DRAGONFORCE Ransomware: Aggressive Expansion in Business Services Sector & Critical Exploit Usage

Security Arsenal Team
May 25, 2026

DRAGONFORCE operates as a Ransomware-as-a-Service (RaaS) entity, known for aggressive double-extortion tactics involving data theft followed by encryption. Recent intelligence suggests a shift towards targeting Managed Service Providers (MSPs) and B2B service firms to maximize impact. Typical ransom demands range from $500,000 to $3 million, with a strict 72-hour negotiation window before data leakage begins. The group primarily gains initial access via exposed VPN interfaces, exploitation of remote monitoring tools (specifically ConnectWise ScreenConnect), and phishing campaigns delivering malicious macros. Their average dwell time is approximately 3–5 days, moving rapidly from initial access to lateral movement using Cobalt Strike beacons and custom PowerShell scripts.

# Current Campaign Analysis

Sector Targeting: DRAGONFORCE has aggressively pivoted towards the Business Services sector (accounting for 40% of recent victims), alongside Agriculture & Food Production and Manufacturing. This suggests a strategy of attacking operational hubs that hold sensitive client data or time-critical production environments.

Geographic Concentration: The campaign is overwhelmingly US-centric (60% of victims), with secondary targets in Germany, the UK, and Canada.

Victim Profile: Victims are predominantly mid-market organizations with revenue between $10M and $200M. These organizations often lack robust 24/7 SOC monitoring, making them prime targets for "smash-and-grab" style weekend attacks.

Escalation Patterns: Posting frequency has surged to 3-4 victims per day, a significant increase indicating high operational tempo.

CVE & Initial Access Vectors: This campaign shows a strong correlation with CVE-2024-1708 (ConnectWise ScreenConnect). The high volume of "Business Services" victims strongly implies access via compromised remote management software used by IT support firms. Additionally, CVE-2023-21529 (Microsoft Exchange) and the SmarterMail vulnerabilities (including CVE-2025-52691) are likely being used for initial email system compromise to facilitate phishing or credential harvesting.

# Detection Engineering

```yaml
---
title: Potential ScreenConnect Path Traversal Exploitation (CVE-2024-1708)
id: 9e5b2c3a-1f4d-4b8a-9c1e-0a2b3c4d5e6f
status: experimental
description: Detects suspicious path traversal patterns indicative of CVE-2024-1708 exploitation against ConnectWise ScreenConnect.
references:
    - CVE-2024-1708
author: Security Arsenal
date: 2026/05/25
logsource:
    category: web
detection:
    selection:
        # '..\\' is Sigma's escaped form of a single literal backslash
        cs-uri-query|contains:
            - '..%2f'
            - '..\\'
        cs-uri-stem|contains:
            - '/SetupWizard'
            - '/LiveChatService'
            - '/Guest'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: SmarterMail Authentication Bypass & Exploitation Indicators
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential exploitation of SmarterMail vulnerabilities (CVE-2025-52691, CVE-2026-23760) via IIS logs.
references:
    - CVE-2025-52691
    - CVE-2026-23760
author: Security Arsenal
date: 2026/05/25
logsource:
    category: web
detection:
    selection_uri:
        cs-uri-stem|contains:
            - '/Services/MailDataService.asmx'
            - '/Mails/SaveDraftSettings.aspx'
    selection_method:
        cs-method: POST
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: high
---
title: DRAGONFORCE Lateral Movement via PsExec and WMI
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects lateral movement techniques commonly used by DRAGONFORCE affiliates, specifically PsExec and WMI command execution.
author: Security Arsenal
date: 2026/05/25
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        # psexec.exe / psexec64.exe is the parent on the operator's host; on the
        # target host the service binary PSEXESVC.exe spawns the command instead.
        ParentImage|endswith:
            - 'psexec.exe'
            - 'psexec64.exe'
            - 'psexesvc.exe'
        Image|endswith:
            - 'cmd.exe'
            - 'powershell.exe'
    selection_wmi:
        # Commands launched through WMI run as children of WmiPrvSE.exe, so the
        # match is on the parent image; the command line belongs to the child.
        ParentImage|endswith: 'wmiprvse.exe'
        CommandLine|contains:
            - 'powershell.exe -enc'
            - 'cmd.exe /c'
    condition: 1 of selection_*
falsepositives:
    - System administration
level: medium
```


**KQL Hunt Query (Microsoft Sentinel)**
Hunt for web shell activity or lateral movement spawned from web server processes or remote tools.

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
// in~ is case-insensitive; image names are not guaranteed to be logged in lower case
| where InitiatingProcessFileName in~ ("w3wp.exe", "ScreenConnect.ClientService.exe", "smartermailservice.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "whoami.exe", "net.exe", "tasklist.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
```


**PowerShell Response Script**
Check for signs of ransomware precursor activity (Shadow Copy deletion and unusual scheduled tasks).

```powershell
# DRAGONFORCE Ransomware Pre-Encryption Check
# Requires Administrator Privileges (needed to read the Security log)

Write-Host "Checking for Shadow Copy Deletion Events..." -ForegroundColor Yellow
# Event 7036 is a service state change; the VSS service starting/stopping outside a
# backup window often precedes shadow copy deletion.
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'VSS|Volume Shadow Copy' } | Select-Object TimeCreated, Message

Write-Host "`nChecking for Recently Scheduled Tasks (Last 24h)..." -ForegroundColor Yellow
# ScheduledTask.Date is a string (and may be empty); cast it before comparing, otherwise
# PowerShell performs a string comparison against the DateTime on the right-hand side.
Get-ScheduledTask | Where-Object {
    $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddHours(-24) -and
    $_.Author -notlike "*Microsoft*" -and
    $_.TaskPath -notlike "\Microsoft\*"
} | Select-Object TaskName, Author, Date, TaskPath | Format-List

Write-Host "`nChecking for unusual PowerShell encoded commands..." -ForegroundColor Yellow
# Event 4688 only carries the command line when "Include command line in process
# creation events" is enabled; -match is case-insensitive, so -EncodedCommand also matches.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'powershell\.exe.*-enc' } | Select-Object TimeCreated, Message
```


# Incident Response Priorities

**T-minus Detection Checklist:**
1.  **Web Shell Hunt:** Immediately scan IIS logs for the CVE-2024-1708 path traversal signature and subsequent 200 OK responses on `.aspx` or `.ashx` endpoints.
2.  **Account Audit:** Review Active Directory for service accounts associated with ScreenConnect or Exchange that have had passwords changed or privileges elevated in the last 48 hours.
3.  **Large File Transfers:** Check perimeter firewall logs for sudden spikes in egress traffic (>500 MB) to non-whitelisted IPs, indicating data staging.
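The two IIS-log Sigma rules in the Detection Engineering section and item 1 of this checklist can be exercised offline against exported W3C logs. The Python below is an added example written for this page, not the Security Arsenal team's tooling: it parses IIS W3C extended lines, applies the rule logic with Sigma's case-insensitive `contains` semantics, and then flags 200 responses on `.aspx`/`.ashx` endpoints from any client that already triggered the traversal rule. The log lines, IP addresses, user agents and paths are constructed for the example.

```python
"""Evaluate the two IIS-log Sigma rules and the web-shell follow-on check against
W3C extended log lines. The sample log is constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Constructed sample IIS W3C log (documentation IP ranges, no real victim data).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2026-05-24 02:11:03 10.0.0.5 GET /Guest - 443 - 198.51.100.7 Mozilla/5.0 200 512 300
2026-05-24 02:11:04 10.0.0.5 GET /SetupWizard name=..%2Fprobe 443 - 198.51.100.7 python-requests/2.31 200 1024 300
2026-05-24 02:11:09 10.0.0.5 POST /app/update.ashx - 443 - 198.51.100.7 python-requests/2.31 200 2048 800
2026-05-24 02:12:00 10.0.0.5 GET /Guest - 443 - 203.0.113.9 Mozilla/5.0 200 512 300
2026-05-24 03:00:00 10.0.0.6 POST /Services/MailDataService.asmx - 443 - 203.0.113.50 curl/8.0 200 100 900
2026-05-24 03:00:01 10.0.0.6 GET /Services/MailDataService.asmx - 443 admin 192.168.1.20 Mozilla/5.0 200 100 100
"""

# Patterns taken from the Sigma rules on this page. Sigma "contains" is case-insensitive,
# so both sides are lower-cased before comparison. The YAML '..\\' is Sigma's escaped form
# of one backslash, hence the Python literal "..\\" (which is the two characters ..\ ).
TRAVERSAL_TOKENS = ("..%2f", "..\\")
SCREENCONNECT_STEMS = ("/setupwizard", "/livechatservice", "/guest")
SMARTERMAIL_STEMS = ("/services/maildataservice.asmx", "/mails/savedraftsettings.aspx")
WEBSHELL_EXTENSIONS = (".aspx", ".ashx")


@dataclass
class Hit:
    rule: str
    timestamp: str
    client_ip: str
    method: str
    stem: str
    status: int


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header.
    IIS replaces spaces inside field values with '+', so whitespace splitting is safe."""
    fields: list[str] | None = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it instead of aborting the whole hunt
        yield dict(zip(fields, values))


def match_screenconnect_traversal(rec: dict[str, str]) -> bool:
    """Rule 1: traversal token in cs-uri-query AND a sensitive ScreenConnect stem."""
    query = rec.get("cs-uri-query", "-").lower()
    stem = rec.get("cs-uri-stem", "").lower()
    return any(t in query for t in TRAVERSAL_TOKENS) and any(s in stem for s in SCREENCONNECT_STEMS)


def match_smartermail_post(rec: dict[str, str]) -> bool:
    """Rule 2: POST to one of the SmarterMail service endpoints."""
    stem = rec.get("cs-uri-stem", "").lower()
    return rec.get("cs-method", "").upper() == "POST" and any(s in stem for s in SMARTERMAIL_STEMS)


def analyze(log_text: str) -> list[Hit]:
    """Run both rules, then flag later 200 responses for .aspx/.ashx from any client that
    already produced a traversal hit (checklist item 1, the web-shell follow-on)."""
    hits: list[Hit] = []
    traversal_clients: set[str] = set()
    for rec in parse_w3c(log_text):
        ip = rec.get("c-ip", "")
        stem = rec.get("cs-uri-stem", "")
        try:
            status = int(rec.get("sc-status", "0"))
        except ValueError:
            status = 0
        common = dict(timestamp=f"{rec['date']} {rec['time']}", client_ip=ip,
                      method=rec.get("cs-method", ""), stem=stem, status=status)
        if match_screenconnect_traversal(rec):
            hits.append(Hit("screenconnect_traversal", **common))
            traversal_clients.add(ip)
        elif match_smartermail_post(rec):
            hits.append(Hit("smartermail_post", **common))
        elif ip in traversal_clients and status == 200 and stem.lower().endswith(WEBSHELL_EXTENSIONS):
            hits.append(Hit("webshell_followup", **common))
    return hits


if __name__ == "__main__":
    for h in analyze(SAMPLE_IIS_LOG):
        print(f"{h.timestamp} {h.rule:24} {h.client_ip:15} {h.method} {h.stem} -> {h.status}")
```

One caveat when running this over real exports: IIS generally records `cs-uri-stem` after normalisation, so a traversal sequence placed in the path rather than the query string may not survive as `..%2f` in the stem field; the rule and this example both key on the query, which is why the follow-on check (same client, later 200 on a script endpoint) is worth keeping alongside it.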

**Critical Assets for Exfiltration:**
DRAGONFORCE specifically targets:
*   HR and Financial databases (Payroll).
*   Client lists and intellectual property (crucial for Business Services victims).
*   CAD/CAM designs (Manufacturing victims).
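Item 3 of the checklist above (egress spikes over 500 MB to non-whitelisted IPs) translates into a per-destination byte aggregation over firewall session logs. The following Python is an added example, not the page's or Security Arsenal's tooling; the CSV layout, the allowlisted provider range `198.51.100.0/24` and the internal ranges are assumptions, and the log rows are constructed.

```python
"""Flag egress volume spikes to non-allowlisted external IPs from constructed firewall
session records (checklist item 3: data staging / exfiltration)."""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed sample: timestamp,src_ip,dst_ip,dst_port,bytes_out (one row per session).
SAMPLE_FW_LOG = """\
timestamp,src_ip,dst_ip,dst_port,bytes_out
2026-05-24T22:01:00Z,10.10.5.21,203.0.113.40,443,200000000
2026-05-24T22:07:00Z,10.10.5.21,203.0.113.40,443,350000000
2026-05-24T22:09:00Z,10.10.5.22,198.51.100.10,443,600000000
2026-05-24T22:15:00Z,10.10.5.23,10.10.9.5,445,900000000
2026-05-24T22:20:00Z,10.10.5.24,203.0.113.41,443,100000000
"""

# Assumed allowlist (hypothetical backup/SaaS provider range) and internal ranges.
# Internal ranges are listed explicitly rather than using ip.is_private, because Python
# also classifies the documentation ranges used in this sample as non-global.
ALLOWLIST = [ip_network("198.51.100.0/24")]
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
THRESHOLD_BYTES = 500 * 10**6  # the checklist's 500 MB, taken as decimal megabytes


def _in_any(addr: str, nets) -> bool:
    ip = ip_address(addr)
    return any(ip in n for n in nets)


def egress_by_pair(log_text: str) -> dict[tuple[str, str], int]:
    """Sum bytes_out per (src, dst) pair, ignoring internal destinations."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for row in csv.DictReader(StringIO(log_text)):
        try:
            n = int(row["bytes_out"])
        except (KeyError, ValueError):
            continue  # skip malformed rows rather than abort
        if _in_any(row["dst_ip"], INTERNAL):
            continue
        totals[(row["src_ip"], row["dst_ip"])] += n
    return dict(totals)


def flag_staging(log_text: str, threshold: int = THRESHOLD_BYTES,
                 allowlist=ALLOWLIST) -> list[tuple[str, str, int]]:
    """Return (src, dst, total_bytes) for pairs above the threshold whose destination
    is not allowlisted, largest total first."""
    flagged = [
        (src, dst, total)
        for (src, dst), total in egress_by_pair(log_text).items()
        if total > threshold and not _in_any(dst, allowlist)
    ]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total in flag_staging(SAMPLE_FW_LOG):
        print(f"{src} -> {dst}: {total / 10**6:.0f} MB egress in window, review for data staging")
```

Summing per pair matters because staging tools typically push many medium-sized sessions rather than one large transfer; a per-session threshold would miss the first two rows in the sample, while the aggregated pair crosses 500 MB. Tune the window and threshold to the site's normal outbound profile before alerting on this.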

**Containment Actions (Ordered by Urgency):**
1.  **Isolate:** Disconnect affected systems from the network immediately; do not power off if memory acquisition is needed.
2.  **Revoke:** Reset credentials for all privileged accounts and enforce MFA (if not already active).
3.  **Block:** Block at the firewall all IPs associated with recent C2 traffic, as well as the VPN entry points used for initial access.

# Hardening Recommendations

**Immediate (24h):**
*   **Patch CVE-2024-1708:** Apply the ConnectWise ScreenConnect patch immediately or disable public internet access to the ScreenConnect web interface.
*   **Patch Exchange & SmarterMail:** Verify patching levels for CVE-2023-21529, CVE-2025-52691, and CVE-2026-23760.
*   **MFA Enforcement:** Enforce strict MFA on all VPN, RDP, and webmail gateways.

**Short-term (2 weeks):**
*   **Network Segmentation:** Move critical backup infrastructure and business servers (e.g., Accounting, HR) into isolated VLANs inaccessible from the general corporate network.
*   **EDR Deployment:** Ensure Endpoint Detection and Response (EDR) coverage is 100% on all servers, particularly those exposed to the internet.
*   **Remote Tool Audit:** Audit and restrict access to remote management tools (ScreenConnect, RMM) to specific source IPs only.
