Threat-actor profile

← Back to main site

Home/ Threat Actors/ DragonForce

🇲🇾DragonForce

🇲🇾 DragonForce is a tracked threat actor in the Clankerusecase corpus. Attributed to MY. Primary motivation: Criminal. We map 14 detection use cases to this actor across 51 MITRE ATT&CK techniques, with 3 threat-intel articles citing them. Active in our corpus from 2026-03-19 to 2026-06-11.

crit 3

View full actor card → All threat actors

14Use cases

3Articles

51Techniques

0IOCs

Known aliases

DragonForceDragonForce Malaysia

Top techniques

T1021.002 · SMB/Windows Admin Shares T1027 · Obfuscated Files or Information T1059.001 · PowerShell

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1014 · Rootkit T1021.001 · Remote Desktop Protocol T1027.002 · Software Packing T1027.005 · Indicator Removal from Tools T1027.009 · Embedded Payloads T1037.001 · Logon Script (Windows)T1055 · Process Injection T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.006 · Python T1059.007 · JavaScript T1068 · Exploitation for Privilege Escalation T1070.004 · File Deletion T1071.001 · Web Protocols T1071.004 · DNS T1098.001 · Additional Cloud Credentials T1102.002 · Bidirectional Communication T1105 · Ingress Tool Transfer T1140 · Deobfuscate/Decode Files or Information T1176 · Software Extensions T1190 · Exploit Public-Facing Application T1195.001 · Compromise Software Dependencies and Development Tools T1195.002 · Compromise Software Supply Chain T1204.001 · Malicious Link T1204.002 · Malicious File T1204.004 · Malicious Copy and Paste T1218 · System Binary Proxy Execution T1219 · Remote Access Tools T1486 · Data Encrypted for Impact T1489 · Service Stop T1490 · Inhibit System Recovery T1528 · Steal Application Access Token T1539 · Steal Web Session Cookie T1543.003 · Windows Service T1555.003 · Credentials from Web Browsers T1562.001 · T1562.001 T1562.004 · T1562.004 T1562.006 · T1562.006 T1562.009 · T1562.009 T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1566.004 · Spearphishing Voice T1569.002 · Service Execution T1574.002 · T1574.002 T1588.001 · Malware

Detection use cases (14)

DragonForce ransomware pre-encryption chain: vssadmin shadow deletion + bcdedit recovery disable + service stop on the same host AI · profile SDD DragonForce affiliate initial access via SimpleHelp RMM exploitation (CVE-2024-57727) followed by reconnaissance AI · profile SDD Miasma worm GitHub commit-search C2 magic strings on command line or script Bespoke Miasma supply-chain worm leaked repo clone, install or fetch Bespoke Beaconing — periodic outbound to small set of destinations Internal Suspicious browser extension installation Internal Infostealer — non-browser process accessing browser cookie/login DBs Internal Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Remote service execution — PsExec / SMB lateral movement Internal Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator Internal RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal OAuth consent / suspicious app grant Internal

Threat-intel articles (3)

crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories · 2026-06-11

crit What the ransom note won’t say · 2026-04-20

crit EDR killers explained: Beyond the drivers · 2026-03-19