DragonForce

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to intrusion sets

· Published 20/12/2025 08:53 · Modified 16/06/2026 19:48 · Source: Ransomware.Live

Essential information

Confidence: 100/100
Published: 20/12/2025 08:53
Modified: 16/06/2026 19:48
Updated at: 16/06/2026 19:48
Revoked: No
Author / Source: Ransomware.Live
Resource level: —
Primary motivation: —
Related entities: 6 reports, 61 attack patterns (mitre), 8 malware, 9 sectors, 18 countries, 84 indicators, 8 vulnerabilities (cve), 29 organization

Description

No description available

Marking (TLP)

TLP:CLEAR

Labels

ransomware

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (6)

Attackers Weaponize Microsoft Teams Relays to Stay Hidden

AlienVault Confidence 100 3 CVEs 18 MITREs 2 Malwares 26 IOCs 26 Observables 1 APT
The Godfather of Ransomware? Inside Cartel Ambitions

17 MITREs 1 Malware 7 Observables 1 APT
The DragonForce Cartel: Scattered Spider at the gate

15 MITREs 5 Malwares 1 APT
DragonForce Ransomware Gang | From Hacktivists to High …

11 MITREs 1 APT
DragonForce Ransomware Group is Targeting Saudi Arabia

5 CVEs 10 MITREs 1 Malware 17 Observables 1 APT
Inside the Dragon: DragonForce Ransomware Group

5 MITREs 2 Malwares 5 Observables 1 APT

Attack patterns (MITRE) (61)

T1078.003 uses

Local Accounts MITRE
T1566.001 uses

Spearphishing Attachment MITRE
T1560 uses

Archive Collected Data MITRE
T1566.003 uses

Spearphishing via Service MITRE
T1547.001 uses

Registry Run Keys / Startup Folder MITRE
Credential Stuffing uses

Credential Stuffing MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1573 uses

Encrypted Channel MITRE
T1566.002 uses

Spearphishing Link MITRE
T1055 uses

Process Injection MITRE
T1136 uses

Create Account MITRE
T1133 uses

External Remote Services MITRE

← Previous

Page / 6

1–12 of 61

LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Global uses

Family
Conti uses

Family
DragonForce uses

Family
Mamona uses

Family
Backdoor.Turn uses

Family
Devman uses

Family
Conti - S0575 uses

Family

Sectors (9)

Technology targets
Manufacturing targets
Finance targets
Retail targets
Healthcare targets
Construction targets
Insurance services targets
Transportation targets
Agriculture Food Production targets

Countries (18)

United States of America targets
Finland targets
Israel targets
Germany targets
Slovakia targets
Mexico targets
Canada targets
Switzerland targets
Taiwan targets
Guatemala targets
India targets
Italy targets

← Previous

Page / 2

1–12 of 18

56dfe55b016c08f09dd5a2ab58504b377a3cd66ffba236a5a0539f6e2e39aa71 indicates

stix 100/100

· Valid until 01/11/2026 · Source: AlienVault
8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2 indicates

stix 100/100

· Valid until 12/06/2027 · Source: AlienVault
d67a475f72ca65fd1ac5fd3be2f1cce2db78ba074f54dc4c4738d374d0eb19c7 indicates

stix 100/100 Revoked

· Valid until 29/04/2026 · Source: AlienVault
ba1be94550898eedb10eb73cb5383a2d1050e96ec4df8e0bf680d3e76a9e2429 indicates

stix 100/100 Revoked

· Valid until 29/04/2026 · Source: AlienVault
b10129c175c007148dd4f5aff4d7fb61eb3e4b0ed4897fea6b33e90555f2b845 indicates

stix 100/100

· Valid until 01/11/2026 · Source: AlienVault
d0da2832ae1e13a98f7ce7e33a66c1b0d9797b81f69ece134e4462ea55ac923e indicates

stix 100/100

· Valid until 12/06/2027 · Source: AlienVault
professionalhomebasedbusiness.com indicates

stix 100/100

· Valid until 11/11/2026 · Source: AlienVault
feab413f86532812efc606c3b3224b7c7080ae4aa167836d7233c262985f888c indicates

stix 100/100 Revoked

· Valid until 24/02/2026 · Source: AlienVault
z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion indicates

stix 100/100 Revoked

· Valid until 25/07/2025 · Source: AlienVault
a4dfa099e1f52256ad4a3b2db961e158832b739126b80677f82b0722b0ea5e59 indicates

stix 100/100 Revoked

· Valid until 24/02/2026 · Source: AlienVault
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 indicates

stix 100/100 Revoked

CoinMiner

· Valid until 02/12/2025 · Source: AlienVault
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion indicates

stix 100/100 Revoked

· Valid until 04/12/2025 · Source: AlienVault

← Previous

Page / 7

13–24 of 84

Vulnerabilities (CVE) (8)

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21412 KEV targets

8.1 High

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

Attack vector: Network
Published: 13/02/2024
Modified: 27/05/2026

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2025-61155 targets

5.5 Medium

The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …

Attack vector: LOCAL
Published: 28/10/2025
Modified: 30/01/2026

Received

CVE-2023-52271 targets

6.5 Medium

The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which …

Attack vector: LOCAL
Published: 08/01/2024
Modified: 16/06/2026

CVE-2025-1055 targets

5.6 Medium

A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL …

Attack vector: LOCAL
Published: 11/06/2025
Modified: 16/06/2026

Awaiting Analysis

Organization (29)

Caramel targets
Dynex/Rivett targets
Váhostav targets
SINBON Electronics Co., Ltd targets
Colonial Metals targets
Barnes & Jones targets
National Credit Regulator (NCR) targets
tazzetti.com targets
[Redacted] Takedown Notice #2054 targets
Advanced Rehabilitation Technology targets
Tri-State Metal Roofing Supply targets
Burnex targets

← Previous

Page / 3

13–24 of 29

Contact About Legal notice Privacy policy Terms of use

DragonForce

Essential information

Description

Marking (TLP)

Labels

Related entities

Reports (6)

Attack patterns (MITRE) (61)

Malware (8)

Sectors (9)

Countries (18)

Indicators (84)

Vulnerabilities (CVE) (8)

Organization (29)