Find notable cyber news and cases, enriched with sources, timelines, and signals.

DragonForce campaign expands across multiple victims

Campaign
First reported
Last updated
Happening score
H score 39
2 unique sources, 3 articles

Summary

Hide ▲

DragonForce is a ransomware campaign that pairs follow-on encryption with Scattered Spider-linked intrusion tradecraft against high-value targets. In December 2025, Symantec observed an intrusion against a major U.S. services company in which the operators used Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams TURN relays, likely after exploiting an unknown SQL or MSSQL server flaw. The activity also used BYOVD drivers, including HWAuidoOs2Ec.sys, wsftprm.sys, GameDriverx64.sys, and K7RKScan.sys, plus ABYSSWORKER, to evade defenses, exfiltrate data, and deploy ransomware.

Related Happenings

GodDamn ransomware PoisonX BYOVD activity

Malware Activity
H score15 First: 09.07.2026 13:43 Last: 09.07.2026 13:43 Sources 1

About this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...

AWS environment hit by data theft breach

Incident
H score26 First: 08.07.2026 15:30 Last: 08.07.2026 15:30 Sources 1

About this happening: An **AWS environment** was **compromised** in an **AI-assisted intrusion** that enabled **extortion**, creating immediate risk of data theft and operational disruption. The actor...

Klue hit by network compromise

Incident
H score39 First: 18.06.2026 17:19 Last: 18.06.2026 17:19 Sources 1

About this happening: **Klue** confirmed a **June 12, 2026** security incident in which an attacker used a **compromised legacy credential** to obtain **OAuth tokens** from Klue’s integration infrastru...

Latest development: 23.06.2026 16:58

Unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in LastPass's Salesforce environment. LastPass said its products, services, infrastructure, and customer vaults were not affected, and it disabled employee access to Klue, rotated exposed API/OAuth tokens, and notified law enforcement.

INC ransomware encryptors rewritten in Rust

Malware Activity
H score38 First: 18.06.2026 17:12 Last: 18.06.2026 17:12 Sources 1

About this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...

DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure

Threat Actor Meta
H score26 First: 18.06.2026 16:30 Last: 18.06.2026 16:30 Sources 1

About this happening: **Hackledorb** has **pivoted DragonForce** from a conventional **ransomware-as-a-service (RaaS)** model into a **formalized cartel structure**, signaling a more organized and dura...

Timeline

  1. 03.12.2025 17:05 4 articles · 7mo ago

    DragonForce expands cartel-style ransomware operations

    Campaign Scope Update

    DragonForce expanded its ransomware operation in 2025 by presenting itself as a "ransomware cartel," offering affiliates 80% of profits, customizable encryptors and infrastructure, and pairing with Scattered Spider for high-value intrusions such as Marks & Spencer. The operation draws on earlier LockBit 3.0 builder code and modified Conti v3 source code, abuses vulnerable drivers such as truesight.sys and rentdrv2.sys to disable security tools and protected processes, and deploys DragonForce ransomware across Windows, Linux and ESXi environments after exfiltration to MEGA or Amazon S3.

    Show sources