🇲🇾 DragonForce
Threat-actor battle card · maintained from public sources · last updated 2026-06-22 · also known as FireFlame, FuryStorm
Category: Ransomware cartel (RaaS)
Attribution: Origins in a former Malaysian hacktivist collective
First seen: Late 2023
Status: Active
Rank: #22
Recent victims · last ~9d: 2
All-time victims: 582
Primary targets: Retail, Manufacturing, Healthcare, Government, Transportation
Overview
DragonForce is a Ransomware-as-a-Service operation that emerged in late 2023 — reportedly from a former Malaysian hacktivist group — and rebranded as a "ransomware cartel" on 19 March 2025, letting affiliates build their own brands on DragonForce tooling under a white-label model. Currently #4 with 248 claimed victims YTD (broke its growth streak in May). Closely associated with Scattered Spider, which has deployed DragonForce ransomware.
Tradecraft
- Multi-variant payloads built from leaked LockBit 3.0 and Conti builders — can switch families quickly to evade prediction.
- Dual extortion: encrypt and exfiltrate, then leak on the data leak site (DLS).
- Cartel model: recruits affiliates and even other RaaS crews, sharing infrastructure for a cut.
Notable recent victims
- High-profile UK retailers (June 2025 campaign)
- Manufacturing and retail targets across EU/US DLS batches
Assessment
The "cartel" structure and builder-agnostic payloads make DragonForce a moving target for signature-based defense. Its partnership with social-engineering crews like Scattered Spider raises the initial-access risk for large enterprises and their help desks.
Sources
🗂️ Attacks & victims
All disclosed victims attributed to this actor, newest first.
June 2026
Jun 22
bits-pilani.ac.in
DragonForce
Ransomware · unknown · India
🟥 Claimed (leak-site) · 🇲🇾 Origins in a former Malaysian hacktivist collective · #22 active · 582 total · disclosed 3d ago · Sources: ransomware.live DLS
Jun 22
mihana-v.com
DragonForce
Ransomware · unknown · Russia
🟥 Claimed (leak-site) · 🇲🇾 Origins in a former Malaysian hacktivist collective · #22 active · 582 total · disclosed 3d ago · Sources: ransomware.live DLS
Jun 16
Tecfi SpA
DragonForce
Ransomware · unknown · Italy
🟥 Claimed (leak-site) · 🇲🇾 Origins in a former Malaysian hacktivist collective · #22 active · 582 total · disclosed 9d ago · Sources: ransomware.live DLS
May 2025
May 01
Harrods
DragonForce
Ransomware · retail · UK
🟩 Corroborated · 🇲🇾 Origins in a former Malaysian hacktivist collective · #22 active · 582 total · disclosed 420d ago · third UK retailer hit; attack confirmed 1 May 2025, access restricted to contain it · Sources: Acronis · Picus
April 2025
Apr 30
Co-op
DragonForce
Ransomware · retail · UK
🟩 Corroborated · 🇲🇾 Origins in a former Malaysian hacktivist collective · #22 active · 582 total · disclosed 421d ago · back-office & call-centre disruption; 10,000+ members' personal data exposed · Sources: Infosecurity
Apr 22
Marks & Spencer
DragonForce
Ransomware · retail · UK
🟩 Corroborated · 🇲🇾 Origins in a former Malaysian hacktivist collective · #22 active · 582 total · disclosed 429d ago · ~£300M profit hit; online orders & payments disrupted for weeks; customer + employee data threatened (Scattered Spider service-desk initial access) · Sources: BlackFog · Infosecurity