Back to Intelligence

DRAGONFORCE Ransomware: Mass Exploitation via Nx Console & Critical Infrastructure Attack

SA
Security Arsenal Team
May 30, 2026
6 min read

Date: 2026-05-30
Source: Dark Web Leak Site Monitoring / Ransomware.live Threat Level: CRITICAL

Threat Actor Profile — DRAGONFORCE

Aliases: None confirmed (Operates as standalone entity). Model: Ransomware-as-a-Service (RaaS) with aggressive affiliate onboarding. Ransom Demands: Variable, typically ranging from $500k to $5M USD, escalating based on revenue and data sensitivity. TTPs Overview: DRAGONFORCE has rapidly shifted from opportunistic phishing to precision exploitation of remote management tools. They are observed utilizing a Double Extortion model, exfiltrating sensitive CAD designs, client databases, and financial records prior to encryption. Average dwell time is estimated at 3-5 days between initial access and detonation, utilizing这段时间 to move laterally and harvest credentials.

Known Initial Access Vectors:

  • Exploitation of Internet-Facing Management Consoles (ScreenConnect, Nx Console).
  • Valid credentials obtained via infostealers (RedLine).
  • VPN brute-forcing targeting unpatched firewall appliances.

Current Campaign Analysis

Executive Summary: DRAGONFORCE is executing a high-velocity campaign correlating directly with the weaponization of CVE-2026-48027 (Nx Console Embedded Malicious Code). A significant spike in victim postings occurred on 2026-05-27, the same day this CVE was added to the CISA KEV catalog.

Sector Targeting: The current campaign shows a distinct pivot towards Supply Chain and Operational Technology (OT) adjacent sectors:

  • Manufacturing: Henry Molded Products, President Container Group (High value for IP theft).
  • Technology: Northbridge, Nemd.
  • Transportation/Logistics: Shoreline Sightseeing, President Container.

Geographic Concentration:

  • Primary: United States (4 victims), United Kingdom (4 victims).
  • Secondary: Canada, Netherlands, Italy, Germany.

Victim Profile: Targets appear to be mid-market enterprises ($50M - $500M revenue), likely lacking mature 24/7 SOC capabilities to detect the exploitation of niche management tools like Nx Console.

Observed Frequency: A "dump-and-burn" posting pattern was observed on 2026-05-27, where 12 victims were published simultaneously. This suggests an automated script or a bulk acquisition of access via a single compromised software supply chain or exploit automation.

CVE Correlation: The timeline strongly suggests CVE-2026-48027 is the primary Initial Access Vector (IAV) for this cluster. Additionally, historical DRAGONFORCE activity links back to CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2023-21529 (Microsoft Exchange), indicating persistent preference for remote access and collaboration vulnerabilities.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Nx Console Malicious Code Execution CVE-2026-48027
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects suspicious child processes spawned by Nx Console or related java wrappers, indicative of embedded malicious code execution or deserialization attacks.
status: experimental
date: 2026/05/30
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains:
            - 'NxConsole.exe'
            - 'wrapper.exe'
            - 'java.exe'
        Image|endswith:
            - 'powershell.exe'
            - 'cmd.exe'
            - 'pwsh.exe'
            - 'bash.exe'
    filter_legit:
        CommandLine|contains:
            - 'update'
            - 'install'
            - 'config'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative use by developers
level: high
---
title: ScreenConnect Path Traversal Exploit Attempt CVE-2024-1708
date: 2026/05/30
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
description: Detects web shell-like activity or path traversal indicators in ScreenConnect logs often used by DRAGONFORCE affiliates.
status: experimental
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestPort: 8040
        LayerRTID: 44
        ProcessName|endswith: '\WebScreenConnect.exe'
    filter:
        SourceAddress|cidr:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection and not filter
level: high
---
title: Large Scale Data Staging Ransomware Precursor
date: 2026/05/30
id: c3d4e5f6-7890-12bc-def0-345678901cde
description: Detects usage of archiving tools (WinRAR, 7-Zip) compressing high volumes of data to local drives, common before DRAGONFORCE exfiltration.
status: experimental
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\winrar.exe'
            - '\7z.exe'
            - '\rar.exe'
        CommandLine|contains:
            - 'a -'
            - 'a -tzip'
            - 'm0'
    timeframe: 1h
    condition: selection | count() > 5
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Suspicious Nx Console or ScreenConnect Activity
// Focus on processes spawned by management services making network connections
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("NxConsole.exe", "WebScreenConnect.exe", "java.exe", "Wrapper.exe")
| where ProcessFileName in ("powershell.exe", "cmd.exe", "powershell_ise.exe", "cscript.exe")
| where isnotinitiatingProcessAccountName) // Filter system
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine, AccountName, InitiatingProcessSHA256
| order by Timestamp desc

PowerShell Hardening Script

PowerShell
<#
.SYNOPSIS
    DragonForce Emergency Response Script
.DESCRIPTION
    Checks for signs of DragonForce TTPs: Scheduled tasks, shadow copy manipulation, and suspicious Nx Console instances.
#>

Write-Host "[+] Checking for recently created Scheduled Tasks (Potential persistence)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize

Write-Host "[+] Checking for Volume Shadow Copy Deletion attempts..." -ForegroundColor Cyan
$Events = Get-WinEvent -LogName Application -FilterXPath "*[System[(EventID=1)]] and *[Data[Backup and Restore]]" -ErrorAction SilentlyContinue
if ($Events) { $Events | Select-Object TimeCreated, Message } else { Write-Host "No suspicious vssadmin events found." }

Write-Host "[+] Checking for Nx Console processes spawning shell..." -ForegroundColor Yellow
$Procs = Get-WmiObject Win32_Process | Where-Object { $_.Name -eq "powershell.exe" -or $_.Name -eq "cmd.exe" }
foreach ($p in $Procs) {
    $Parent = Get-WmiObject Win32_Process | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
    if ($Parent.Name -like "*Nx*" -or $Parent.Name -like "*java*") {
        Write-Host "[!] ALERT: Suspicious parent-child process detected: $($Parent.Name) -> $($p.Name)" -ForegroundColor Red
    }
}


---

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption):

  1. Proxy Logs: Hunt for outbound connections to known DRAGONFORCE DDNS domains (usually utilizing .tk or .ml TLDs) or large data transfers to anomalous IP ranges.
  2. Management Console Logs: Review logs for Nx Console, ConnectWise ScreenConnect, and Cisco FMC for authentication anomalies or mass file access events on 2026-05-26 through 2026-05-30.
  3. Active Directory: Look for accounts added to "Domain Admins" group in the last 48 hours.

Critical Assets Targeted:

  • Manufacturing: CAD files, PDM databases, ERP systems (SAP/Oracle).
  • Business Services: Client PII, financial databases, email archives.

Containment Actions:

  1. Immediate: Isolate systems running Nx Console or ScreenConnect from the network. Do not power off; snapshot memory for forensics.
  2. High Priority: Reset credentials for all service accounts associated with the identified management consoles.
  3. Urgent: Block inbound traffic to management interfaces (ports 8040, 4433) from untrusted IP spaces at the firewall.

Hardening Recommendations

Immediate (24 Hours):

  1. Patch CVE-2026-48027: Update Nx Console to the latest patched version immediately.
  2. Patch CVE-2024-1708: Ensure ConnectWise ScreenConnect is patched to build 23.9.8.x or later.
  3. Network Segmentation: Disconnect management plane interfaces (ScreenConnect, Nx Console, RDP) from the general corporate LAN. Place them in a dedicated VLAN with strict access controls.

Short-term (2 Weeks):

  1. Implement MFA: Enforce phishing-resistant MFA (FIDO2) for all remote access and management console logins.
  2. Egress Filtering: Configure firewalls to block outbound RDP (3389) and SMB (445) traffic from the internal network to the internet.
  3. Least Privilege: Audit and revoke local administrator rights for standard users on manufacturing workstations.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangdragonforceransomwaremanufacturingcve-2026-48027nx-consoleinitial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action