DragonForce

DragonForce is a ransomware family and associated ransomware-as-a-service (RaaS) operation active since at least late 2023. Reporting in the provided content describes it as first observed between August and December 2023, initially operating as a traditional RaaS program and later rebranding in March 2025 as a "cartel." The malware has been described as derived from leaked LockBit 3.0 (LockBit Black) and Conti ransomware code, with some analyses specifically assessing examined samples as primarily Conti-based despite prior LockBit overlap. DragonForce supports Windows and Linux variants, including Linux builds for ESXi, NAS, and RHEL environments.

Its core behavior is ransomware encryption with double-extortion activity. The content states DragonForce infiltrates networks, steals confidential data, encrypts systems, and demands ransom. It has been observed encrypting local systems and network shares, deleting volume shadow copies, changing wallpaper and file icons, and optionally Base32-encoding filenames while appending a DragonForce-specific encrypted extension. Windows samples described in the content use ChaCha8 for file/configuration encryption and append RSA-4096-protected metadata. DragonForce supports full, header, and partial encryption modes depending on file type and size. Linux variants are described as functionally similar in core encryption logic, with ESXi-focused builds additionally shutting down virtual machines and collecting ESXi environment information.

The malware and its ecosystem include defense-evasion features. Multiple reports state DragonForce uses BYOVD techniques to terminate security products and disable EDR/AV tooling. Generated binaries were reported to retain BYOVD-based process termination by default. Specific drivers and tooling mentioned in the content include truesight.sys, rentdrv2.sys, Huawei HWAudioOs2Ec.sys, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), K7 Security K7RKScan.sys (CVE-2025-1055), and the ABYSSWORKER malicious driver. DragonForce activity was also observed in attack chains where an EDR-killer preceded ransomware deployment.

The content links DragonForce to several intrusion patterns and access vectors. Reported initial access methods include exposed or public-facing RDP, exploitation of vulnerable SQL/MSSQL servers, exploitation of edge devices and remote access technologies, brute forcing of RDP and SSL-VPN accounts, compromised credentials, and compromise of an MSP SimpleHelp RMM platform via vulnerabilities including CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726. Observed post-compromise activity includes PowerShell, Cobalt Strike Beacon, SystemBC, Mimikatz, ADFind, SoftPerfect NetScan, Advanced IP Scanner, PingCastle, PsExec, internal RDP, account creation, firewall changes, and Active Directory/network reconnaissance.

A notable capability described in multiple sources is DragonForce operators’ use of a custom Go-based backdoor, Backdoor.Turn, to hide command-and-control traffic inside Microsoft Teams TURN relay infrastructure. In the reported U.S. services firm intrusion, Backdoor.Turn obtained an anonymous Teams visitor token, used legitimate Microsoft relay infrastructure, and established QUIC-based communications that appeared as normal Teams traffic. The backdoor was described as enabling persistence, command execution, process creation, network scanning, LDAP/Active Directory mapping, lateral movement with stolen credentials, browser credential theft, and possible post-ransomware re-entry.

DragonForce is associated in the content with multiple threat actors and affiliate relationships. It is repeatedly described as a RaaS platform used by affiliates. The content links DragonForce use to Scattered Spider / UNC3944 / Muddled Libra / GOLD HARVEST in several incidents and advisories, including extortion operations and reported attacks on UK retailers such as Marks & Spencer, Co-op, and Harrods. Unit 42 states Muddled Libra partnered with the DragonForce RaaS program since at least April 2025. The content also notes DevMan uses modified DragonForce code. Some reporting associates DragonForce’s operator with the cluster tracked as Slippery Scorpius.

Victimology in the provided content shows broad, opportunistic targeting across sectors and geographies. Reported targeted sectors include business services, manufacturing, construction, technology, healthcare, retail, finance, logistics, government, insurance, aviation, and managed service providers. The content specifically notes attacks against UK organizations, a major U.S. services firm, and an Australian small business incident. Linux/ESXi support and references to VMware encryption indicate targeting of virtualized enterprise environments as well.

Known indicators and artifacts directly mentioned in the content include payload filenames/paths such as C:\Users\REDACTED\Desktop\df.exe and C:\Users\REDACTED\Documents\df.exe; default log path C:\Users\Public\log.log; icon and wallpaper artifacts C:\Users\Public\icon.ico and C:\Users\Public\wallpaper_white.png; mutex hsfjuukjzloqu28oajh727190; ransom note filenames "[rand].README.txt", "readme.xt", and "readme.txt"; encrypted extensions including .dragonforce_encrypted, .RNP, and .RNP_esxi in contexts described by researchers; Microsoft Defender detection Ransom:Win32/DragonForce.C!MTB; one analyzed sample hash MD5 ada4e228e982a7e309bb6a3308e4872d and SHA256 451a42db9c514514ab71218033967554507b59a60ee1fc3d88cbeb39eec99f20; IP address 45.135.232.195; and a DragonForce leak site onion address of dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion.