
DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption

2 unique sources, 2 articles

Summary


DragonForce ransomware, a Conti-derived operation, has evolved into a "ransomware cartel," recruiting affiliates and partnering with Scattered Spider for sophisticated attacks. The group exploits vulnerable drivers to deactivate security programs and has intensified its operations, publishing details of more compromised entities. DragonForce offers affiliates 80% of profits, customizable encryptors, and infrastructure, lowering the barrier to entry for new cybercriminals. The group's partnership with Scattered Spider has enabled high-profile breaches, including the Marks & Spencer incident. Security experts advise robust backup practices, network segmentation, and consistent patching to defend against such threats.

Timeline

  1. 03.12.2025 17:05 · 1 article

    DragonForce intensifies operations and partners with Scattered Spider

    DragonForce has intensified its operations, publishing details of more compromised entities than in the previous year. Its partnership with Scattered Spider has enabled high-profile breaches, including the Marks & Spencer incident. Scattered Spider conducts reconnaissance on an organization's staff to identify potential targets and develop convincing personas and pretexts, then uses social engineering to obtain or reset credentials and circumvents multifactor authentication through techniques such as MFA fatigue or SIM swapping. Once access is gained, it signs in as the compromised user and registers its own device to maintain entry, then establishes persistence by deploying remote monitoring and management (RMM) tools or tunneling services such as ScreenConnect, AnyDesk, TeamViewer, and Splashtop. It leverages AWS Systems Manager Inventory to identify additional systems for lateral movement and uses ETL tools to compile gathered data into a central database, which is then exfiltrated to attacker-controlled MEGA or Amazon S3 storage services.

  2. 04.11.2025 15:45 · 2 articles

    DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption

    DragonForce, a new ransomware operation built on Conti’s leaked source code, has surfaced. The group has adopted a cartel-like structure, encouraging affiliates to create branded variants and using Conti's ChaCha20 and RSA encryption. DragonForce has conducted coordinated attacks, recruited affiliates like Devman, and partnered with Scattered Spider. The group has shown aggressive tactics by defacing and attempting to take over rival infrastructure. The group exploits vulnerable drivers such as truesight.sys and rentdrv2.sys to deactivate security programs and shut down protected processes. DragonForce offers affiliates 80% of profits, customizable encryptors, and infrastructure, lowering the barrier to entry for new cybercriminals.

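Two of the signals described in the timeline entries above (loads of the vulnerable drivers truesight.sys and rentdrv2.sys, and the start of RMM or tunneling tools such as ScreenConnect, AnyDesk, TeamViewer and Splashtop) can be surfaced from endpoint telemetry. The following detector is an added illustration, not code from the tracker or from any vendor; the Sysmon-style event IDs and field names are assumptions, and the sample events are constructed.

```python
"""Flag BYOVD driver loads and RMM tool starts in Sysmon-style JSON events.
Event IDs 6 (DriverLoad) and 1 (ProcessCreate) and the field names are
assumptions about the telemetry format; sample records below are constructed."""
import json
from pathlib import PureWindowsPath
from typing import Optional

# Driver names taken from the report; any other entries would be assumptions.
VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}
# RMM / tunneling tools named in the report, matched against image file names.
RMM_TOOLS = {"screenconnect", "anydesk", "teamviewer", "splashtop"}


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None if nothing matched."""
    if event.get("EventID") == 6:  # driver load
        name = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
        if name in VULNERABLE_DRIVERS:
            return f"byovd_driver_load:{name}"
    elif event.get("EventID") == 1:  # process creation
        image = PureWindowsPath(event.get("Image", "")).name.lower()
        if any(tool in image for tool in RMM_TOOLS):
            return f"rmm_tool_start:{image}"
    return None


def scan(lines):
    """Parse JSON event lines; return (host, user, label) for every hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of crashing the detector
        label = classify(ev)
        if label:
            hits.append((ev.get("Computer"), ev.get("User"), label))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    '{"EventID": 6, "Computer": "WS01", "User": "SYSTEM", "ImageLoaded": "C:\\\\Windows\\\\Temp\\\\truesight.sys"}',
    '{"EventID": 1, "Computer": "WS01", "User": "corp\\\\jdoe", "Image": "C:\\\\Users\\\\jdoe\\\\Downloads\\\\AnyDesk.exe"}',
    '{"EventID": 1, "Computer": "WS02", "User": "corp\\\\asmith", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe"}',
    '{"EventID": 6, "Computer": "WS02", "User": "SYSTEM", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\ndis.sys"}',
    'not json',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

A driver-name match is only a first-pass signal; pair it with hash or signer checks, since a vulnerable driver can be renamed on disk.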

Similar Happenings

Scattered Spider, ShinyHunters, and LAPSUS$ Form Unified Cyber Extortion Collective

A new cyber extortion collective, Scattered LAPSUS$ Hunters (SLH), has emerged as a unified alliance combining Scattered Spider, ShinyHunters, and LAPSUS$. The group is leveraging the reputational capital of these three high-profile criminal brands to create a consolidated threat identity. SLH is using Telegram as a command hub and brand engine, cycling through public channels to maintain a persistent presence. The alliance aims to fill the void left by the collapse of BreachForums and attract displaced operators with an affiliate-driven extortion model. SLH has created 16 Telegram channels since August 8, 2025, and offers an extortion-as-a-service (EaaS) model. The group is part of a larger cybercriminal enterprise known as The Com and has associations with other threat clusters, including CryptoChameleon and Crimson Collective. SLH's activities blend financially motivated cybercrime and attention-driven hacktivism, with a mature grasp of perception and legitimacy within the cybercriminal ecosystem. The group has hinted at developing a custom ransomware family named Sh1nySp1d3r and is aligned with DragonForce, functioning as an affiliate to break into targets through social engineering techniques. Recently, the admin of SLH, Rey, a 16-year-old named Saif Al-Din Khader from Amman, Jordan, has been cooperating with law enforcement since June 2025. Rey has been involved in releasing SLSH's new ShinySp1d3r ransomware-as-a-service offering, which is a rehash of Hellcat ransomware modified with AI tools.

SectopRAT and Betruger Malware Linked to Play, RansomHub, and DragonForce Ransomware Operations

A September 2024 intrusion involved SectopRAT and Betruger malware, linked to Play, RansomHub, and DragonForce ransomware operations. The attack began with a malicious JavaScript payload disguised as a legitimate browser update, which deployed SectopRAT. The threat actor established persistence, created an admin account, and used various tools for reconnaissance and credential theft, later deploying SystemBC, Betruger, and other tools to facilitate the operation. Defense evasion techniques included process injection, timestomping, and disabling security features. The final goal was ransomware deployment, but no encryption occurred; data was archived and exfiltrated via FTP. The tools used in the attack link the threat actor to Play, RansomHub, and DragonForce ransomware operations.

Scattered Spider's Browser-Based Attacks and Mitigation Strategies

Scattered Spider, also known as UNC3944, Octo Tempest, or Muddled Libra, has evolved to target browser environments, exploiting vulnerabilities in web applications accessed via Chrome, Edge, Firefox, and other browsers. This group focuses on stealing sensitive data such as credentials, session tokens, and security tokens. Over 80% of security incidents now originate from these web applications, making browser security a critical concern for enterprises. Scattered Spider employs sophisticated techniques like Browser-in-the-Browser overlays, session token theft, and malicious extensions to evade traditional security tools. To counter these threats, CISOs must implement multi-layered browser security strategies, including runtime script protection, session integrity, extension governance, and browser telemetry integration.

Increased Social Engineering Attacks Targeting MFA and Help Desks

Threat actors, including groups like Scattered Spider, are increasingly using social engineering tactics to bypass multi-factor authentication (MFA) and gain unauthorized access to enterprise networks. These attacks often target help desk personnel, exploiting human vulnerabilities to reset passwords or override MFA. The FBI and CISA have issued alerts about the growing threat of such high-touch social engineering campaigns. The attack on Clorox by Scattered Spider resulted in approximately $380 million in damages, including $49 million in remedial costs and hundreds of millions in business-interruption losses. The attackers exploited the service desk run by Cognizant, repeatedly phoning to obtain password and MFA resets without meaningful verification. This incident highlights the need for robust caller verification and stringent security protocols in help desk operations. Organizations must rethink their help desk operations, focusing on training, validation processes, and a security-first culture. Frontline staff need to recognize red flags and escalate suspicious requests. Executives and senior leaders should model verification behavior, reinforcing that diligence is expected throughout the organization. Effective defense against these attacks requires ongoing training, relevant simulations, and a culture that prioritizes security over speed. Help desk and security teams must collaborate closely to identify and mitigate potential threats.

ShinyHunters and Scattered Spider Collaboration

The **Gainsight cyber-attack** has expanded significantly, with Salesforce initially identifying **three impacted customers** but later confirming a **larger, unspecified number of victims** by **November 21, 2025**. Meanwhile, the **Scattered Lapsus$ Hunters (SLSH) alliance** has launched a **new phishing campaign targeting Zendesk users**, deploying over **40 typosquatted domains** (e.g., *znedesk[.]com*) and **malicious helpdesk tickets** to harvest credentials and deploy remote access trojans (RATs). The group’s tactics mirror those used in the **August 2025 Salesforce attacks**, with **deceptive SSO portals** and **social engineering lures** aimed at support staff. **Discord** has already confirmed a breach via its Zendesk-based support system, exposing user data including **names, emails, billing details, and government-issued IDs**. Gainsight’s breach involved **unauthorized access via an AT&T IP address on November 8**, preceded by reconnaissance from **3.239.45[.]43 on October 23** and approximately **20 suspicious intrusions between November 16–23** using **VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a method tied to the **Salesloft Drift breach**. Salesforce revoked all access tokens associated with Gainsight applications, while third-party vendors like **Gong.io, Zendesk, and HubSpot** severed integrations as a precaution. HubSpot confirmed no compromise of its infrastructure. Forensic investigations by **Mandiant** and Salesforce revealed the attackers exploited **compromised multifactor credentials** for VPN and system access. Customers were advised to **rotate S3 keys, reset NXT passwords, and re-authorize integrations** while adopting **Google Threat Intelligence Group (GTIG) mitigations**. 
The SLSH alliance has also unveiled a new **ransomware-as-a-service (RaaS) platform, ShinySp1d3r**, featuring **advanced anti-forensic capabilities**, network propagation tools, and **AI-enhanced modifications** of the **HellCat ransomware**. The platform is administered by **Saif Al-Din Khader (aka Rey)**, a core SLSH member who claims cooperation with law enforcement since June 2025. The group has been linked to **51 cyberattacks in the past year**, combining RaaS with extortion-as-a-service (EaaS) and insider recruitment to maximize impact. This attack follows a year-long pattern of **high-impact breaches** by ShinyHunters and Scattered Spider, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and breaches at **Allianz Life, Farmers Insurance, and Workday**, all exploiting **Salesforce platform vulnerabilities**. Despite arrests (e.g., **Scattered Spider members Owen Flowers and Thalha Jubair**) and shutdown claims, the threat persists, with **new victims emerging in critical sectors like rail transport (Almaviva/FS Italiane Group)** and now **Zendesk users**. Authorities, including the **FBI and U.K. NCA**, continue issuing alerts as the groups adapt tactics, leveraging **third-party IT providers, cloud-based CRM systems, and AI-enhanced tooling** to evade detection and scale operations.