Malware · Used by 1 actor · Exploits 11 CVEs

DragonForce Ransomware

DragonForce ransomware is a ransomware family operated in a Ransomware-as-a-Service (RaaS) model and used to infiltrate victim networks, encrypt data, and demand ransom; reporting also describes associated data exfiltration and multi-extortion via a leak site (“RansomBay”). It has been reported as deployed by the cybercriminal group Scattered Spider (aka UNC3944/Octo Tempest/Storm-0875/Muddled Libra, among other aliases) in activity covered by a July 29, 2025 joint FBI/CISA/RCMP/ASD-ACSC/AFP/CCCS/NCSC-UK advisory, where Scattered Spider commonly uses sophisticated social engineering (helpdesk/IT impersonation, MFA fatigue/push bombing, SIM swapping) and legitimate remote access/tunneling tools to gain and maintain access before theft/extortion and potential encryption.

Separately, DragonForce is described in vendor reporting (e.g., SentinelOne; Acronis referenced) as having evolved from a LockBit 3.0/Black-style clone into a bespoke encryptor derived from the Conti v3 codebase, using AES and increasingly ChaCha8 for encryption. The operation is described as supporting multiple platforms (Windows, Linux, ESXi, and NAS-focused variants) and offering affiliate customization via a web panel (e.g., file extensions, execution delays, encryption scope/behavior). DragonForce has been reported targeting a wide range of sectors and geographies, including major UK retailers (e.g., Harrods, Marks & Spencer, Co-Op) and other organizations; one account of UK retail intrusions emphasizes initial access via vishing/helpdesk password resets, followed by privilege escalation, defense evasion (disabling EDR/AV), ransomware deployment across endpoints, and exfiltration causing significant operational disruption. Possible links to “The Com” collective are mentioned but described as unconfirmed/inconclusive in the cited reporting. No specific file hashes, domains, or other concrete IOCs for the ransomware binary itself are given in the cited reporting.


EXPLOITED CVES

Vulnerabilities exploited

11 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-1055: Improper Authorization in K7 Security K7RKScan.sys IOCTL Handler (Exploited in the wild)

Researchers said the attackers used a new tool called Havoc Process Terminator to exploit a Huawei audio driver, tracked as HWAudioOs2Ec.sys. They also exploited three documented driver vulnerabilities CVE-2023-52271 in Topaz Antifraud, CVE-2025-61155 in Tower of Fantasy, and CVE-2025-1055 in K7 Security Anti-Malware.

via hackread (hackread.com)
CVE-2023-52271: Arbitrary PPL Process Termination in Topaz Antifraud wsftprm.sys (Exploited in the wild)

Researchers said the attackers used a new tool called Havoc Process Terminator to exploit a Huawei audio driver, tracked as HWAudioOs2Ec.sys. They also exploited three documented driver vulnerabilities CVE-2023-52271 in Topaz Antifraud, CVE-2025-61155 in Tower of Fantasy, and CVE-2025-1055 in K7 Security Anti-Malware.

via hackread (hackread.com)
CVE-2025-61155: Arbitrary Process Termination in Tower of Fantasy GameDriverX64.sys (Exploited in the wild)

Researchers said the attackers used a new tool called Havoc Process Terminator to exploit a Huawei audio driver, tracked as HWAudioOs2Ec.sys. They also exploited three documented driver vulnerabilities CVE-2023-52271 in Topaz Antifraud, CVE-2025-61155 in Tower of Fantasy, and CVE-2025-1055 in K7 Security Anti-Malware.

via hackread (hackread.com)
CVE-2024-57726: SimpleHelp Missing Authorization Privilege Escalation (Exploited in the wild)

Sophos MDR investigators believe the attackers exploited a chain of three critical vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload vulnerability), and CVE-2024-57726 (privilege escalation vulnerability). ... CVE-2024-57726 enables low-privilege technicians to escalate to administrator roles with excessive permissions.

via Cyber Security News (cybersecuritynews.com)
CVE-2024-57727: Unauthenticated Path Traversal in SimpleHelp (Exploited in the wild)

Sophos MDR investigators believe the attackers exploited a chain of three critical vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload vulnerability), and CVE-2024-57726 (privilege escalation vulnerability). ... CVE-2024-57727 allows unauthenticated attackers to download arbitrary files from SimpleHelp hosts, including server configuration files containing secrets and hashed passwords. ... The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog, acknowledging active exploitation and requiring federal agencies to patch by March 6, 2025.

via Cyber Security News (cybersecuritynews.com)
CVE-2024-57728: SimpleHelp Zip Slip Arbitrary File Upload Leading to RCE (Exploited in the wild)

Sophos MDR investigators believe the attackers exploited a chain of three critical vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload vulnerability), and CVE-2024-57726 (privilege escalation vulnerability). ... CVE-2024-57728 permits authenticated administrators to upload malicious files anywhere on the system, potentially leading to remote code execution.

via Cyber Security News (cybersecuritynews.com)
CVE-2024-21887: Command Injection in Ivanti Connect Secure and Policy Secure Web Components (Exploited in the wild)

Known Exploited Vulnerabilities table lists: CVE-2024-21887 – Command Injection Vulnerability – Ivanti Connect Secure and Policy Secure – CVSS 9.1.

via Blackpoint Cyber (blackpointcyber.com)
CVE-2024-21412: Windows Internet Shortcut Files SmartScreen Security Feature Bypass (Exploited in the wild)

Known Exploited Vulnerabilities table lists: CVE-2024-21412 – Security Feature Bypass Vulnerability – Microsoft Windows Internet Shortcut Files – CVSS 8.1.

via Blackpoint Cyber (blackpointcyber.com)
CVE-2023-46805: Authentication Bypass in Ivanti Connect Secure and Policy Secure Web Component (Exploited in the wild)

Known Exploited Vulnerabilities table lists: CVE-2023-46805 – Authentication Bypass Vulnerability – Ivanti Connect Secure and Policy Secure – CVSS 8.5.

via Blackpoint Cyber (blackpointcyber.com)
CVE-2021-44228: Log4Shell (Exploited in the wild)

Known Exploited Vulnerabilities table lists: CVE-2021-44228 – RCE Vulnerability – Apache Log4j Java Library – CVSS 10.

via Blackpoint Cyber (blackpointcyber.com)
CVE-2024-21893: SSRF in Ivanti Connect Secure/Policy Secure SAML Component (Exploited in the wild)

Known Exploited Vulnerabilities table lists: CVE-2024-21893 – Server-Side Request Forgery (SSRF) Vulnerability – Ivanti Connect Secure, Policy Secure, and Neurons – CVSS 9.1.

via Blackpoint Cyber (blackpointcyber.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Scattered Spider

Update July 29, 2025: Malware: DragonForce Ransomware; Use: Infiltrates networks, encrypts data, and demands ransom.

via CISA advisories (cisa.gov)
MITRE ATT&CK

Techniques & procedures

36 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance (1 technique)

T1598 Phishing for Information (Evidence: 1)

The Scattered Spider case provides a practical example of the evolution of the cartel model. In multiple high-profile incidents ... intrusion activity attributed to Scattered Spider, characterized by advanced social engineering, helpdesk impersonation, and credential compromise, was followed by the deployment of DragonForce ransomware.

Initial Access (4 techniques)

T1078 Valid Accounts (Evidence: 1)

“Valid accounts, exploitation of external remote services, drive-by compromise, vulnerability exploitation, social engineering (MITRE ATT&CK: T1078, T1133, T1189, T1190, T1566)” and “gain persistence… by abusing valid accounts”

T1133 External Remote Services (Evidence: 1)

“gained initial access via public-facing remote desktop servers…” and “External Remote Services (MITRE ATT&CK: T1133)”

T1189 Drive-by Compromise (Evidence: 1)

“drive-by compromise… (MITRE ATT&CK… T1189)”

T1566.004 Spearphishing Voice (Evidence: 2)

DragonForce’s partnership with such actors is likely driven by Scattered Spider’s known strong capabilities in vishing and social engineering, which enable reliable initial access into targeted organizations, complementing DragonForce’s focus on the downstream stages of the attack lifecycle.

Execution (6 techniques)

T1053.005 Scheduled Task (Evidence: 1)

“Scheduled tasks… (MITRE ATT&CK: T1053…)” and “gain persistence… creating… scheduled tasks”

T1059.001 PowerShell (Evidence: 1)

“powershell.exe -windowstyle hidden -Command & ‘path_to_executable_file’” and “T1059… .001: PowerShell”

T1059.003 Windows Command Shell (Evidence: 1)

“cmd.exe /c … WMIC.exe shadowcopy … delete” and “T1059… .003: Windows Command Shell”

T1072 Software Deployment Tools (Evidence: 1)

Sophos MDR was first alerted when suspicious SimpleHelp installer files were detected being pushed through the legitimate RMM platform.

T1203 Exploitation for Client Execution (Evidence: 1)

CVE-2024-57728 permits authenticated administrators to upload malicious files anywhere on the system, potentially leading to remote code execution.

T1204.002 Malicious File (Evidence: 1)

MITRE ATT&CK® Techniques ... Execution T1204.002 (User Execution) Malicious file.

Persistence (4 techniques)

T1053.005 Scheduled Task (Evidence: 1)

“Scheduled tasks… (MITRE ATT&CK: T1053…)” and “gain persistence… creating… scheduled tasks”

T1078 Valid Accounts (Evidence: 1)

“Valid accounts, exploitation of external remote services, drive-by compromise, vulnerability exploitation, social engineering (MITRE ATT&CK: T1078, T1133, T1189, T1190, T1566)” and “gain persistence… by abusing valid accounts”

T1133 External Remote Services (Evidence: 1)

“gained initial access via public-facing remote desktop servers…” and “External Remote Services (MITRE ATT&CK: T1133)”

T1543.003 Windows Service (Evidence: 1)

“creating new system processes” and “T1543… .003: Windows Service”

Privilege Escalation (5 techniques)

T1053.005 Scheduled Task (Evidence: 1)

“Scheduled tasks… (MITRE ATT&CK: T1053…)” and “gain persistence… creating… scheduled tasks”

T1068 Exploitation for Privilege Escalation (Evidence: 1)

Sophos MDR investigators believe the attackers exploited a chain of three critical vulnerabilities disclosed in January 2025: CVE-2024-57727 (multiple path traversal vulnerabilities), CVE-2024-57728 (arbitrary file upload vulnerability), and CVE-2024-57726 (privilege escalation vulnerability).

T1078 Valid Accounts (Evidence: 1)

“Valid accounts, exploitation of external remote services, drive-by compromise, vulnerability exploitation, social engineering (MITRE ATT&CK: T1078, T1133, T1189, T1190, T1566)” and “gain persistence… by abusing valid accounts”

T1134 Access Token Manipulation (Evidence: 1)

“Privilege Escalation… DuplicateTokenEx(); CreateProcessWithTokenW()” and “T1134: Access Token Manipulation”

T1543.003 Windows Service (Evidence: 1)

“creating new system processes” and “T1543… .003: Windows Service”

Stealth (7 techniques)

T1006 Direct Volume Access (Evidence: 1)

CVE-2024-57727 allows unauthenticated attackers to download arbitrary files from SimpleHelp hosts, including server configuration files containing secrets and hashed passwords.

T1027.002 Software Packing (Evidence: 1)

“ADVobfuscator… obfuscate code and data” and “T1027… .002: Software Packing”

T1070.001 Clear Windows Event Logs (Evidence: 1)

“T1070… .001: Clear Windows Event Logs”

T1070.004 File Deletion (Evidence: 2)

Defense evasion techniques include termination of security processes, deletion of backups and shadow copies, and execution in background or detached modes to reduce visibility.

T1078 Valid Accounts (Evidence: 1)

“Valid accounts, exploitation of external remote services, drive-by compromise, vulnerability exploitation, social engineering (MITRE ATT&CK: T1078, T1133, T1189, T1190, T1566)” and “gain persistence… by abusing valid accounts”

T1134 Access Token Manipulation (Evidence: 1)

“Privilege Escalation… DuplicateTokenEx(); CreateProcessWithTokenW()” and “T1134: Access Token Manipulation”

T1564.003 Hidden Window (Evidence: 1)

“powershell.exe -windowstyle hidden -Command …” and “T1564… .003: Hidden Window”

Discovery (4 techniques)

T1046 Network Service Discovery (Evidence: 1)

The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections

T1082 System Information Discovery (Evidence: 2)

The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration

T1083 File and Directory Discovery (Evidence: 1)

MITRE ATT&CK® Techniques ... Discovery T1083 (File and Directory Discovery) Ransomware enumerates folders for file encryption and file deletion.

T1087 Account Discovery (Evidence: 1)

The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections

Lateral Movement (3 techniques)

T1021 Remote Services (Evidence: 2)

The attack represents a significant supply chain compromise, where hackers gained access to an MSP’s SimpleHelp RMM platform and used it as a launching pad to target the provider’s downstream customers.

T1072 Software Deployment Tools (Evidence: 1)

Sophos MDR was first alerted when suspicious SimpleHelp installer files were detected being pushed through the legitimate RMM platform.

T1570 Lateral Tool Transfer (Evidence: 1)

Following access acquisition, affiliates leverage credential abuse techniques, likely including NTLM and Kerberos-based mechanisms to perform privilege escalation and lateral movement within Active Directory environments, enabling efficient propagation across enterprise networks.

Command and Control (1 technique)

T1071 Application Layer Protocol (Evidence: 2)

Attackers were observed deploying DragonForce ransomware against a major U.S. services firm, hiding command-and-control (C2) traffic inside Microsoft Teams’ own relay infrastructure using a new custom Go-based backdoor called Backdoor.Turn.

Exfiltration (3 techniques)

T1041 Exfiltration Over C2 Channel (Evidence: 1)

After completing reconnaissance and evading defense, the attacker exfiltrated all data, deployed DragonForce ransomware, and encrypted the victim’s systems.

T1537 Transfer Data to Cloud Account (Evidence: 1)

the attackers stole confidential files and encrypted systems using DragonForce ransomware.

T1567 Exfiltration Over Web Service (Evidence: 1)

The group operates a structured and scalable affiliate model, combining encryption with data exfiltration and publication on a dedicated data leak site (DLS).

Impact (5 techniques)

T1486 Data Encrypted for Impact (Evidence: 9)

the attackers stole confidential files and encrypted systems using DragonForce ransomware.

T1489 Service Stop (Evidence: 1)

“kills running processes” and “T1489: Service Stop”

T1490 Inhibit System Recovery (Evidence: 2)

Defense evasion techniques include termination of security processes, deletion of backups and shadow copies, and execution in background or detached modes to reduce visibility.

T1491.001 Internal Defacement (Evidence: 1)

Windows argument “-wall Changes system Wallpaper…” and “T1491… .001: Internal Defacement”

T1657 Financial Theft (Evidence: 1)

“T1657: Financial Theft” and the broader extortion/ransom model described

Other (2 techniques)

T1562 Impair Defenses (Evidence: 1)

Defense evasion techniques include termination of security processes, deletion of backups and shadow copies, and execution in background or detached modes to reduce visibility.

T1562.001 Disable or Modify Tools (Evidence: 1)

MITRE ATT&CK® Techniques ... Defense Evasion T1562.001 (Impair Defenses: Disable or Modify Tools) Ransomware disables Windows Defender.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

