium | High |
| Initial Access | T1199 | Trusted Relationship | Exploits compromised MSP relationships and previous hosting company access | Medium | High |
| Execution | T1204.002 | Malicious File | Social engineering users to execute ransomware payloads, moves files to System32 | High | Low |
| Execution | T1059.001 | PowerShell | Uses PowerShell for command execution, payload deployment, and system reconnaissance | High | Medium |
| Execution | T1053.005 | Scheduled Task/Job | Creates scheduled tasks for persistence and automated execution | Medium | Low |
| Persistence | T1574.011 | Services File Permissions Weakness | Installs AnyDesk remote access tool for persistent backdoor access | High | Medium |
| Persistence | T1053.005 | Scheduled Task/Job | Establishes scheduled tasks to maintain persistence across reboots | Medium | Low |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | Modifies registry Run keys to ensure malware execution at startup | Medium | Low |
| Privilege Escalation | T1134 | Access Token Manipulation | Duplicates SYSTEM-level access tokens using DuplicateTokenEx() API | High | High |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Leverages known vulnerabilities for escalation to administrator privileges | Medium | Medium |
| Defense Evasion | T1027 | Obfuscated Files or Information | Embeds Chinese text signatures, uses code obfuscation techniques | High | High |
Indicators of Compromise (IoCs)
Security teams should monitor for specific indicators associated with DragonForce campaigns to enable early detection and response.
Network indicators include command and control server IP addresses: 2[.]147[.]68[.]96, 185[.]59[.]221[.]75, and 69[.]4[.]234[.]20. Notably, early campaign infrastructure was identified in Iran, suggesting international collaboration or infrastructure rental.
| IoC Type | Indicator | Description | Threat Level | Detection Method |
|---|---|---|---|---|
| IP Address (C&C) | 2.147.68.96 | Command and Control server | High | Network monitoring, firewall logs |
| IP Address (C&C) | 185.59.221.75 | Command and Control server | High | Network monitoring, firewall logs |
| IP Address (C&C) | 69.4.234.20 | Command and Control server | High | Network monitoring, firewall logs |
| File Hash (SHA256) | b9bba02d18bacc4bc8d9e4f70657d381568075590cc9d0e7590327d854224b32 | DragonForce ransomware executable hash | Critical | File integrity monitoring, antivirus |
| File Hash (SHA256) | ba1be94550898eedb10eb73cb5383a2d1050e96ec4df8e0bf680d3e76a9e2429 | DragonForce payload hash | Critical | File integrity monitoring, antivirus |
| File Hash (SHA256) | d626eb0565fac677fdc13fb0555967dc31e600c74fbbd110b744f8e3a59dd3f9 | DragonForce variant hash | Critical | File integrity monitoring, antivirus |
| File Path | C:\Users\Public\Documents\Winupdate.exe | Exfiltration tool location | High | File system monitoring, EDR |
| File Path | C:\Windows\System32\Winupdate.exe | Alternative exfiltration tool path | High | File system monitoring, EDR |
| File Path | C:\Users\Public\log.log | System information log file | Medium | File system monitoring |
| File Path | C:\Windows\System32\ | Common payload deployment directory | Medium | Directory monitoring |
| Filename | Winupdate.exe | Data exfiltration utility (GoLang) | High | Process monitoring, EDR |
| Filename | FileSeek.exe | File discovery reconnaissance tool | Medium | Process monitoring |
| Filename | README.txt | Ransom note filename | Low | File system monitoring |
| Filename | SystemBC | SOCKS5 backdoor for persistence | High | Network monitoring, process monitoring |
| File Extension | .dragonforce_encrypted | Encrypted file extension | Medium | File system monitoring |
| Domain (.onion) | z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion | DragonLeaks leak site | High | Network monitoring, DNS logs |
| Domain (.onion) | 3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion | Alternative leak site domain | High | Network monitoring, DNS logs |
The Marks & Spencer incident in April 2025 caused estimated losses of £300 million and months-long operational disruption, with attackers sending direct emails to the CEO demanding ransom payments.
These cases illustrate DragonForce’s capability to target both government infrastructure and private sector organizations with devastating effectiveness, emphasizing the critical need for comprehensive cybersecurity measures and incident response planning.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
