DragonForce
DragonForce is a ransomware group active since December 2023. It operates under a ransomware-as-a-service (RaaS) model and publicly presents itself as a cartel. Reporting cited here states that its ransomware was built from the leaked LockBit 3.0 (LockBit Black) and Conti source code and ships in Windows and Linux variants, the Linux build supporting ESXi, NAS, and RHEL environments. The group runs a service called RansomBay (also written Ransombay) for affiliate payload generation and configuration, and has used dark web forums including BreachForums, RAMP, and Exploit to leak stolen data, promote its operation, and recruit affiliates, initial access brokers, and pentesters. One report states that affiliates were offered 80% of ransom payments.

The reporting describes DragonForce as targeting organizations heavily in the United States: several sources note a strong US victim bias among top-tier RaaS groups, and one describes a specific intrusion against a major U.S. services firm. AhnLab reported 54 DragonForce incidents in May 2026, and S2W reported 363 victim organizations listed on its leak site between December 2023 and January 2026.

Observed intrusion tradecraft includes initial access through exposed remote desktop servers using valid domain accounts; in another case the initial access was assessed as either exploitation of an unidentified SQL or MSSQL server vulnerability or access purchased from an initial access broker. Post-compromise activity included PowerShell, Cobalt Strike Beacon, SystemBC, Mimikatz, ADFind, netscanold.exe, RDP-based lateral movement, DLL sideloading, persistence establishment, creation of fake accounts, changes to Windows security and firewall settings, reconnaissance, credential theft, and data exfiltration.

DragonForce has repeatedly been associated with bring-your-own-vulnerable-driver (BYOVD) techniques to disable security tools and terminate processes, and analyzed builds of the ransomware itself retained BYOVD-based process termination enabled by default. Reporting also links DragonForce and its affiliates to ThrottleBlood, an EDR-killing tool that abuses the ThrottleBlood.sys driver. In the U.S. services firm intrusion, researchers observed abuse of vulnerable signed drivers from Huawei, Topaz Antifraud, Tower of Fantasy, and K7 Security, as well as the ABYSSWORKER malicious driver masquerading as a Palo Alto Networks product.

A notable capability attributed directly to DragonForce operators is Backdoor.Turn, a custom Go-based backdoor that disguises command-and-control as legitimate Microsoft Teams traffic. Researchers reported that it obtains an anonymous Teams visitor token, uses Microsoft's TURN relay infrastructure, and then establishes QUIC communications through that relay to the real attacker-controlled server, so the traffic looks like normal Teams activity. The backdoor was assessed as the first known real-world use of this covert tunneling approach and was described as capable of command execution, process launching, network scanning, LDAP/Active Directory querying, TLS certificate collection, browser credential theft, and persistence for future re-entry.

The reporting also describes DragonForce's relationships within the ransomware ecosystem. It has been linked to BlackLock, RansomHub, Scattered Spider, DEVMAN, LockBit, and Qilin. S2W reported that RansomHub was taken over by DragonForce and shut down completely, while other reporting says DragonForce claimed a partnership under which RansomHub infrastructure was transferred. DragonForce also reportedly sought public cooperation with Qilin and LockBit, and announced a RaaS partnership with BreachForums. The reporting cited here uses only the name DragonForce; no other alias is recorded.
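The BYOVD tradecraft above is detectable at the driver-load boundary before the EDR is killed. The following is an added example, not code from this page or from any of the vendor reports it summarizes: a small triage filter over Sysmon Event ID 6 (DriverLoad) records. Only the driver file names (ThrottleBlood.sys, HWAudioOs2Ec.sys) and the vendor names (Huawei, Topaz, Tower of Fantasy, K7) come from the reporting; the user-writable-path heuristic, the signer-string matching, and every sample record are constructed for illustration and are not indicators.

```python
"""
Added example, not code from the page or from any vendor report it summarizes:
a triage filter that flags BYOVD-style driver loads in Sysmon Event ID 6
(DriverLoad) records.

Grounded in the page: the driver names ThrottleBlood.sys and HWAudioOs2Ec.sys
and the vendors Huawei, Topaz, Tower of Fantasy and K7.
Assumptions: the path heuristic, the signer-string matching and every sample
record below are constructed for illustration and are not IOCs.
"""
import ntpath
import re

# Driver file names named in the reporting summarized on this page.
KNOWN_ABUSED_DRIVERS = {"throttleblood.sys", "hwaudioos2ec.sys"}

# Vendors whose signed-but-vulnerable drivers the reporting names. Matched as a
# substring of the Sysmon "Signature" (signer) field; assumption, tune per fleet.
SUSPECT_SIGNERS = ("huawei", "topaz", "tower of fantasy", "k7")

# Kernel drivers normally load from %SystemRoot%\System32\drivers; a load from a
# user-writable location is the classic BYOVD tell. Heuristic, not from the page.
USER_WRITABLE_PATH = re.compile(
    r"^c:\\(users|programdata|windows\\temp|temp)\\", re.IGNORECASE
)


def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons a Sysmon EID 6 record looks like BYOVD abuse (empty if none).

    Expected keys mirror Sysmon's DriverLoad fields: ImageLoaded, Signature,
    SignatureStatus. The Hashes field is not used here.
    """
    reasons = []
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()

    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abused driver name: {name}")
    if USER_WRITABLE_PATH.match(image):
        reasons.append(f"driver loaded from user-writable path: {image}")

    status = event.get("SignatureStatus", "").lower()
    signer = event.get("Signature", "").lower()
    if status != "valid":
        # BYOVD drivers are usually validly signed; an invalid or missing
        # signature is a different, louder problem but still worth surfacing.
        reasons.append(f"driver signature status is {status or 'missing'}")
    elif any(vendor in signer for vendor in SUSPECT_SIGNERS):
        reasons.append(
            f"valid signature from vendor with known-vulnerable drivers: {event.get('Signature')}"
        )
    return reasons


def triage(events: list[dict]) -> list[tuple[dict, list[str]]]:
    """Return (event, reasons) pairs for every record with at least one reason."""
    hits = []
    for ev in events:
        reasons = assess_driver_load(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample records; the paths and signer strings are invented for the demo.
SAMPLE_EVENTS = [
    {   # benign baseline: Microsoft-signed driver from the normal location
        "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {   # EDR-killer driver dropped into a user-writable directory
        "ImageLoaded": r"C:\Users\Public\ThrottleBlood.sys",
        "Signature": "Example Signer Ltd",   # constructed signer name
        "SignatureStatus": "Valid",
    },
    {   # vulnerable vendor driver staged under ProgramData
        "ImageLoaded": r"C:\ProgramData\HWAudioOs2Ec.sys",
        "Signature": "Huawei Technologies Co., Ltd.",  # constructed signer string
        "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev["ImageLoaded"])
        for r in reasons:
            print("  -", r)
```

On a fleet of Huawei laptops the HWAudioOs2Ec.sys name alone is noise, which is why the load path and signer are scored separately and the benign baseline record produces no reasons. A production version would also match the Hashes field against Microsoft's recommended driver block rules or the LOLDrivers list, and would fire on the Sysmon record itself rather than on a batch, since the whole point of the technique is that the EDR may be gone moments later.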
Tradecraft
52 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
16 malware families attributed to this actor across reporting.
Associated vulnerabilities
15 CVEs this actor has used in observed campaigns, all 15 exploited in the wild. The entries with evidence excerpts are listed below.

SimpleHelp RMM: CVE-2024-57727 and CVE-2024-57728 (DragonForce; source: sophos.com)
Evidence excerpt: "The campaigns, uncovered in early 2025, leveraged a trio of flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—to pivot from compromised RMM servers into victim networks with 'minimal friction.'"

Vulnerable signed drivers (BYOVD)
Evidence excerpt: "Researchers said the attackers used a new tool called Havoc Process Terminator to exploit a Huawei audio driver, tracked as HWAudioOs2Ec.sys. They also exploited three documented driver vulnerabilities: CVE-2023-52271 in Topaz Antifraud, CVE-2025-61155 in Tower of Fantasy, and CVE-2025-1055 in K7 Security Anti-Malware."
Observables
78 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware group cited as capable of targeting World Cup-supporting organizations under operational pressure for financial gain.
Referenced as a top-tier RaaS gang with a strong U.S.-heavy victim distribution; also mentioned in relation to ThrottleBlood affiliate activity.
Referenced as a group in whose intrusions ThrottleBlood was previously observed.
Referenced as a ransomware operation whose affiliate attacks commonly used ThrottleBlood; also noted as having a heavy US victim concentration compared with The Gentlemen.