Skip to content
Ransomware group EsxiLinuxWindows

DragonForce

DragonForce is a ransomware family and ransomware-as-a-service operation active since late 2023.

Profile source: Mallory opens in a new tab

DragonForce

Family profile

DragonForce is a ransomware family and ransomware-as-a-service operation active since late 2023. It is associated with a broader criminal ecosystem that recruits affiliates and has publicly presented itself as a cartel-style operation. DragonForce code has been reported as derived from leaked LockBit 3.0 and Conti ransomware source code, and variants exist for Windows and Linux, including Linux builds targeting VMware ESXi environments.

DragonForce is used to encrypt victim systems and support extortion operations, often alongside data theft. Reported intrusions linked to DragonForce include enterprise compromises in which operators conducted credential access, reconnaissance, lateral movement, and persistence before ransomware deployment. Observed tradecraft around DragonForce incidents includes use of PsExec, Impacket tooling, Mimikatz, remote desktop access, and remote management software. In some campaigns, operators maintained persistence with custom malware after encryption or used advanced evasion methods such as DLL sideloading and bring-your-own-vulnerable-driver techniques to disable security tooling.

The malware supports capabilities consistent with modern enterprise ransomware, including file encryption across local and network-accessible resources, process termination to unlock files, and in Linux ESXi-focused variants, actions to impact virtualized environments. Public reporting also describes DragonForce operators or affiliates using the malware after initial access obtained through exposed remote services, exploitation of edge infrastructure, or access provided by intermediaries such as initial access brokers. Delivery has also been linked in some cases to social-engineering-driven intrusions conducted by Scattered Spider, which authorities and researchers have associated with DragonForce deployment in attacks against retail and ESXi environments.

DragonForce has been observed across multiple sectors and geographies, including high-profile attacks against retail and services organizations. Its operational model, cross-platform support, and association with affiliate-driven intrusion activity place it among the more capable contemporary ransomware threats.

Capabilities

  • Byovd
  • Credential Theft
  • Defense Evasion
  • Dll Sideloading
  • Exfiltration
  • Extortion
  • Initial Access
  • Lateral Movement
  • Persistence
  • Post Exploitation
  • Reconnaissance
  • Scanning
  • Session Hijacking

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz

Discovery Enum

  • Advanced IP Scanner
  • PingCastle
  • SoftPerfect NetScan

Ransomware.live

Published indicators

Full source record ↗

Md5

22 total
  • 3a514e164db30acdb3063eb79a23aa4f
  • f0410358a0d9dbd0dff3113d9c744ca7
  • 99be93aa4c34b39fedcd37663c34511f
  • 2dd7cd2bf15eec7d62689435fca9c49c
  • 3c311cabe7de6a8c104f8f10541d392d
  • 12e22f588f6128cf1a042d1122556cd2
  • e4a4fc96188310b7b07e7c0525b5c0aa
  • 15634dc79981e7fba25fb8530cedb981
  • 8bcd83352bbd52ca7bda998a52dd0e5c
  • 6c755a742f2b2e5c1820f57d0338365f

Tox

1 total
  • 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20

Ip

1 total
  • 45.135.232.195

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

9 named in public reporting
Scattered Spider

Criminal complaints against alleged Scattered Spider members and public reports reveal collaboration of the subclusters with ALPHV/Blackcat and Dragonforce.

Devman

Devman is a ransomware operator, believed to be located in Russia, who uses modified DragonForce code built on top of the leaked Conti source code.

DragonForce

The DragonForce Ransomware Group, first detected in December 2023, developed its own ransomware based on LockBit 3.0 (Black) and Conti Ransomware code.

slippery_scorpius

Since at least April 2025, the group has partnered with the DragonForce RaaS program, operated by the group we track as Slippery Scorpius, to extort victims. In one case, we observed attackers exfiltrating over 100 GB of data during a two-day period, with encryption via DragonForce ransomware deployment.

GOLD HARVEST

When DragonForce emerged in August 2023, it offered a traditional RaaS scheme. On March 19, 2025, the group announced a rebrand as a ‘cartel’ to expand its reach, hoping to emulate the success of LockBit and other mature ransomware-as-a-service (RaaS) groups.

ShinyHunters

DragonForce posted 101 victims in Q1 2026 (an increase of 29% compared to Q4 2025), with a steep climb from 10 victims in January to 35 in February and 56 in March.

DragonForce Malaysia

“DragonForce ransomware was first identified in August 2023… DragonForce has two ransomware variants - one based on LockBit Ransomware and another based on the Conti Ransomware variant.”

Water Tambanakua

“DragonForce ransomware was first identified in August 2023… DragonForce has two ransomware variants - one based on LockBit Ransomware and another based on the Conti Ransomware variant.”

LAPSUS$

The final phase involves deploying ransomware. Recently we have seen the group prefer the DragonForce variant, particularly targeting virtualised environments.

Exploited software

Vulnerabilities linked to DragonForce

10 CVEs

MITRE ATT&CK

DragonForce in ATT&CK

42 distinct techniques

Reporting

Research mentioning DragonForce

Jul 10
Cyber Security News

Hackers Can Go From CitrixBleed 2 Exploitation to Ransomware in Under an Hour

In one incident, the operator progressed from initial access to ransomware deployment in under an hour. DragonForce was used in the most advanced case.

Jul 9
Huntress

CitrixBleed 2 (CVE-2025-5777) 7Steps to Dragonforce Ransomware | Huntress

Across the first half of 2026, the Huntress Tactical Response unit worked a string of intrusions that all rhymed: an edge Citrix NetScaler gateway, sudden anomalous access to the environment, a tidy privilege-escalation, a fake "Citrix" administrator account, off-the-shelf remote-access software, and when the operator got what they wanted—Dragonforce ransomware.

Jul 9
Itsecurityguru

CitrixBleed 2 exploited in repeatable attack chain culminating in DragonForce ransomware, researchers find - IT Security Guru

...in its most advanced form, ends in DragonForce ransomware... In the most progressed case, the operator used PsExec, Impacket-based tooling and Mimikatz for lateral movement and credential access before deploying a DragonForce ransomware binary...

Jul 7
Group Ib

Connecting Scattered Spider: Defining A Cybercrime Collective Through Shared TTPs | Group-IB Blog

Criminal complaints against alleged Scattered Spider members and public reports reveal collaboration of the subclusters with ALPHV/Blackcat and Dragonforce.

Jul 3
Cyberveille

Scattered Spider : extradition de Peter Stokes vers les États-Unis dans le cadre de l'Opération Riptide | CyberVeille

En juillet 2025, le FBI et la CISA avaient publié des recommandations sur les techniques de Scattered Spider, incluant l’usage du ransomware DragonForce pour chiffrer des serveurs VMware ESXi.

Jul 3
Xakep

19-летнего участника группировки Scattered Spider экстрадировали в США - Хакер

Также известно, что в некоторых атаках группировка использовала Android-эмулятор Genymobile, а против британских ретейлеров применяла шифровальщик DragonForce.

Jul 2
Bleeping Computer

Alleged Scattered Spider hacker extradited to the United States

According to prosecutors, they commonly use the Genymobile Android emulator during their MFA attacks and have also deployed DragonForce encryptor in ransomware attacks against UK retail companies.

Jul 1
Xakep

Глава Huntress признал, что сотрудница компании предупредила хакера о расследовании - Хакер

...оператор вымогательской малвари, основанной на исходном коде вредоноса DragonForce (который, в свою очередь, базируется на слитых в сеть исходниках Conti).

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.