ctipilot.ch

DragonForce

actor · actor:dragonforce

DragonForce — ransomware-as-a-service operator exploiting SimpleHelp RMM

  • Coverage timeline: 2 (first 2026-05-07 → last 2026-06-29)
  • Entries: 2 (2 distinct days)
  • Sources cited: 15 (6 hosts)
  • Sections touched: 2 (deep-dive, weekly-annual-reports)
  • Co-occurring entities: 6
  • Appearances: 2 (2026-06-17 and 2026-06-29)

Story timeline

  1. 2026-06-29 · weekly-annual-reports · ESET "Killing me gently" — a de-facto mid-year RaaS-tooling report
  2. 2026-06-17 · deep-dive · DragonForce abuses Microsoft Teams TURN relays for C2 and chains four vulnerable drivers (BYOVD)

Where this entity is cited

  • deep-dive: 1
  • weekly-annual-reports: 1

Source distribution

  • attack.mitre.org: 10 (67%)
  • bleepingcomputer.com: 1 (7%)
  • eset.com: 1 (7%)
  • helpnetsecurity.com: 1 (7%)
  • security.com: 1 (7%)
  • welivesecurity.com: 1 (7%)

Entries about DragonForce (2)

2026-06-29

ESET "Killing me gently" — a de-facto mid-year RaaS-tooling report

notable · annual-report · discovered 2026-06-29 00:21 UTC

Background. The Gentlemen emerged in late 2025 as a RaaS operation founded by "hastalamuerte" (a former Qilin affiliate per Group-IB, previously affiliated with Embargo, LockBit, Medusa and BlackLock per PRODAFT). ESET first hypothesised an in-house EDR-killer in February 2026; Group-IB and Check Point independently corroborated before the gang's own internal data leaked. By April 2026 the group accounted for ~10% of global ransomware activity, and Krebs (06-10) linked the alias to a named individual in Izhevsk, Russia.

ESET's 06-26 deep-dive into the leaked internal data is the most substantive published-in-window documentation of RaaS tooling structure, and reads as a mid-year complement to the W25 Check Point State of Ransomware Q1 2026. Three structural findings a detection engineer should register: (1) GentleKiller is a modular in-house framework with at least eight BYOVD variants, each impersonating a different vendor and abusing a different kernel driver — driver allow-listing alone is insufficient without process-injection-chain detection; (2) the group integrates rival gangs' EDR killers (HexKiller from Warlock, ThrottleBlood shared with MedusaLocker/DragonForce, HavocKiller), so tooling overlap no longer implies operational overlap; (3) victims are selected centrally on FortiGate misconfiguration rather than geography, tying the Gentlemen victim pipeline directly to FortiBleed-style reconnaissance (§ 8). New BYOVD PoCs are operationalised within days of public release. (daily 06-27)

Tags: ransomware, organized-crime, russia-nexus, global, europe, switzerland

2026-06-17

DragonForce abuses Microsoft Teams TURN relays for C2 and chains four vulnerable drivers (BYOVD)

high threat · deep dive · discovered 2026-06-17 05:14 UTC

Background. DragonForce is a ransomware-as-a-service operation that has been documented since 2023 and rebranded itself in 2024–2025 as a "cartel"-style affiliate model; it has been tied to attacks on retail and enterprise targets across multiple regions and has previously leaned on affiliate-supplied access and living-off-the-land tooling. This deep dive is not about the ransomware payload but about an intrusion Symantec disclosed on 2026-06-16 that introduces a genuinely novel command-and-control technique and an unusually deep bring-your-own-vulnerable-driver (BYOVD) chain (Symantec / Broadcom, 2026-06-16).

The intrusion. Symantec investigated a DragonForce intrusion at an unnamed major U.S. services company that began in December 2025 — roughly two months of undetected dwell before discovery (BleepingComputer, 2026-06-16). Initial access was via an internet-facing MSSQL server (or purchased access) — a reminder that exposed database services remain a high-value entry point (T1190 Exploit Public-Facing Application). The actor then dropped a ZIP containing a legitimate, signed DbgView64.exe (or VirtualBox binary) alongside a malicious vboxrt.dll, executed via DLL side-loading (T1574.002). Persistence was established through a LimitBlankPasswordUse registry modification, creation of rogue local users/groups (T1136.001), and firewall-rule changes.

Backdoor.Turn and the Teams TURN-relay C2 (the novel part). Backdoor.Turn is a Go-based RAT injected into DbgView64.exe. It obtains an anonymous Microsoft Teams visitor token from Skype identity services, then establishes a TURN (Traversal Using Relays around NAT) relay session through Microsoft's own infrastructure and runs a QUIC tunnel to the actual attacker C2. Symantec assesses this is the first known malware to abuse Teams' TURN relay servers for C2 (Symantec / Broadcom, 2026-06-16). The defensive consequence is severe: a defender inspecting network flows sees only outbound connections to legitimate Microsoft IP ranges — the technique is a high-trust proxy/relay abuse (T1090 Proxy) that blends with the Teams traffic any Microsoft 365 tenant already generates.

The four-driver BYOVD chain. To disable defences, the actor loaded four signed-but-vulnerable kernel drivers (T1068 Exploitation for Privilege Escalation, used here to reach kernel mode so that T1562.001 Impair Defenses could be carried out): Huawei HWAuidoOs2Ec.sys (novel, no prior CVE), Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055). A custom malicious driver, ABYSSWORKER, masqueraded as a Palo Alto Networks driver to handle defence evasion. Follow-on activity included network scanning (T1046), AD/LDAP enumeration (T1018), TLS-certificate harvesting, browser credential theft (T1555.003), and credential-based lateral movement (T1021).

Detection concepts (no IOCs). (1) Hunt for DbgView64.exe or VirtualBox binaries initiating QUIC (UDP/443) sessions to Microsoft TURN-relay ranges with anomalous parent-child trees (DbgView64.exe loading vboxrt.dll) — Sysmon EID 3 network-connection events filtered against expected Teams behaviour. (2) Alert on signed drivers from Huawei, Topaz, Tower of Fantasy or K7 Security loading on systems that are not gaming/AV hosts (Sysmon EID 6 driver-load). (3) Registry-value sets on HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (Sysmon EID 13). (4) Rogue local user/group creation (Windows Security EID 4720 / 4732) (Help Net Security, 2026-06-16).
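As an added example (not ctipilot's, Symantec's or Help Net Security's code), the four detection concepts above, together with the process-lineage point made for Backdoor.Turn and the driver-load point made for the BYOVD chain, written as Python hunt functions and run over constructed Sysmon and Windows Security events. Assumptions: events arrive as flat dicts carrying Sysmon/Security field names (Channel, EventID, Image, ImageLoaded, ProcessGuid, TargetObject, SubjectUserName and so on), the relay CIDRs are illustrative placeholders to be replaced from the Microsoft 365 endpoints feed, VirtualBox.exe stands in for the unnamed VirtualBox binary, and the host-role map and approved-admin allow-list are stand-ins for an asset inventory.

```python
"""Added example (not ctipilot or Symantec tooling): detection concepts (1)-(4) as
hunt functions over flattened Sysmon / Windows Security events, the dict-per-event
form an EVTX-to-JSON export or SIEM yields. Everything below is constructed."""
import ipaddress

# Assumed relay ranges: illustrative, to be refreshed from the Microsoft 365
# endpoints feed (Teams media / TURN entries) rather than trusted as-is.
TEAMS_RELAY_RANGES = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
# Side-load hosts from the write-up; VirtualBox.exe is an assumed stand-in.
SIDELOAD_HOSTS = {"dbgview64.exe", "virtualbox.exe"}
SIDELOAD_DLL = "vboxrt.dll"
# The four abused driver file names, plus signer substrings to catch renamed copies.
ABUSED_DRIVERS = {"hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys"}
ABUSED_SIGNERS = ("huawei", "topaz", "tower of fantasy", "k7")
LSA_VALUE = r"\control\lsa\limitblankpassworduse"
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def hunt_turn_c2(events):
    """(1) Sysmon EID 3: UDP/443 from a side-load host to a Teams relay range. A hit is
    'dll-correlated' when EID 7 shows vboxrt.dll loaded into the same ProcessGuid."""
    sideloaded = {e["ProcessGuid"] for e in events
                  if e["Channel"] == "Sysmon" and e["EventID"] == 7
                  and _base(e["Image"]) in SIDELOAD_HOSTS
                  and _base(e["ImageLoaded"]) == SIDELOAD_DLL}
    hits = []
    for e in events:
        if e["Channel"] != "Sysmon" or e["EventID"] != 3:
            continue
        if e["Protocol"].lower() != "udp" or int(e["DestinationPort"]) != 443:
            continue
        if _base(e["Image"]) not in SIDELOAD_HOSTS:
            continue  # ms-teams.exe and browsers reaching the same relays are expected
        dst = ipaddress.ip_address(e["DestinationIp"])
        if any(dst in net for net in TEAMS_RELAY_RANGES):
            reason = "dll-correlated" if e["ProcessGuid"] in sideloaded else "binary-name"
            hits.append((e["Computer"], _base(e["Image"]), e["DestinationIp"], reason))
    return hits

def hunt_driver_load(events, host_roles):
    """(2) Sysmon EID 6: an abused driver loading on a host not tagged gaming/AV."""
    hits = []
    for e in events:
        if e["Channel"] != "Sysmon" or e["EventID"] != 6:
            continue
        if host_roles.get(e["Computer"]) in ("gaming", "av"):
            continue
        name, signer = _base(e["ImageLoaded"]), e.get("Signature", "").lower()
        if name in ABUSED_DRIVERS or any(s in signer for s in ABUSED_SIGNERS):
            hits.append((e["Computer"], name))
    return hits

def hunt_lsa_registry(events):
    """(3) Sysmon EID 13: any value set on the Lsa LimitBlankPasswordUse key."""
    return [(e["Computer"], _base(e["Image"]), e["Details"]) for e in events
            if e["Channel"] == "Sysmon" and e["EventID"] == 13
            and e["TargetObject"].lower().endswith(LSA_VALUE)]

def hunt_rogue_accounts(events, approved_admins):
    """(4) Security EID 4720 (user created) / 4732 (member added to a privileged local
    group) where the acting account is not an approved provisioning identity."""
    hits = []
    for e in events:
        if e["Channel"] != "Security" or e["EventID"] not in (4720, 4732):
            continue
        if e["SubjectUserName"].lower() in approved_admins:
            continue
        if e["EventID"] == 4732 and e["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
            continue
        hits.append((e["Computer"], e["EventID"], e["SubjectUserName"], e["TargetUserName"]))
    return hits

SAMPLE_EVENTS = [  # constructed events mirroring the narrative; not IOCs
    {"Channel": "Sysmon", "EventID": 7, "Computer": "SRV01", "ProcessGuid": "{P1}",
     "Image": r"C:\Users\Public\DbgView64.exe", "ImageLoaded": r"C:\Users\Public\vboxrt.dll"},
    {"Channel": "Sysmon", "EventID": 3, "Computer": "SRV01", "ProcessGuid": "{P1}",
     "Image": r"C:\Users\Public\DbgView64.exe", "Protocol": "udp",
     "DestinationIp": "52.112.10.20", "DestinationPort": 443},
    {"Channel": "Sysmon", "EventID": 3, "Computer": "WS07", "ProcessGuid": "{P2}",
     "Image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe", "Protocol": "udp",
     "DestinationIp": "52.112.10.20", "DestinationPort": 443},  # legitimate Teams client
    {"Channel": "Sysmon", "EventID": 6, "Computer": "SRV01",
     "ImageLoaded": r"C:\Windows\Temp\wsftprm.sys", "Signature": "Topaz (constructed signer)"},
    {"Channel": "Sysmon", "EventID": 6, "Computer": "GAMEPC",  # expected on a gaming host
     "ImageLoaded": r"C:\Windows\System32\drivers\GameDriverx64.sys", "Signature": "game vendor"},
    {"Channel": "Sysmon", "EventID": 13, "Computer": "SRV01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     "Details": "DWORD (0x00000000)"},
    {"Channel": "Security", "EventID": 4720, "Computer": "SRV01",
     "SubjectUserName": "svc_backup", "TargetUserName": "support1"},
    {"Channel": "Security", "EventID": 4732, "Computer": "SRV01",
     "SubjectUserName": "svc_backup", "TargetUserName": "Administrators"},
    {"Channel": "Security", "EventID": 4720, "Computer": "DC01",
     "SubjectUserName": "helpdesk-admin", "TargetUserName": "newhire"},  # approved joiner flow
]
HOST_ROLES = {"GAMEPC": "gaming"}       # assumed asset-inventory lookup
APPROVED_ADMINS = {"helpdesk-admin"}    # assumed provisioning identities

if __name__ == "__main__":
    print(hunt_turn_c2(SAMPLE_EVENTS), hunt_driver_load(SAMPLE_EVENTS, HOST_ROLES),
          hunt_lsa_registry(SAMPLE_EVENTS), hunt_rogue_accounts(SAMPLE_EVENTS, APPROVED_ADMINS), sep="\n")
```

The EID 7 to EID 3 correlation on ProcessGuid is what lets hunt (1) ignore the legitimate Teams client reaching the same relay addresses, which is the point the entry makes about network reputation being useless here; the signer-substring match in hunt (2) still fires after a driver is renamed, which a file-name allow-list alone would miss.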

Hardening. Enforce kernel-driver allow-listing via WDAC/HVCI and keep the Microsoft vulnerable-driver blocklist current (it covers the LOLDrivers entries this chain abuses); constrain egress so that UDP/443 (QUIC) to Microsoft service tags is the only permitted path, and monitor that path itself; and audit internet-reachable MSSQL/SQL Server instances with the aim of removing every one of them. Because Backdoor.Turn rides genuine Microsoft relay infrastructure, IP/domain blocking is ineffective: the leverage is process-lineage and driver-load telemetry, not network reputation.

Tags: ransomware, organized-crime, identity, cloud, us, global