DMZ//THREAT INTEL
TLP:WHITE
THREAT ACTOR DOSSIER // DRAGONFORCE-SCATTERED-SPIDER-ALLIANCE
FIRST SEEN: DEC 2023

DRAGONFORCE + SCATTERED SPIDER (Alliance Update)

ALSO KNOWN AS: DragonForce: RansomBay, DragonForce Malaysia (origin); Scattered Spider: UNC3944, Octo Tempest, Muddled Libra, Starfraud, Scattered Lapsus$ Hunters
FROM: DMZ INTELLIGENCE DESK
ORIGIN: DragonForce: Malaysia (origin), now international criminal cartel; Scattered Spider: US/UK/Europe (English-speaking members)
ATTRIBUTION: ORGANIZED CRIME
STATUS: ACTIVE
FIRST OBSERVED: DEC 2023
TECHNICAL: 82/100
RESOURCES: 82/100
PERSISTENCE: 85/100
STEALTH: 77/100
IMPACT: 91/100

DragonForce has evolved from a pro-Palestine hacktivist group into a self-styled ransomware 'cartel' offering a white-label infrastructure model where affiliates operate independent brands using DragonForce encryption, negotiation portals, and leak sites. Ranked 6th by victim volume (426 DLS postings) with 56 victims in March 2026 alone, the group absorbed displaced RansomHub affiliates in April 2025 and formalized a partnership with Scattered Spider. The alliance struck Marks & Spencer (April 2025), Co-op, and Harrods in a coordinated UK retail wave causing over £500M in M&S market cap loss. Law enforcement pressure on Scattered Spider is intensifying: alleged leader Tyler Buchanan pleaded guilty in early April 2026, and member 'Bouquet' (Peter Stokes, 19) was arrested at Helsinki Airport on April 10, 2026 and federally charged on April 28.

Financial extortion — ransomware deployment, data theft, and multi-million dollar ransom demands against high-profile enterprises

Vishing/helpdesk impersonation (Scattered Spider), SIM swapping, MFA push bombing, Evilginx AiTM phishing, NTDS.dit exfiltration, Conti V3 ChaCha8 encryptor, LockBit 3.0 RSA-1024/Salsa20 encryptor, BYOVD EDR killing, Cobalt Strike C2, SystemBC SOCKS5 proxy, Mimikatz credential dumping, LOTL (PowerShell/WMI), MEGA/WebDAV exfiltration, white-label affiliate branding

RETAIL
HOSPITALITY
GAMING
FINANCIAL SERVICES
TELECOMMUNICATIONS
MANAGED SERVICE PROVIDERS

Two distinct encryption variants (Conti V3 fork + LockBit 3.0 derivative); SystemBC backdoor; Cobalt Strike; Tor-based DLS and negotiation portals; white-label RaaS builder (RansomBay); Devman and Mamona/Global sub-brands using DragonForce builder

FILE DATE: APR 2025
UK Retail Wave (M&S / Co-op / Harrods)
Scattered Spider affiliates used the DragonForce encryptor to devastate Marks & Spencer (encrypting VMware ESXi hosts), Co-op, and Harrods in a coordinated sector-targeting campaign causing over £500M in M&S market cap loss.
FILE DATE: MAR 2026
Continued High-Volume Operations
DragonForce posted 56 new victims in March 2026 alone, maintaining its █████████████ top-3 ransomware group alongside Qilin and The Gentlemen.
FILE DATE: APR 2026
Scattered Spider Leadership Prosecutions
Alleged leader Tyler Buchanan pleaded guilty to wire fraud in early April 2026; member Peter Stokes ('Bouquet', 19) was arrested at Helsinki Airport on April 10, 2026 and federally charged on April 28, 2026 with wire fraud, conspiracy, and computer intrusion.