DragonForce campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
DragonForce is a ransomware campaign that pairs follow-on encryption with Scattered Spider-linked intrusion tradecraft against high-value targets. In December 2025, Symantec observed an intrusion against a major U.S. services company in which the operators used Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams TURN relays, likely after exploiting an unknown SQL or MSSQL server flaw. The activity also used BYOVD drivers, including HWAuidoOs2Ec.sys, wsftprm.sys, GameDriverx64.sys, and K7RKScan.sys, plus ABYSSWORKER, to evade defenses, exfiltrate data, and deploy ransomware.
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
AWS environment hit by data theft breach
Incident
H score26
First: 08.07.2026 15:30
Last: 08.07.2026 15:30
Sources 1
About this happening:
An **AWS environment** was **compromised** in an **AI-assisted intrusion** that enabled **extortion**, creating immediate risk of data theft and operational disruption. The actor...
AWS environment hit by data theft breach
IncidentAbout this happening: An **AWS environment** was **compromised** in an **AI-assisted intrusion** that enabled **extortion**, creating immediate risk of data theft and operational disruption. The actor...
Klue hit by network compromise
Incident
H score39
First: 18.06.2026 17:19
Last: 18.06.2026 17:19
Sources 1
About this happening:
**Klue** confirmed a **June 12, 2026** security incident in which an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue’s integration infrastru...
Klue hit by network compromise
IncidentAbout this happening: **Klue** confirmed a **June 12, 2026** security incident in which an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue’s integration infrastru...
Latest development: 23.06.2026 16:58
Unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in LastPass's Salesforce environment. LastPass said its products, services, infrastructure, and customer vaults were not affected, and it disabled employee access to Klue, rotated exposed API/OAuth tokens, and notified law enforcement.
INC ransomware encryptors rewritten in Rust
Malware Activity
H score38
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
INC ransomware encryptors rewritten in Rust
Malware ActivityAbout this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor Meta
H score26
First: 18.06.2026 16:30
Last: 18.06.2026 16:30
Sources 1
About this happening:
**Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor MetaAbout this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...
Timeline
-
03.12.2025 17:05 4 articles · 7mo ago
DragonForce expands cartel-style ransomware operations
Campaign Scope UpdateDragonForce expanded its ransomware operation in 2025 by presenting itself as a "ransomware cartel," offering affiliates 80% of profits, customizable encryptors and infrastructure, and pairing with Scattered Spider for high-value intrusions such as Marks & Spencer. The operation draws on earlier LockBit 3.0 builder code and modified Conti v3 source code, abuses vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security tools and protected processes, and deploys DragonForce ransomware across Windows, Linux and ESXi environments after exfiltration to MEGA or Amazon S3.
Show sources
- Deep dive into DragonForce ransomware and its Scattered Spider connection — www.bleepingcomputer.com — 03.12.2025 17:05
- Deep dive into DragonForce ransomware and its Scattered Spider connection — www.bleepingcomputer.com — 03.12.2025 17:05
- A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Join Forces — thehackernews.com — 04.11.2025 19:25
- Ransomware gang abuses Microsoft Teams relays to hide malicious traffic — www.bleepingcomputer.com — 16.06.2026 13:18