Overview: DragonForce is a relatively new but highly aggressive ransomware operation that has rapidly escalated its victim count. Based on recent leak site analysis, the group operates with a high degree of automation, likely leveraging a RaaS (Ransomware-as-a-Service) framework or an affiliate model focused on opportunistic exploitation of internet-facing vulnerabilities rather than long-term, hands-on-keyboard persistence.
TTPs & Playbook:
- Ransom Model: Aggressive double extortion. Victims are given short windows (often 48-72 hours) to negotiate before data is leaked. Ransom demands typically range from $500,000 to $5 million, depending on victim revenue.
- Initial Access: The group primarily exploits known vulnerabilities in edge devices and remote management software rather than phishing. Current campaigns show a heavy reliance on unpatched VPNs, RMM tools (ConnectWise), and email gateways.
- Dwell Time: Short. The group moves laterally and exfiltrates data rapidly, often within 2-5 days of initial access, minimizing the window for detection.
Current Campaign Analysis
Campaign Snapshot (2026-05-28): DragonForce has posted an alarming 15 new victims in a single day (2026-05-27), signaling a highly active automated campaign targeting unpatched external infrastructure.
Targeted Sectors: The victims span a wide range of critical sectors, with a notable emphasis on:
- Technology & Business Services: 40% of recent victims (e.g., Northbridge, Practicus, Nemd). These are prime targets for intellectual property theft.
- Healthcare: Ramos Rheumatology (US) is a critical deviation, suggesting DragonForce is casting a wide net regardless of HIPAA sensitivities.
- Logistics & Agriculture: Essential supply chain nodes (President Container Group, Pieralisi) suggest an intent to disrupt operational continuity.
Geographic Concentration: The campaign is globally dispersed but heavily weighted towards NATO countries and allied nations (US, GB, CA, NL, DE). This geopolitical distribution suggests the group may be operating out of a jurisdiction safe from Western extradition treaties.
Victim Profile:
The targets range from mid-market businesses ($50M - $500M revenue) to large logistics entities. The inclusion of ksmart.ca and dunasgroen.nl indicates the group is indiscriminately scanning for vulnerable internet-facing services regardless of company size.
CVE Correlation & Attack Vector: The surge in victims correlates directly with the exploitation of CISA Known Exploited Vulnerabilities (KEV):
- CVE-2024-1708 (ConnectWise ScreenConnect): A critical path traversal vulnerability. This is likely the primary vector for the Technology and Business Services victims, granting remote code execution (RCE).
- CVE-2025-52691 / CVE-2026-23760 (SmarterMail): These file upload and auth bypass flaws are likely responsible for access to email servers, facilitating credential harvesting and lateral movement.
- CVE-2023-21529 (Exchange Server): Continued exploitation of legacy Exchange deserialization flaws in environments that have failed to patch or mitigate effectively.
Detection Engineering
Sigma Rules
YAML
---
title: Potential ConnectWise ScreenConnect Path Traversal Exploit
id: 8d7c6b5a-4f3e-2d1c-9b8a-7f6e5d4c3b2a
description: Detects exploitation attempts of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious path traversal patterns in URI
status: experimental
author: Security Arsenal
date: 2026/05/28
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: webserver
detection:
selection:
c-uri|contains:
- '../'
- '%2e%2e'
c-uri|contains:
- '/WebResource.axd'
- '/SetupWizard.aspx'
condition: selection
falsepositives:
- Potential false positive depending on application architecture
level: critical
---
title: SmarterMail Authentication Bypass and File Upload
eid: 9e8d7c6b-5f4e-3d2c-0a9b-8f7e6d5c4b3a
description: Detects potential exploitation of CVE-2026-23760 (Auth Bypass) and CVE-2025-52691 (File Upload) in SmarterMail
status: experimental
author: Security Arsenal
date: 2026/05/28
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
product: smtp
detection:
selection_upload:
c-uri|contains: '.aspx'
sc-status: 200
cs-method: POST
selection_bypass:
c-uri|contains: 'ResetPassword.aspx'
cs-uri-query|contains: 'token='
filter_legit:
c-ip|cidr: '10.0.0.0/8'
condition: 1 of selection* and not filter_legit
falsepositives:
- Legitimate administrative password resets
level: high
---
title: DRAGONFORCE Potential Data Staging Activity
id: 0f1a2b3c-4d5e-6f7a-8b9c-0d1e2f3a4b5c
description: Identifies patterns consistent with DragonForce data exfil staging (massive file copy to Temp folder)
status: experimental
author: Security Arsenal
date: 2026/05/28
logsource:
product: windows
service: security
detection:
selection:
EventID: 4663
ObjectType: 'File'
ObjectName|contains:
- '\Windows\Temp\'
- '\Temp\'
filter:
SubjectUserName|endswith: '$'
condition: selection | count() by SubjectUserName > 100
falsepositives:
- Software installers or system updates
level: high
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for SmarterMail and ConnectWise exploitation signs
// Focuses on successful logins followed immediately by admin actions or suspicious file uploads
let TimeRange = 1d;
let ConnectWiseLogs = Syslog
| where ProcessName contains "ScreenConnect"
| where SyslogMessage has_all ("SetupWizard", "..")
| project TimeGenerated, HostName, ProcessName, SyslogMessage;
let SmarterMailLogs = W3CIISLog
| where csUriStem endswith ".aspx" and (csUriStem contains "ResetPassword" or csUriStem contains "FileManager")
| extend SourceIP = cIP, URI = csUriStem, Query = csUriQuery
| project TimeGenerated, SourceIP, URI, Query, sSiteName;
union ConnectWiseLogs, SmarterMailLogs
| order by TimeGenerated desc
PowerShell Triage Script
PowerShell
<#
.SYNOPSIS
DRAGONFORCE Triage Script
.DESCRIPTION
Checks for indicators of compromise related to CVE-2024-1708 (ScreenConnect) and
CVE-2026-23760 (SmarterMail) and looks for data staging artifacts.
#>
Write-Host "[!] Initiating DRAGONFORCE Triage..." -ForegroundColor Red
# 1. Check ScreenConnect Web Logs for Path Traversal (CVE-2024-1708)
$logPath = "C:\Program Files (x86)\ScreenConnect\App_Web\*.log"
if (Test-Path $logPath) {
Write-Host "[*] Checking ScreenConnect Logs for Path Traversal..." -ForegroundColor Yellow
$results = Select-String -Path $logPath -Pattern "\.\.\/|SetupWizard" -SimpleMatch
if ($results) { Write-Host "[+] Suspicious Activity Found:" $results.Count -ForegroundColor Red }
}
# 2. Check SmarterMail logs for Auth Bypass (CVE-2026-23760)
$smLogs = "C:\Program Files (x86)\SmarterTools\SmarterMail\Logs"
if (Test-Path $smLogs) {
Write-Host "[*] Checking SmarterMail Logs for Auth Bypass..." -ForegroundColor Yellow
$recentLogs = Get-ChildItem $smLogs -Recurse -File | Where-Object LastWriteTime -gt (Get-Date).AddHours(24)
$suspect = $recentLogs | Select-String "ResetPassword" | Select-String "200"
if ($suspect) { Write-Host "[+] Potential Exploit Detected:" $suspect.Path -ForegroundColor Red }
}
# 3. Check for Massive Data Staging in Temp Folders
$tempFolders = @("$env:SystemRoot\Temp", "$env:TEMP")
Write-Host "[*] Checking for Data Staging in Temp Directories..." -ForegroundColor Yellow
foreach ($folder in $tempFolders) {
$files = Get-ChildItem $folder -File -Recurse -ErrorAction SilentlyContinue | Where-Object LastWriteTime -gt (Get-Date).AddHours(48)
if ($files.Count -gt 500) {
Write-Host "[!] ALERT: High volume of recent files in $folder - Possible Staging" -ForegroundColor Red
}
}
Write-Host "[*] Triage Complete." -ForegroundColor Green
---
# Incident Response Priorities
**T-Minus Detection Checklist:**
1. **Perimeter Scan:** Immediately scan all public-facing IPs for vulnerabilities related to **CVE-2024-1708** and **CVE-2026-23760**.
2. **Log Review:** Correlate IIS/W3C logs for the last 7 days looking for anomalies in `/ResetPassword.aspx` endpoints or ScreenConnect paths.
3. **Account Audit:** Check for unexpected user creation or modification in SmarterMail and Active Directory.
**Critical Assets Prioritized for Exfiltration:**
* HR databases (SSN/Tax info)
* Customer Relationship Management (CRM) exports
* Intellectual Property (Source code, schematics)
* Financial records (Audit reports, banking info)
**Containment Actions:**
1. **Isolate:** Disconnect ConnectWise ScreenConnect servers and SmarterMail servers from the network immediately if patch status is unverified.
2. **Reset:** Force reset all credentials for accounts that had access to the compromised management tools.
3. **Block:** Block inbound traffic to identified attacker C2 IPs found in logs.
---
# Hardening Recommendations
**Immediate (24 Hours):**
* **Patch Emergency:** Apply patches for **CVE-2024-1708** (ConnectWise), **CVE-2026-23760** (SmarterMail), and **CVE-2023-21529** (Exchange). If patching is not possible, **disable** external internet access to these services immediately.
* **MFA Enforcement:** Ensure strict MFA is enforced on all remote management tools and email admin portals.
**Short-term (2 Weeks):**
* **Network Segmentation:** Move management interfaces (like ScreenConnect and OWA) into a dedicated, isolated management VLAN with strict egress filtering.
* **Zero Trust Access:** Replace perimeter-based VPN access with Identity-aware Zero Trust Network Access (ZTNA) solutions.
---
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebransomware-gangdragonforceransomwarecisa-kevscreenconnecthealthcareinitial-access
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.