MalwareRansomwareUsed by 1 actor

Dragon Force

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Scattered Spider

A cybercriminal known as Octo Tempest used Dragon Force, RansomHub and Qilin ransomware strains throughout the year...

via the record mediatherecord.media

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Impact

2 techniques

T1486Data Encrypted for ImpactEvidence1

Some ransomware operators do not allow targeting (encrypting and exfiltrating data) of non-profit organizations, healthcare, and government entities...

T1491.001Internal DefacementEvidence1

On March 18, 2025, Dragon Force Ransomware Group announced that it was operating as the Dragon Force ransomware cartel, and 24 hours later, it was observed conducting DDoS attacks and defacements against competitors’ extortion websites, such as BlackLock Blog and Mamona Blog.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

recorded future blogNews

Oct 23, 2025

Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals

Ransomware group/cartel discussed as engaging in rivalry, possible attacks on competitor infrastructure, and expansion under the DragonBay concept.

the record mediaNews

Oct 16, 2025

Microsoft warns of a 32% surge in identity hacks, mainly driven by stolen passwords

Ransomware strain used by affiliates in ransomware-as-a-service operations.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.