Threat Actor Profile — DRAGONFORCE
DRAGONFORCE is a Ransomware-as-a-Service (RaaS) operation that has recently surged in activity, posting 15 new victims in a single day. The group operates with a sophisticated double-extortion model, exfiltrating sensitive data before encryption and threatening public disclosure.
Known Characteristics:
- Aliases: DragonForce, DRG
- Model: RaaS with affiliate network
- Typical Ransom Demands: $500K - $5M depending on victim size
- Initial Access Methods: Primarily vulnerability exploitation (CVE-2026-48027, CVE-2024-1708), supplemented by phishing and VPN exploitation
- Double Extortion: Standard practice - exfiltrates data before encryption
- Average Dwell Time: 7-14 days before detonation
Current Campaign Analysis
Sectors Under Attack
DRAGONFORCE is targeting a broad range of industries with the following distribution based on recent victims:
- Business Services (20%)
- Consumer Services (13%)
- Technology (13%)
- Agriculture and Food Production (13%)
- Transportation/Logistics (7%)
- Healthcare (7%)
- Manufacturing (7%)
- Unknown/Not Found (20%)
Geographic Concentration
Based on the last 15 victims posted:
- United States: 27%
- United Kingdom: 27%
- Canada: 13%
- Netherlands: 13%
- Italy: 7%
- Germany: 7%
- Niger: 7%
Victim Profile
The victims appear to be primarily small to mid-sized businesses with estimated revenues in the $10M to $500M range. The high frequency of postings (15 victims in one day) suggests DRAGONFORCE is operating with a high-velocity campaign approach.
Exploited Vulnerabilities
DRAGONFORCE is actively exploiting the following CVEs for initial access:
- CVE-2026-48027 (Nx Console): Recently added to CISA KEV (2026-05-27)
- CVE-2024-1708 (ConnectWise ScreenConnect): Added to CISA KEV (2026-04-28)
- CVE-2023-21529 (Microsoft Exchange Server): Added to CISA KEV (2026-04-13)
- CVE-2026-20131 (Cisco Secure Firewall Management Center): Added to CISA KEV (2026-03-19)
- CVE-2025-52691 (SmarterTools SmarterMail): Added to CISA KEV (2026-01-26)
Detection Engineering
SIGMA Rules
YAML
---
title: Potential Nx Console Exploitation - DRAGONFORCE Initial Access
id: df-1001
description: Detects potential exploitation of Nx Console vulnerability (CVE-2026-48027) commonly used by DRAGONFORCE ransomware gang
status: experimental
author: Security Arsenal Research
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
date: 2026/05/29
tags:
- attack.initial_access
- attack.t1190
- cve.2026.48027
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith: '\nx-console.exe'
CommandLine|contains:
- '--download'
- '--execute'
- '--install'
condition: selection
falsepositives:
- Legitimate Nx Console usage
level: high
---
title: DRAGONFORCE Lateral Movement via PsExec
id: df-1002
description: Detects suspicious PsExec usage patterns associated with DRAGONFORCE ransomware lateral movement
status: experimental
author: Security Arsenal Research
date: 2026/05/29
tags:
- attack.lateral_movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith: '\psexec.exe'
CommandLine|contains:
- '-accepteula'
- '\\\'
filter:
ParentProcessName|contains:
- '\System32\'
- '\Windows\'
- '\Program Files\'
condition: selection and not filter
falsepositives:
- Legitimate administrative tasks
level: high
---
title: DRAGONFORCE Data Staging - Mass File Archiving
id: df-1003
description: Detects potential data staging activity before exfiltration by DRAGONFORCE ransomware gang
status: experimental
author: Security Arsenal Research
date: 2026/05/29
tags:
- attack.collection
- attack.t1005
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith:
- '\7z.exe'
- '\winrar.exe'
- '\tar.exe'
CommandLine|contains:
- '-a'
- '-m0'
- '-m5'
- 'archive'
timeframe: 5m
condition: selection | count() > 3
falsepositives:
- Legitimate system backup activities
level: medium
KQL for Microsoft Sentinel
KQL — Microsoft Sentinel / Defender
// Hunt for DRAGONFORCE lateral movement indicators
let TimeRange = ago(7d);
let SuspiciousProcesses = dynamic(["psexec.exe", "wmic.exe", "wmi.exe", "powershell.exe", "cmd.exe"]);
// Look for processes spawned from suspicious parents
DeviceProcessEvents
| where Timestamp >= TimeRange
| where InitiatingProcessFileName in (SuspiciousProcesses) or FileName in (SuspiciousProcesses)
| where InitiatingProcessCommandLine has "-encodedCommand" or InitiatingProcessCommandLine has "Invoke-"
or CommandLine has "-encodedCommand" or CommandLine has "Invoke-"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
PowerShell Detection Script
PowerShell
# DRAGONFORCE Ransomware Detection Script
# This script checks for indicators of DRAGONFORCE ransomware activity
$Results = @()
# Check for recent suspicious scheduled tasks
Write-Host "Checking for recently added scheduled tasks..." -ForegroundColor Yellow
$RecentTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($RecentTasks) {
$Results += "RECENT TASKS FOUND: $($RecentTasks.Count) tasks created in the last 7 days"
foreach ($Task in $RecentTasks) {
$Results += "Task: $($Task.TaskName), Created: $($Task.Date), Action: $($Task.Actions.Execute)"
}
} else {
$Results += "No suspicious scheduled tasks found in the last 7 days"
}
# Check for modified Volume Shadow Copies
Write-Host "Checking for modified Volume Shadow Copies..." -ForegroundColor Yellow
try {
$VSSChanges = vssadmin list shadows | Select-String "Shadow Copy Volume"
$RecentShadows = $VSSChanges | Where-Object { $_ -match (Get-Date).ToString("MM/dd/yyyy") }
if ($RecentShadows) {
$Results += "RECENT VSS CHANGES FOUND: Multiple shadow copies created today"
$Results += $RecentShadows
} else {
$Results += "No unusual Volume Shadow Copy activity detected"
}
} catch {
$Results += "Could not check Volume Shadow Copy status: $_"
}
# Check for unusual network connections
Write-Host "Checking for suspicious network connections..." -ForegroundColor Yellow
try {
$Connections = Get-NetTCPConnection -State Established | Where-Object { $_.RemotePort -eq 4444 -or $_.RemotePort -eq 8080 }
if ($Connections) {
$Results += "SUSPICIOUS NETWORK CONNECTIONS FOUND:"
foreach ($Conn in $Connections) {
$Results += "Remote: $($Conn.RemoteAddress):$($Conn.RemotePort), PID: $($Conn.OwningProcess)"
}
} else {
$Results += "No suspicious network connections detected on common C2 ports"
}
} catch {
$Results += "Could not check network connections: $_"
}
# Display results
Write-Host "`n==== SCAN RESULTS ====" -ForegroundColor Cyan
foreach ($Result in $Results) {
if ($Result -match "FOUND|DETECTED") {
Write-Host $Result -ForegroundColor Red
} else {
Write-Host $Result -ForegroundColor Green
}
}
Incident Response Priorities
T-Minus Detection Checklist
Before encryption occurs, look for these DRAGONFORCE-specific indicators:
- Exploitation attempts of CVE-2026-48027 (Nx Console)
- Suspicious ConnectWise ScreenConnect activity (CVE-2024-1708)
- Unusual Microsoft Exchange Server authentication patterns (CVE-2023-21529)
- Cisco Secure Firewall Management Center exploitation (CVE-2026-20131)
- SmarterTools SmarterMail upload activity (CVE-2025-52691)
- Unauthorized scheduled tasks created in the last 7 days
- Unusual PsExec or WMI execution patterns
- Rapid file compression/archiving activities
Critical Assets Targeted for Exfiltration
Based on DRAGONFORCE's historical playbook:
- Financial records and customer databases
- Intellectual property and trade secrets
- Employee personal information
- Customer personal data
- Strategic business documents and contracts
Containment Actions (Priority Order)
- Isolate compromised systems immediately
- Disconnect from network if ransomware execution is suspected
- Revoke and reset all credentials for potentially compromised accounts
- Patch CVE-2026-48027, CVE-2024-1708, CVE-2023-21529, CVE-2026-20131, and CVE-2025-52691
- Implement network segmentation to limit lateral movement
- Secure backups and verify their integrity
- Enable enhanced logging on all critical systems
- Implement MFA for all administrative accounts
Hardening Recommendations
Immediate (24 Hours)
- Patch CVE-2026-48027 (Nx Console) across all endpoints
- Patch CVE-2024-1708 (ConnectWise ScreenConnect)
- Patch CVE-2023-21529 (Microsoft Exchange Server)
- Patch CVE-2026-20131 (Cisco Secure Firewall Management Center)
- Patch CVE-2025-52691 (SmarterTools SmarterMail)
- Disable unnecessary RDP access
- Implement or enforce MFA for all administrative accounts
- Configure network segmentation to isolate critical systems
Short-Term (2 Weeks)
- Conduct a comprehensive vulnerability assessment focusing on the CVEs mentioned
- Implement application whitelisting for administrative tools
- Deploy enhanced endpoint detection and response (EDR) capabilities
- Implement a zero-trust network architecture
- Conduct security awareness training, especially on phishing
- Review and restrict VPN access
- Implement strict backup and recovery procedures with offline backups
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebransomware-gangdragonforceransomwaremulti-sector-attackvulnerability-exploitationinitial-accesslateral-movement
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.