DragonForce is a sophisticated Ransomware-as-a-Service (RaaS) operation that emerged from a former Malaysian hacktivist group. Since 2023, it has evolved into a major cybercrime cartel with a global affiliate network. Combining ideological roots with profit-driven ransomware attacks, it now supports hybrid operations across sectors and geographies. Its flexible infrastructure, white-label ransomware builder, and aggressive affiliate recruitment have made it a significant threat globally.
Severity Level: High
THREAT OVERVIEW:
- DragonForce leverages a dual-strain ransomware model—initially derived from LockBit 3.0 and later enhanced with code from Conti v3. These strains support strong encryption protocols (AES, ChaCha, RSA) and are delivered via a custom-built affiliate platform.
- The ransomware is frequently paired with credential dumpers (Mimikatz, LaZagne), persistence tools (Cobalt Strike), and network mapping utilities.
Attack Flow
- Initial Reconnaissance: DragonForce-affiliated operators begin by scanning for vulnerable targets—either opportunistically through internet-wide scans or selectively based on ideological motives. They assess open ports, exposed credentials, and unpatched systems to prioritize targets.
- Initial Access: Entry is typically achieved through spear-phishing emails that deliver malware loaders or by exploiting unpatched vulnerabilities in internet-facing services such as VPNs and web applications. Credentials may also be obtained from previous breaches or dark web marketplaces.
- Establishing Persistence: Upon access, attackers deploy tools like SystemBC and Cobalt Strike to establish command-and-control channels. They often create local admin accounts or schedule malicious tasks that grant persistent access even after reboots.
- Privilege Escalation: The attackers escalate privileges through credential dumping using Mimikatz or LaZagne. In some cases, Bring Your Own Vulnerable Driver (BYOVD) techniques are used to disable endpoint security and elevate access.
- Lateral Movement: With admin-level access, attackers use PsExec, WMI, and RDP to pivot through the network. They identify high-value systems such as file servers, domain controllers, and backup repositories. These are earmarked for data theft or destruction.
- Data Collection and Exfiltration: Before deploying the ransomware, DragonForce actors prioritize exfiltrating sensitive data. This includes business documents, financial records, and email archives, which are then uploaded to attacker-controlled cloud services or hidden servers.
- Pre-Encryption Preparation: Security defenses such as EDR agents, antivirus software, and logging services are disabled or bypassed. Backups are located and either deleted or encrypted to prevent recovery.
- Ransomware Deployment: The ransomware is executed simultaneously across multiple endpoints using administrative tools or GPO scripts. Victims immediately lose access to files, which are encrypted and renamed with a “.df” extension.
- Victim Notification and Negotiation: Victims receive ransom notes named README.txt or [random].README.txt, directing them to a Tor-based negotiation site.
- Extortion Outcome: If the victim pays, they may receive a decryptor. If not, their exfiltrated data is leaked via the group’s dark web leak portals. In some cases, the data is promoted on social media platforms to amplify reputational damage.
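As an added, defender-side illustration (not code from the advisory or its sources), the following Python routine applies two artefacts named in the deployment steps above, the ".df" extension on encrypted files and the README.txt / [random].README.txt note names, to constructed file-event records. The event shape, the rename threshold and the time window are assumptions for the example.

```python
import re
from collections import defaultdict, deque

# Artefacts taken from the advisory: encrypted files are renamed with a ".df"
# extension and ransom notes are named README.txt or [random].README.txt.
ENCRYPTED_EXT = ".df"
RANSOM_NOTE_RE = re.compile(r"^(?:[^\\/]+\.)?README\.txt$", re.IGNORECASE)

# Assumed tuning values, not from the advisory: alert when one host renames
# this many files to ".df" inside the window.
RENAME_THRESHOLD = 5
WINDOW_SECONDS = 60


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def triage(events):
    """events: iterable of (epoch_seconds, host, action, path).

    Returns {host: [reason, ...]} for hosts showing encryption-stage artefacts."""
    hits = defaultdict(list)
    recent = defaultdict(deque)  # host -> timestamps of recent ".df" renames
    for ts, host, action, path in sorted(events):
        name = basename(path)
        if action == "create" and RANSOM_NOTE_RE.match(name):
            hits[host].append(f"ransom note dropped: {path}")
        if action == "rename" and name.lower().endswith(ENCRYPTED_EXT):
            window = recent[host]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) == RENAME_THRESHOLD:  # fire once per burst
                hits[host].append(
                    f"{RENAME_THRESHOLD} '.df' renames within {WINDOW_SECONDS}s")
    return dict(hits)


# Constructed sample events (not real telemetry): WS07 shows benign activity,
# FS01 shows a rename burst followed by a ransom note.
SAMPLE_EVENTS = [
    (1000, "WS07", "create", r"C:\src\project\README.md"),
    (1001, "WS07", "rename", r"C:\tmp\notes.df"),
    (1100, "FS01", "rename", r"D:\Finance\Q1-report.xlsx.df"),
    (1105, "FS01", "rename", r"D:\Finance\payroll.csv.df"),
    (1110, "FS01", "rename", r"D:\HR\contracts.docx.df"),
    (1115, "FS01", "rename", r"D:\HR\reviews.pdf.df"),
    (1120, "FS01", "rename", r"D:\Shared\board-minutes.docx.df"),
    (1130, "FS01", "create", r"D:\Shared\x7Kq.README.txt"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```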
Campaign Scale and Geography
- DragonForce campaigns span multiple continents, with a concentration of attacks in the United States (52%), the United Kingdom (12%), Australia (6%), and various nations across Asia and the Middle East. The group has claimed over 80 victims in 12 months, demonstrating consistent monthly attack cadence and escalating geographical reach.
- DragonForce affiliates conduct highly disruptive ransomware operations across key sectors, including manufacturing, retail, healthcare, government, and transportation. In notable incidents, they have paralyzed large-scale operations, such as Marks & Spencer (retail disruption), Oahu Transit Services (public transportation), and the Government of Palau (governmental outages).
HOW THE BREACH HAPPENED:
- Initial Access (February 2025): The breach began in early February 2025 when a nation-state threat actor gained initial access to Commvault’s Microsoft Azure environment. Microsoft notified Commvault of suspicious activity on February 20. The attackers exploited misconfigured cloud applications and obtained access to application credentials (client secrets) stored by Commvault for M365 integration, allowing them to impersonate legitimate service principals.
- Exploitation of Vulnerability (CVE-2025-3928): The attackers used valid credentials to exploit CVE-2025-3928, a zero-day vulnerability in the Commvault Web Server. This flaw allowed a remote authenticated attacker to upload and execute webshells, gaining persistence and expanding their access within Commvault’s infrastructure. The vulnerability existed in multiple versions of Commvault’s software and was not known publicly at the time of the breach.
- Lateral Movement into Customer M365 Environments: Using compromised app secrets and M365 OAuth tokens, the threat actor accessed customers’ M365 tenants via Commvault-managed service principals. They potentially escalated access using default permissions, overly privileged service principals, or misconfigured application scopes. This lateral movement allowed visibility and control over downstream customer environments.
- Cloud Misconfigurations & Identity Exploitation: The attack campaign also took advantage of cloud identity misconfigurations, such as excessive privileges granted to service principals and absence of Conditional Access policies. Commvault-managed M365 applications with unrotated secrets and insufficient IP filtering gave the attackers a stealthy path to move laterally without triggering immediate alerts.
- Persistence & Monitoring Evasion: The attackers were able to remain undetected for a period by operating through legitimate service credentials and staying within trusted IP ranges. No ransomware or destructive actions were deployed. However, they maintained a low-profile presence, focusing on stealthy access and exfiltration of identity data and secrets from impacted SaaS-linked resources.
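The two misconfigurations the breach narrative above relies on, unrotated application secrets and service-principal sign-ins without source-IP restrictions, can be checked with a short review script. The Python below is an added example, not Commvault's or Microsoft's code; the record shapes, the trusted egress range, the 90-day rotation limit and the application name are all constructed for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the advisory): the egress range the backup
# vendor's service principal is expected to sign in from, and the maximum age
# of a client secret before it must be rotated.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_SECRET_AGE = timedelta(days=90)
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed sample records, loosely shaped like app-credential metadata and
# service-principal sign-in events. None of this is real tenant data.
APP_CREDENTIALS = [
    {"app": "backup-m365-connector", "keyId": "cred-a", "created": "2024-01-15T00:00:00+00:00"},
    {"app": "backup-m365-connector", "keyId": "cred-b", "created": "2025-02-10T00:00:00+00:00"},
]
SIGNINS = [
    {"app": "backup-m365-connector", "ip": "203.0.113.10", "time": "2025-02-19T10:00:00+00:00"},
    {"app": "backup-m365-connector", "ip": "198.51.100.7", "time": "2025-02-19T11:30:00+00:00"},
]


def stale_credentials(creds, now=NOW, max_age=MAX_SECRET_AGE):
    """Return keyIds of client secrets older than the rotation limit."""
    return [c["keyId"] for c in creds
            if now - datetime.fromisoformat(c["created"]) > max_age]


def untrusted_signins(signins, trusted=TRUSTED_NETS):
    """Return sign-in records whose source IP lies outside every trusted network."""
    flagged = []
    for s in signins:
        ip = ipaddress.ip_address(s["ip"])
        if not any(ip in net for net in trusted):
            flagged.append(s)
    return flagged


def review(creds=APP_CREDENTIALS, signins=SIGNINS):
    """Summarise both findings for the service principal under review."""
    return {
        "stale_secrets": stale_credentials(creds),
        "untrusted_signin_ips": [s["ip"] for s in untrusted_signins(signins)],
    }


if __name__ == "__main__":
    print(review())
```

The narrative notes that the actor stayed within trusted IP ranges, so the sign-in check alone would not have surfaced that activity; the secret-age check is the control that limits how long a stolen client secret stays usable.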
MITRE ATT&CK
| TACTIC | TECHNIQUE | ID | DETAILS |
| --- | --- | --- | --- |
| Reconnaissance | Valid Accounts | T1078 | DragonForce ransomware actors gain unauthorised access and blend in with legitimate user activity. |
| Initial Access | Phishing | T1566 | DragonForce ransomware actors send deceptive messages to trick users into disclosing sensitive information or executing harmful actions. |
| Initial Access | External Remote Services | T1133 | The threat actor exploits vulnerabilities in external remote services, such as VPNs, to gain unauthorised access to a network. |
| Execution | User Execution | T1204.002 | The DragonForce ransomware tricks users into opening malicious files to execute harmful code. |
| Execution | Command-Line Interface: PowerShell | T1059.001 | The threat actor uses various command-line parameters for configuration and control. |
| Persistence | Valid Accounts: Domain Accounts | T1078.002 | DragonForce ransomware gains unauthorised access and moves laterally within networks. |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | T1547.001 | Programs are added to startup folders or registry run keys to achieve persistence. |
| Persistence | Create or Modify System Process: Windows Service | T1543.003 | DragonForce ransomware creates or modifies Windows services to maintain persistence on compromised systems. |
| Defence Evasion | Impair Defences: Disable or Modify Tools | T1562.001 | DragonForce disables or modifies security tools to evade detection. |
| Defence Evasion | Scheduled Task/Job: Scheduled Task | T1053.005 | DragonForce abuses the Windows Task Scheduler to schedule tasks that execute malicious code. |
| Defence Evasion | Indicator Removal: Clear Windows Event Logs | T1070.001 | The threat actor clears Windows Event Logs to hide their activities. |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | The threat actor dumps LSASS memory to steal credential information. |
| Discovery | File and Directory Discovery | T1083 | The threat actor enumerates logical drives and checks their types, discovering information about the computer's drives and directories. |
| Discovery | Domain Trust Discovery | T1482 | The threat actor employs tools to gather information on Active Directory domain trusts. |
| Discovery | Remote System Discovery | T1018 | The threat actor discovers remote systems on a network to facilitate lateral movement. |
| Discovery | System Network Configuration Discovery | T1016 | The threat actor gathers information about network configurations and settings. |
| Discovery | System Information Discovery | T1082 | The threat actor gathers detailed system information to understand the environment and plan further attacks. |
| Discovery | Network Service Discovery | T1046 | The threat actor discovers services running on remote hosts and network devices, often using port and vulnerability scans. |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | The threat actor leverages Remote Desktop Protocol (RDP) to access and control remote systems. |
| Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | The threat actor uses valid accounts to interact with remote network shares via SMB (Server Message Block) to move laterally within a network. |
| Collection | Data from Local System | T1005 | While not explicitly mentioned, the ransomware collects information about files, directories, and drive types on the local system to decide what to encrypt. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | The threat actor communicates with command-and-control servers through web protocols to blend in with normal traffic. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | While not explicitly mentioned, the ransomware may communicate with a command-and-control (C2) server as part of the extortion process. |
| Impact | Data Encrypted for Impact | T1486 | The threat actor encrypts files using ChaCha8 encryption and the CryptGenRandom() function to generate keys and initialisation vectors (IVs) for each file. |
| Impact | Inhibit System Recovery | T1490 | The threat actor deletes or disables system recovery features to prevent recovery of a corrupted system. |
Recommendations:
- Segment networks to restrict lateral movement.
- Disable remote services like RDP unless necessary.
- Prioritize CVEs with public exploits.
- Patch VPNs, web apps, and remote services.
- Enforce phishing-resistant MFA (FIDO2/U2F).
- Conduct regular phishing simulations and user training.
- Monitor dark web for leaked credentials.
- Use password managers to enforce complex passwords.
- Keep encrypted offline backups tested for restoration.
- Simulate ransomware tabletop exercises for exec teams.
- Block the IOCs at their respective controls. Indicator collection: https://www.virustotal.com/gui/collection/3d8427e3686060df39bb85bbdc200eb6a8116be1c52e7c514b2f74740c96aba5
Source:
- https://news.sophos.com/en-us/2025/05/21/dragonforce-targets-rivals-in-a-play-for-dominance/
- https://www.quorumcyber.com/insights/understanding-the-dragonforce-cartel-the-cybercriminals-targeting-retailers-with-ransomware/
- https://www.quorumcyber.com/wp-content/uploads/2025/05/QC-DragonForce-Ransomware-Report.pdf