The DragonForce Cartel: Scattered Spider at the gate

Nov. 7, 2025, 10:20 a.m.

Description

DragonForce, a ransomware-as-a-service group active since 2023, has rebranded as a cartel and formed alliances with groups like Scattered Spider, LAPSUS$, and ShinyHunters. The group uses Conti-derived code and employs bring-your-own-vulnerable-driver (BYOVD) attacks to terminate processes. DragonForce has expanded its affiliate program, allowing partners to white-label payloads and create variants. The group has exposed over 200 victims on its leak site, targeting various sectors. DragonForce's partnership with Scattered Spider, known for sophisticated social engineering techniques, has led to high-profile breaches. The group's ransomware samples show significant overlap with Conti's leaked source files and use ChaCha20 encryption.

Date

  • Created: Nov. 5, 2025, 9:36 a.m.
  • Published: Nov. 5, 2025, 9:36 a.m.
  • Modified: Nov. 7, 2025, 10:20 a.m.

Attack Patterns

  • Global
  • Devman
  • Mamona
  • DragonForce
  • Conti - S0575

Additional Information

  • Retail
  • Technology
  • Insurance
  • Transportation