DragonForce isn’t just one other ransomware model \u2013 it\u2019s a destabilizing drive making an attempt to reshape the ransomware panorama. Counter Menace Unit (CTU) researchers are actively monitoring the evolution of the menace posed by the group.\u00a0<\/span>\u00a0<\/span><\/p>\n DragonForce is concerned in high-impact assaults concentrating on each conventional IT infrastructure and virtualized environments (e.g., VMware ESXi), with a robust emphasis on credential theft, Energetic Listing abuse, and knowledge exfiltration. In March 2025, it launched efforts to assert dominance within the ransomware ecosystem by introducing a extra versatile affiliate mannequin and concentrating on different ransomware teams.<\/span>\u00a0<\/span><\/p>\n A collection of <\/span>assaults<\/span><\/a> on UK retailers that started in late April introduced this group into sharper focus as third-party <\/span>reviews<\/span><\/a> linked these assaults to DragonForce and the <\/span>GOLD HARVEST<\/span><\/a> (also referred to as Scattered Spider) menace group. GOLD HARVEST regularly leverages social engineering, abuse of distant monitoring and administration (RMM) instruments, and multi-factor authentication (MFA) bypass strategies to realize entry, steal bulk knowledge, and typically deploy ransomware.\u00a0<\/span>\u00a0<\/span><\/p>\n When DragonForce emerged in August 2023, it provided a standard RaaS scheme.\u202fOn March 19, 2025, the group introduced a rebrand as a \u2018cartel\u2019 to increase its attain, hoping to emulate the success of LockBit and different mature ransomware-as-a-service (RaaS) teams. In observe, it isn\u2019t a cartel operation however an providing that offers associates the flexibleness to leverage DragonForce\u2019s infrastructure and ransomware instruments whereas working underneath their very own manufacturers (see Determine 1).<\/span>\u00a0<\/span><\/p>\n Determine <\/span><\/i>1<\/span><\/i>: Commercial for the DragonForce cartel<\/span><\/i><\/p>\n DragonForce didn\u2019t simply revamp its enterprise mannequin; it started attacking rival operations. The \u2018cartel\u2019 submit coincided with defacements of leak websites operated by the BlackLock and Mamona ransomware teams. The defacements appeared to have been performed by DragonForce, as seen within the side-by-side display screen captures in Determine 2.<\/span>\u00a0<\/span><\/p>\n Determine <\/span><\/i>2<\/span><\/i>: Defaced Mamona (left) and BlackLock (proper) leak websites<\/span><\/i><\/p>\n In April, a submit on the RansomHub leak website appeared to advertise the DragonForce cartel, as seen in Determine 3. A DragonForce submit on the RAMP underground discussion board additionally appeared to point that the teams had been working collectively, however the postscript instructed that RansomHub won’t help the collaboration (see Determine 4). RansomHub is among the most prolific teams to emerge following the LockBit <\/span>disruption<\/span><\/a> and ALPHV (also referred to as BlackCat) demise in 2024.<\/span>\u00a0<\/span><\/p>\n Determine <\/span><\/span>3<\/span><\/span><\/span>:<\/span> DragonForce<\/span> cartel point out on <\/span>RansomHub<\/span> leak website<\/span><\/span><\/em><\/p>\n Determine <\/span><\/i>4<\/span><\/i>: DragonForce submit suggesting a collaboration with RansomHub<\/span><\/i><\/p>\n Shortly after these posts, the RansomHub leak website went offline. The homepage displayed the message \u201cRansomHub R.I.P 03\/03\/2025.\u201d The \u201ccollaboration\u201d between DragonForce and RansomHub seems to have been extra of a hostile takeover by DragonForce. The \u2018koley\u2019 persona, who is understood to be a outstanding RansomHub member, posted a defacement of the DragonForce homepage on RAMP (see Determine 5), together with the message \u201c@dragonforce guess you’ve traitors\u2026\u201d Further posts by koley accused DragonForce of working with legislation enforcement, attacking rivals, and telling lies.\u00a0<\/span>\u00a0<\/span><\/p>\n Determine <\/span><\/i>5<\/span><\/i>: Defacement of the DragonForce leak website shared by RansomHub member \u2018koley\u2019<\/span><\/i><\/p>\n As of this publication, the DragonForce leak website is again on-line after an prolonged interval of down time. Throughout that interval, the homepage displayed a message stating that it might be up once more quickly, and the same message seems on the RansomBay leak website (see Determine 6).<\/span>\u00a0<\/span><\/p>\n Determine <\/span><\/i>6<\/span><\/i>: DragonForce and RansomBay leak website homepages as of Could 2, 2025<\/span><\/i><\/p>\n In Could 2025, UK retailer Marks and Spencer was the topic of a major cyberattack that was <\/span>publicly attributed<\/span><\/a> to GOLD HARVEST (referred to within the reporting as Scattered Spider), though this attribution has not been formally confirmed. <\/span>This group is<\/span> a loosely organized cybercriminal collective made up of particular person menace actors who collaborate by a shared community of underground boards and encrypted chat channels utilized by a group of like-minded people often called \u201cThe Com.\u201d The menace actors on this group coordinate malicious companies to conduct assaults, alternate instruments, and share ways inside this decentralized ecosystem. GOLD HARVEST reportedly deployed the DragonForce ransomware on this assault.\u00a0<\/span>\u00a0<\/span><\/p>\n GOLD HARVEST has been recognized to function as a ransomware affiliate, deploying ALPHV ransomware in <\/span>assaults<\/span><\/a> on MGM Resorts in 2023 and <\/span>reportedly<\/span><\/a> utilizing RansomHub in assaults all through 2024. The menace actors make the most of a variety of ways, strategies, and procedures (TTPs) of their assaults however are recognized for his or her efficient use of social engineering. They usually achieve entry to organizations by concentrating on IT assist desks. Public attribution of the Marks and Spencer assault could also be predicated on the assumption that the assault began with social engineering, maybe concentrating on assist desk employees.<\/span>\u00a0<\/span><\/p>\n Social engineering is a common menace throughout the cyber panorama and isn’t distinctive to GOLD HARVEST, though the group has been adept at utilizing this method through e mail and phone calls. There may be rising interaction between social engineering and stolen credentials. GOLD HARVEST is <\/span>recognized<\/span><\/a> to make use of commodity infostealers equivalent to Vidar and Raccoon, which acquire browser-saved passwords, cookies, and session tokens. These credentials can allow preliminary entry straight or help extra convincing social engineering makes an attempt by permitting attackers to reference inside programs or mimic legit worker habits.<\/span>\u00a0<\/span><\/p>\nEnter the dragon<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/df-fig01.png\")
<\/a><\/p>\n![\"Two](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/df-fig02.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/df-fig03.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/df-fig04.png\")
<\/a><\/p>\n![\"An](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/df-fig05.jpg\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/05\/df-fig06.png\")
<\/a><\/p>\n