DragonForce

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to intrusion sets

· Published 20/12/2025 08:53 · Modified 16/06/2026 19:48 · Source: Ransomware.Live

Essential information

Confidence: 100/100
Published: 20/12/2025 08:53
Modified: 16/06/2026 19:48
Updated at: 16/06/2026 19:48
Revoked: No
Author / Source: Ransomware.Live
Resource level: —
Primary motivation: —
Related entities: 6 reports, 61 attack patterns (mitre), 8 malware, 9 sectors, 18 countries, 84 indicators, 8 vulnerabilities (cve), 29 organization

Description

No description available

Marking (TLP)

TLP:CLEAR

Labels

ransomware

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (6)

Attackers Weaponize Microsoft Teams Relays to Stay Hidden

AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT

· threat-report
The Godfather of Ransomware? Inside Cartel Ambitions

17 MITREs 1 Malware 7 Observables 1 APT
The DragonForce Cartel: Scattered Spider at the gate

15 MITREs 5 Malwares 1 APT
DragonForce Ransomware Gang | From Hacktivists to High …

11 MITREs 1 APT
DragonForce Ransomware Group is Targeting Saudi Arabia

5 CVEs 10 MITREs 1 Malware 17 Observables 1 APT
Inside the Dragon: DragonForce Ransomware Group

5 MITREs 2 Malwares 5 Observables 1 APT

Attack patterns (MITRE) (61)

T1078.003 uses

Local Accounts MITRE
T1566.001 uses

Spearphishing Attachment MITRE
T1560 uses

Archive Collected Data MITRE
T1566.003 uses

Spearphishing via Service MITRE
T1547.001 uses

Registry Run Keys / Startup Folder MITRE
Credential Stuffing uses

T1110.004 MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1573 uses

Encrypted Channel MITRE
T1566.002 uses

Spearphishing Link MITRE
T1055 uses

Process Injection MITRE
T1136 uses

Create Account MITRE
T1133 uses

External Remote Services MITRE

← Previous

Page / 6

1–12 of 61

LockBit uses

Family
Global uses

Family
Conti uses

Family
DragonForce uses

Family
Mamona uses

Family
Backdoor.Turn uses

Family
Devman uses

Family
Conti - S0575 uses

Family

Sectors (9)

Technology targets
Manufacturing targets
Finance targets
Retail targets
Healthcare targets
Construction targets
Insurance services targets
Transportation targets
Agriculture Food Production targets

Countries (18)

United States of America targets
Finland targets
Israel targets
Germany targets
Slovakia targets
Mexico targets
Canada targets
Switzerland targets
Taiwan targets
Guatemala targets
India targets
Italy targets

← Previous

Page / 2

1–12 of 18

4db090498a57b85411417160747ffd8d4875f98b3ca2b83736a68900b7304d2b indicates

stix 100/100

· Valid until 01/11/2026 · Source: AlienVault
d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3 indicates

stix 100/100 Revoked

· Valid until 29/04/2026 · Source: AlienVault
3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion indicates

stix 100/100 Revoked

· Valid until 28/09/2025 · Source: AlienVault
1ccf8baf11427fae273ffed587b41c857fa2d8f3d3c6c0ddaa1fe4835f665eba indicates

stix 100/100

· Valid until 01/11/2026 · Source: AlienVault
0dfe23ab86cb5c1bfaf019521f3163aa5315a9ca3bb67d7d34eb51472c412b22 indicates

stix 100/100

· Valid until 01/11/2026 · Source: AlienVault
821da79d727351dd67ce5df7950e9a3de6647a3cf474bb3a093f67507fed92a6 indicates

stix 100/100

· Valid until 12/06/2027 · Source: AlienVault
http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion indicates

stix 100/100 Revoked

· Valid until 15/04/2025 · Source: AlienVault
http://192.36.27.51/TechSupV18Fix3.zip indicates

stix 100/100

· Valid until 15/07/2026 · Source: AlienVault
65ab49119c845801f29a57e8aa177146b2ffbd289d4278109b146f933380f951 indicates

stix 100/100

· Valid until 12/06/2027 · Source: AlienVault
941b0bb479946c833a0436ecb84b94c8468c86c40016f46029e8bf04a22a754e indicates

stix 100/100

· Valid until 01/11/2026 · Source: AlienVault
95.164.53.64 indicates

stix 100/100 Revoked

· Valid until 28/02/2026 · Source: AlienVault
82b37a92589dfd4d67ca87eb9e52ac8e682e8e60d2211f59074cd5ccc693013b indicates

stix 100/100

· Valid until 12/06/2027 · Source: AlienVault

← Previous

Page / 7

1–12 of 84

Vulnerabilities (CVE) (8)

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21412 KEV targets

8.1 High

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

Attack vector: Network
Published: 13/02/2024
Modified: 27/05/2026

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2025-61155 targets

5.5 Medium

The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …

Attack vector: LOCAL
Published: 28/10/2025
Modified: 30/01/2026

Received

CVE-2023-52271 targets

6.5 Medium

The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which …

Attack vector: LOCAL
Published: 08/01/2024
Modified: 16/06/2026

CVE-2025-1055 targets

5.6 Medium

A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL …

Attack vector: LOCAL
Published: 11/06/2025
Modified: 16/06/2026

Awaiting Analysis

Organization (29)

Construction Equipment Parts targets
Health Management Systems targets
Neurological Associates targets
Centro Médico Palafox targets
maa-architects.com targets
phoenixlabs.com targets
UBS Office targets
bestgraphics.net targets
NK Technologies targets
Conrad Capital Management targets
BMW Guatemala targets
Flexform targets

← Previous

Page / 3

1–12 of 29

Contact About Legal notice Privacy policy Terms of use

DragonForce

Essential information

Description

Marking (TLP)

Labels

Related entities

Reports (6)

Attack patterns (MITRE) (61)

Malware (8)

Sectors (9)

Countries (18)

Indicators (84)

Vulnerabilities (CVE) (8)

Organization (29)