Since its inception in December 2023, DragonForce has become a powerful force in the realm of cybercrime. Using a sophisticated Ransomware-as-a-Service (RaaS) model, the group actively markets itself as a "cartel" in an effort to increase its influence and power. They are able to draw in a large network of affiliates and set themselves apart from typical criminal enterprises thanks to this strategic positioning.
Their ascent has been accompanied by a consistent change in strategy, making them a continual danger to international institutions.
DragonForce uses well-known dark web forums like BreachForums, RAMP, and Exploit for recruitment and promotion in order to support their growth. By providing special tools like "RansomBay," which enables customized payload generation, and specialized harassment calling services to put pressure on victims, they set themselves apart from the competition. Higher payment success rates are ensured by these operational vectors, which are made to maximize the financial and psychological impact on the targeted entities.
They provide a full suite that competes with well-known, respectable software companies by offering tools for team coordination and assistance with data analysis. According to S2W analysts, the group targeted 363 companies between December 2023 and January 2026 after first emerging. These attacks have been occurring more frequently, reaching a peak in December 2025 when 35 victims were reported in a single month.
This information demonstrates the group's expanding operational capabilities and their intention to launch attacks against a wider variety of sectors.

[Figure: Affiliate panel for DragonForce (Source: Medium)]

In addition to regular attacks, DragonForce has maintained hostile ties with other ransomware organizations and has occasionally attacked rivals at the infrastructure level. On the other hand, they have also looked for partnerships to improve their standing in the ecosystem.
Their desire to control the RaaS economy through both collaboration and conflict is evident in this intricate web of relationships.

Technical Evaluation of Windows Binaries

According to recent technical evaluations of the DragonForce Windows binaries, major structural changes have been made, but the fundamental encryption procedures and process termination techniques have not changed.
[Figure: The appended metadata's updated structure (Source: Medium)]

The Bring Your Own Vulnerable Driver (BYOVD) method is still used by the ransomware to disable security procedures and guarantee successful encryption. Nevertheless, there have been changes made to the metadata structure that is attached to encrypted files. The size of the entire metadata was increased to 537 bytes by expanding the "Encryption Ratio" field from one byte to four bytes.
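The footer size reported above can support incident triage. The following script is an added example, not code from the original article or from the analysts it cites: it compares file sizes from a pre-incident manifest against current sizes and labels files that grew by exactly one footer length. It assumes the file contents keep their length when encrypted (so an affected file grows only by the footer), that the earlier footer was 534 bytes (537 minus the three bytes added to the ratio field), and that an affected file keeps its name or gains an appended suffix; the paths, sizes and `.locked` suffix are constructed sample data.

```python
from collections import Counter

FOOTER_CURRENT = 537                 # appended metadata size given in the article
FOOTER_LEGACY = FOOTER_CURRENT - 3   # derived: ratio field was 1 byte, now 4

LABELS = {FOOTER_CURRENT: "current-footer", FOOTER_LEGACY: "legacy-footer"}


def find_current(path, current):
    """Return (name, size) for `path` as it exists now, or None if gone.

    Assumption: an affected file keeps its name or gains an appended
    suffix ("report.xlsx" -> "report.xlsx.<something>").
    """
    if path in current:
        return path, current[path]
    renamed = sorted(p for p in current if p.startswith(path + "."))
    return (renamed[0], current[renamed[0]]) if renamed else None


def triage(baseline, current):
    """Compare {path: size} maps; label files that grew by a footer length."""
    hits, missing = {}, []
    for path, old_size in baseline.items():
        found = find_current(path, current)
        if found is None:
            missing.append(path)          # deleted or renamed beyond recognition
            continue
        label = LABELS.get(found[1] - old_size)
        if label:
            hits[path] = (found[0], label)
    return hits, missing, Counter(label for _, label in hits.values())


# Constructed sample data: sizes from a backup manifest vs. the live share.
BASELINE = {"/srv/fin/q3.xlsx": 48_200, "/srv/fin/notes.txt": 1_024,
            "/srv/hr/staff.db": 9_000_000, "/srv/hr/old.doc": 20_480,
            "/srv/tmp/cache.bin": 300}
CURRENT = {"/srv/fin/q3.xlsx.locked": 48_737, "/srv/fin/notes.txt": 1_561,
           "/srv/hr/staff.db": 9_000_000, "/srv/hr/old.doc.locked": 21_014}

if __name__ == "__main__":
    hits, missing, counts = triage(BASELINE, CURRENT)
    for path, (now, label) in sorted(hits.items()):
        print(f"{label:15} {path} -> {now}")
    print("missing:", missing, "| totals:", dict(counts))
```

A single file growing by 537 bytes can be coincidence; many files in one directory tree showing the same delta is the signal worth escalating.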
[Figure: DragonForce ransomware execution flow (Source: Medium)]

Furthermore, a beta feature named "encryption_rules" in the most recent builder version enables operators to override encryption modes for particular file extensions. The malware uses full, partial, or header-based encryption depending on the size of the file if no specific rule is specified.
Before starting these processes, the ransomware uses the ChaCha8 algorithm to decrypt its embedded configuration. With the help of this new configuration option, attackers can precisely control how various data types are affected, adjusting the encryption process's speed and severity according to the victim's environment.











