The DragonForce Cartel: Scattered Spider at the gate
DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs BYOVD attacks to terminate processes. DragonForce has expanded its affiliate program, allowing partners to white-label payloads and create variants. The group has exposed over 200 victims on its leak site, targeting various sectors. DragonForce's partnership with Scattered Spider, known for sophisticated social engineering techniques, has led to high-profile breaches. The group's ransomware samples show significant overlap with Conti's leaked source files and use ChaCha20 encryption.
AI Analysis
Technical Summary
DragonForce is a ransomware-as-a-service cartel that emerged in 2023, evolving from a traditional ransomware group into a more complex organization by forming alliances with other cybercriminal groups like Scattered Spider, LAPSUS$, and ShinyHunters. This coalition enhances their capabilities, particularly in social engineering and initial access techniques. DragonForce ransomware is based on Conti's leaked source code, sharing significant code overlap and using ChaCha20 encryption to secure victim data, making decryption without keys extremely difficult. The group employs BYOVD attacks, which involve loading vulnerable drivers to disable or terminate security software processes, thereby evading detection and increasing the success rate of their ransomware deployment. Their affiliate program allows partners to white-label ransomware payloads and create customized variants, increasing the diversity and reach of attacks. DragonForce has publicly exposed over 200 victims on their leak site, targeting a broad range of sectors globally, indicating a widespread and persistent threat. The partnership with Scattered Spider, known for sophisticated social engineering and credential theft techniques, has led to high-profile breaches, demonstrating the cartel's ability to combine technical and human attack vectors effectively. Although there are no known exploits in the wild specifically tied to this ransomware, the group's tactics, techniques, and procedures (TTPs) align with advanced persistent threat behaviors, including credential dumping, lateral movement, and process termination to disable defenses. The threat is ongoing and dynamic, with continuous evolution in payload variants and attack methods.
Potential Impact
European organizations face significant risks from DragonForce due to its advanced ransomware capabilities and extensive affiliate network. The use of BYOVD attacks to disable security tools can lead to prolonged undetected breaches, increasing the potential for extensive data encryption and exfiltration. The cartel’s public leak of victim data can result in reputational damage, regulatory penalties under GDPR, and financial losses from ransom payments and recovery costs. Critical infrastructure, healthcare, finance, and manufacturing sectors in Europe are particularly vulnerable due to their reliance on continuous availability and sensitive data. The involvement of Scattered Spider enhances the threat through sophisticated social engineering, increasing the likelihood of successful initial access. The ability to white-label ransomware variants complicates detection and response, as each affiliate may use different payload signatures. Overall, the threat could disrupt operations, compromise sensitive information, and cause significant economic and operational damage across European countries with advanced digital economies and critical infrastructure.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to the specific tactics used by DragonForce. This includes deploying endpoint detection and response (EDR) solutions capable of detecting and blocking BYOVD techniques, such as monitoring for suspicious driver loads and process terminations. Enhancing phishing and social engineering awareness training is critical, especially given Scattered Spider’s involvement in credential theft and initial access. Organizations should enforce strict credential hygiene, including multi-factor authentication (MFA) across all access points, and monitor for unusual authentication patterns. Network segmentation and least privilege access can limit lateral movement post-compromise. Regular backups should be maintained offline and tested for integrity to enable recovery without paying ransom. Incident response plans must be updated to address ransomware scenarios involving process termination and encryption. Threat intelligence sharing within European cybersecurity communities can improve detection of emerging variants. Finally, organizations should monitor public leak sites and threat actor communications to identify potential exposure early.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/
- Adversary: DragonForce
- Pulse Id: 690b1a8fb4a0df0cf6a16178
- Threat Score: null
Threat ID: 690dba651280f279b842fd08
Added to database: 11/7/2025, 9:22:45 AM
Last enriched: 11/7/2025, 9:24:23 AM
Last updated: 1/7/2026, 4:52:38 AM