
DragonForce Ransomware Provides Affiliates with Customizable Toolkit to Build Tailored Payloads


DragonForce Ransomware, first identified in late 2023, has rapidly evolved into a formidable player within the global ransomware ecosystem, leveraging a sophisticated Ransomware-as-a-Service (RaaS) model. 

Originally rooted in ideologically motivated cyberattacks, DragonForce has since pivoted to financially driven operations, offering affiliates a highly customizable toolkit that enables the creation and deployment of tailored ransomware payloads.

This technical flexibility has allowed DragonForce to strike a diverse array of industries, including manufacturing, finance, technology, and critical infrastructure, with notable campaigns reported across North America, Europe, and Asia.

Modular Ransomware-as-a-Service Platform

The group’s infrastructure centers around a modular payload builder, empowering affiliates to fine-tune encryption modules, ransom notes, and lateral movement techniques according to the specific environment of each target. 

According to a Dark Atlas report, this toolkit is further enhanced by stealth-optimized encryption routines, which use intermittent encryption and advanced evasion mechanisms to circumvent endpoint detection and response (EDR) solutions. 

DragonForce’s multilingual victim portals and negotiation platforms facilitate seamless communication with international targets, amplifying the group’s global reach.

[Image: DragonForce post]

DragonForce’s affiliate platform is designed with operational efficiency in mind. Affiliates are provided with dedicated .onion-based control panels, featuring dashboards for revenue tracking, payload customization, and victim management. 

The platform’s CRM-like interface allows affiliates to monitor ransom negotiations and the status of compromised organizations, while integrated data leak capabilities enable direct publication of exfiltrated data to the group’s “DragonLeaks” dark web portal for public shaming and extortion leverage. 

Tiered revenue sharing incentivizes affiliates to pursue high-value, destructive campaigns, while robust support, including technical documentation and cryptocurrency laundering guidance, mirrors the user experience of legitimate SaaS offerings.

Rivalries and Escalating Turf Wars

The technical sophistication of DragonForce’s operations is underscored by its adoption of advanced ransomware builders, including a leaked version of LockBit 3.0 and a heavily customized fork of Conti. 

These variants incorporate features such as modular payloads, rapid encryption, anti-analysis mechanisms, and the ability to disable EDR/XDR protections via Bring Your Own Vulnerable Driver (BYOVD) techniques. 

The group’s toolchain is further augmented by SystemBC, which provides persistent command-and-control (C2) capabilities, supports covert lateral movement, and enables sustained access during multi-stage attacks.

[Image: DragonForce’s Data Leak Site (DLS)]

Initial access vectors exploited by DragonForce affiliates are diverse, encompassing phishing campaigns with weaponized attachments, exploitation of high-profile vulnerabilities such as Log4Shell (CVE-2021-44228), brute-force attacks on exposed RDP and VPN services, and the use of compromised credentials harvested from infostealers or prior breaches.
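Of the initial access vectors listed above, brute-force attempts against exposed RDP are among the easiest to monitor from a defender's side, because every failed attempt leaves a Windows Security event. The script below is an added illustration, not code from the Dark Atlas report or from any DragonForce tooling: it runs a sliding-window detection over constructed records modelled on event 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), flags source IPs that exceed a failure threshold within the window, and marks any flagged IP that later logs on successfully, since that is the alert an incident responder should triage first. The log format, field names, thresholds and IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from any real incident) modelled on Windows
# Security events 4625 (failed logon) and 4624 (successful logon).
# LogonType 10 = RemoteInteractive (RDP); LogonType 3 = network logon.
SAMPLE_LOGS = [
    "2025-05-01T02:10:01Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7",
    "2025-05-01T02:10:05Z EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7",
    "2025-05-01T02:10:09Z EventID=4625 LogonType=3 TargetUser=svc_backup SrcIP=198.51.100.9",
    "2025-05-01T02:10:12Z EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.7",
    "2025-05-01T02:10:20Z EventID=4624 LogonType=10 TargetUser=jdoe SrcIP=192.0.2.44",
    "2025-05-01T02:10:31Z EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7",
    "2025-05-01T02:10:44Z EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.9",
    "2025-05-01T02:11:02Z EventID=4625 LogonType=10 TargetUser=helpdesk SrcIP=203.0.113.7",
    "2025-05-01T02:12:30Z EventID=4624 LogonType=10 TargetUser=helpdesk SrcIP=203.0.113.7",
    "2025-05-01T03:40:00Z EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.9",
]

# Assumed flat log format for the example; a real pipeline would read EVTX/XML or a SIEM export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: {"first", "last", "failures", "users", "followed_by_success"}}.
    A later successful RDP logon (4624) from a flagged IP sets followed_by_success,
    which is the case a responder wants to look at first.
    """
    recent = defaultdict(deque)  # src_ip -> (timestamp, user) of failures still in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["lt"] != 10:
            continue  # skip unparsable lines and non-RDP logon types
        ip = ev["ip"]
        if ev["eid"] == 4624:
            if ip in alerts:
                alerts[ip]["followed_by_success"] = True
            continue
        if ev["eid"] != 4625:
            continue
        q = recent[ip]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if ip in alerts:
            alerts[ip]["failures"] += 1
            alerts[ip]["users"].add(ev["user"])
            alerts[ip]["last"] = ev["ts"]
        elif len(q) >= threshold:
            alerts[ip] = {
                "first": q[0][0],
                "last": ev["ts"],
                "failures": len(q),
                "users": {u for _, u in q},
                "followed_by_success": False,
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_LOGS).items():
        print(f"{ip}: {a['failures']} failed RDP logons across {sorted(a['users'])} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"success afterwards: {a['followed_by_success']}")
```

On the constructed sample, 203.0.113.7 trips the threshold within about a minute, spraying four different account names, and then succeeds as "helpdesk" shortly afterwards; 198.51.100.9 stays below threshold because its network-logon failure is excluded and its RDP failures are spread hours apart. The threshold and window should be tuned per environment, and the same sliding-window logic applies to VPN appliance authentication logs once they are normalized to the same fields.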

Post-exploitation activities leverage industry-standard tools such as Cobalt Strike for beacon deployment and lateral movement, and Mimikatz for credential harvesting, enabling rapid privilege escalation and network traversal in preparation for ransomware deployment.

DragonForce’s rise has coincided with significant upheaval within the RaaS landscape, marked by high-profile rivalries and operational disruptions. 

In April 2025, the abrupt disappearance of the RansomHub data leak site triggered speculation of an exit scam or internal sabotage. 

DragonForce capitalized on the situation by publicly inviting RansomHub affiliates to join its infrastructure, a move widely interpreted as a strategic taunt. 

Subsequent defacements and accusations of insider betrayal have fueled theories of either a rebranding maneuver or an escalating turf war between the two groups, with DragonForce temporarily pausing new affiliate onboarding amid the turmoil.

The group’s targeting strategy reflects a calculated focus on sectors where operational disruption yields maximum leverage, including manufacturing, technology, construction, healthcare, logistics, and even public services. 

The integration of double extortion tactics, combining data encryption with the threat of public data leaks, further amplifies the pressure on victims to comply with ransom demands.

As DragonForce continues to refine its tradecraft and expand its affiliate network, it exemplifies the convergence of professional RaaS operations with advanced persistent threat (APT)-like sophistication. 

Security teams are urged to harden external exposure points, monitor for known DragonForce tactics, techniques, and procedures (TTPs), and maintain a high state of incident response readiness to counter this rapidly evolving threat.
