The modern cyber threat landscape is increasingly characterized by specialization and collaboration, a trend exemplified by the potent, symbiotic relationship between the Scattered Spider initial access broker and the Dragon Force Ransomware-as-a-Service (RaaS) operation. These are not two disparate threats but rather two sides of a highly efficient and dangerous attack chain. Scattered Spider, a group of technically adept and socially savvy English-speaking actors, excels at penetrating the most hardened enterprise perimeters by targeting the human element and complex identity systems. Dragon Force, a formidable RaaS provider, leverages the robust, leaked codebases of notorious ransomware families to deliver the final, devastating impact.
This report provides an exhaustive analysis of both threat actors, detailing their individual operational playbooks and their collaborative methodology. The analysis demonstrates that a defensive strategy focused on only one of these groups is inherently flawed. Understanding Scattered Spider’s initial access techniques is critical for preventing the foothold that enables a Dragon Force attack, while understanding Dragon Force’s impact phase is essential for mitigating the ultimate business risk. This symbiotic model, bridging Western social engineering expertise with the RaaS infrastructure often associated with Eastern European cybercrime, represents a significant evolution in the cybercrime ecosystem.1 It underscores a shift where operational specialization and economic efficiency have superseded traditional geographic and linguistic barriers, creating a globalized cybercrime supply chain that presents a multifaceted and elevated threat to organizations worldwide.
1.2. Adversary Snapshot – Scattered Spider
Scattered Spider, also tracked under aliases such as UNC3944 and Octo Tempest, is a financially motivated cybercriminal collective that has been active since at least 2022.3 The group is notable for its composition of young, native English-speaking individuals, reportedly aged 19 to 22, operating primarily from Western countries like the United States and the United Kingdom.1 This demographic profile is a key differentiator, enabling them to conduct highly convincing social engineering campaigns against their targets.
Their core methodology eschews a reliance on zero-day software exploits in favor of a deep, psychological manipulation of people and a technical abuse of identity and access management (IAM) systems.3 They possess an expert-level understanding of corporate IT help desk workflows, which they exploit with precision to gain initial access, bypass multi-factor authentication (MFA), and establish deep, persistent footholds within target networks. Their operations are a masterclass in exploiting the “human firewall” and the inherent trust placed in corporate identity systems.
1.3. Adversary Snapshot – Dragon Force
Dragon Force emerged in late 2023, rapidly establishing itself as a significant player in the ransomware ecosystem.8 While some intelligence suggests a lineage connected to the pro-Palestinian hacktivist group “DragonForce Malaysia,” their current operational focus is unequivocally financial.9 The group operates as a “Ransomware-as-a-Service (RaaS) cartel,” a model that provides not just ransomware, but a full suite of infrastructure and support services to a network of affiliates.12
A critical factor in their rapid ascent is their technical foundation. Dragon Force’s ransomware payloads are not novel creations but are instead built upon the leaked source code of the infamous Conti and LockBit 3.0 ransomware families.12 This allowed them to bypass years of development, starting with a mature, multi-platform (Windows, Linux, VMware ESXi) weapon capable of causing maximum disruption. Their business model is designed for scalability and profitability, attracting affiliates with generous revenue splits and robust support, thereby lowering the barrier to entry for conducting high-impact ransomware attacks.
1.4. The Modern Kill Chain
The collaboration between Scattered Spider and Dragon Force illustrates a complete, end-to-end “as-a-service” attack kill chain. The typical operational flow proceeds as follows:
Initial Compromise (Scattered Spider): The attack begins with a highly targeted social engineering campaign orchestrated by Scattered Spider. This may involve SMS phishing (smishing), voice phishing (vishing) calls to the IT help desk, or MFA fatigue attacks to secure initial user credentials.3
Persistence and Entrenchment (Scattered Spider): Once inside, Scattered Spider focuses on establishing deep and redundant persistence. They abuse legitimate remote management tools, create rogue accounts, and, most critically, manipulate the organization’s identity provider (e.g., Okta, Azure AD) to create powerful backdoors that survive password resets and other standard remediation efforts.3
Handoff and Monetization (Dragon Force): With persistent, privileged access secured, the environment is handed off to a Dragon Force affiliate. This affiliate then performs internal reconnaissance, moves laterally to critical systems, exfiltrates sensitive data for double extortion, and finally deploys the Dragon Force ransomware payload to encrypt key assets, particularly virtualized environments, for maximum operational impact.8
This division of labor allows each group to focus on its core competency, resulting in a highly effective and difficult-to-defend threat. An alert for a Scattered Spider TTP should be treated as a high-priority precursor signal for a potential, large-scale ransomware event.
Threat Actor Profile: Scattered Spider (UNC3944, Octo Tempest)
2.1. Background, Aliases, and Origins
Scattered Spider is a prolific and financially motivated cybercriminal group that emerged in 2022 and has since become one of the most notable threats to large enterprises.1 The group operates under a wide array of aliases assigned by various security vendors and researchers, including UNC3944, 0ktapus, Muddled Libra, Scatter Swine, Storm-0875, Octo Tempest, LUCR-3, Star Fraud, and Roasted 0ktapus.3 This multiplicity of names reflects their high operational tempo and broad impact across the industry.
The group’s composition is a significant departure from the typical profile of top-tier threat actors. It is believed to consist of a loose, decentralized collective of young individuals, aged 19-22, who are native English speakers residing primarily in the United States and the United Kingdom.1 This linguistic and cultural fluency is a core component of their success, allowing them to execute social engineering attacks with a level of authenticity that is difficult for non-native speakers to replicate. They reportedly coordinate their activities through online platforms like Telegram and Discord, operating more as a fluid network of skilled operators than a rigid, hierarchical organization.16 Despite several arrests of suspected members, the group’s decentralized nature has allowed it to demonstrate significant resilience and continue operations.16
2.2. Modus Operandi: The Social Engineering and Identity-Centric Playbook
Scattered Spider’s defining characteristic is its strategic mastery of social engineering and its focus on the abuse of identity systems. Their playbook prioritizes the manipulation of people over the exploitation of software vulnerabilities. They possess a granular understanding of corporate IT and help desk workflows, which they systematically exploit to achieve their objectives.
Their attacks often begin with meticulously researched pretexting. Operators will gather personal information on employees and leverage internal documentation or LinkedIn data to craft believable scenarios.6 They frequently impersonate IT staff or new employees, using phrases like “I’m a new employee and I can’t log in” or “I lost my phone and need my MFA reset” to convince help desk personnel to bypass established security procedures.6 This approach allows them to obtain password resets or temporary MFA codes, effectively turning an organization’s support infrastructure into an attack vector. In some cases, when initial attempts fail, they have escalated to coercion, using threats of physical harm to compel victims into providing credentials.18 Their ability to infiltrate and even monitor incident response communications on platforms like Microsoft Teams and Slack further highlights their audacity and deep understanding of their victims’ internal processes.16
2.3. Victimology and Target Evolution
Scattered Spider’s targeting strategy has evolved significantly, mirroring their progression from credential theft to a full-fledged ransomware affiliate. Initially, their operations were narrowly focused on the telecommunications, Business Process Outsourcing (BPO), and technology sectors.3 This focus was strategic, as compromising these entities provided them with the access needed to conduct SIM-swapping attacks against high-value individuals in the cryptocurrency space.2
Beginning in 2023, coinciding with their affiliation with ransomware groups like ALPHV/BlackCat, their targeting aperture widened dramatically.17 They pivoted to “big game hunting,” pursuing large enterprises across a diverse range of industries, including hospitality (MGM Resorts, Caesars Entertainment), retail, finance, media, and manufacturing.3 This strategic shift indicates a clear evolution in their monetization model, moving from direct fraud to the high-stakes, high-reward world of data extortion and ransomware. Their recent focus on impersonating and targeting IT service providers and third-party contractors, such as Tata Consultancy Services (TCS), demonstrates a sophisticated understanding of supply chain risk, allowing them to compromise a single trusted vendor to gain access to a multitude of its clients.20
The following analysis provides a detailed breakdown of Scattered Spider’s Tactics, Techniques, and Procedures (TTPs), mapped to the MITRE ATT&CK framework (G1015). This structured approach illuminates their operational lifecycle, from initial intrusion to final impact.
3.1. Initial Access (TA0001)
Scattered Spider employs a multi-pronged strategy for initial access that almost exclusively targets the human element.
T1566: Phishing: The group excels at phishing, particularly vishing (T1566.004, Spearphishing Voice) and smishing (SMS phishing).3 They send targeted SMS messages to employees containing links to credential harvesting sites. These campaigns are often followed by phone calls in which they impersonate IT staff and walk the victim through entering their credentials on a fake portal.17 They leverage phishing kits such as EIGHTBAIT and the Evilginx framework to create pixel-perfect replicas of corporate single sign-on (SSO) pages that capture both passwords and session cookies, allowing them to bypass MFA by replaying the authenticated session.3
T1621: Multi-Factor Authentication Request Generation: Known as “MFA Fatigue” or “Push Bombing,” this technique involves overwhelming a target with a high volume of MFA push notifications after their password has been compromised. The goal is that the victim will eventually accept a prompt out of annoyance or confusion, granting the attacker access.16
T1451: SIM Card Swap: A hallmark of their earlier campaigns, this technique involves socially engineering mobile carrier employees to transfer a victim’s phone number to an attacker-controlled SIM card. This gives the attacker control over the victim’s voice calls and SMS messages, allowing them to intercept one-time passwords (OTPs) and other sensitive communications.3
T1078: Valid Accounts: The direct outcome of a successful phishing attack is the acquisition of valid credentials, which they use to log in to corporate resources as a legitimate user.3
T1190: Exploit Public-Facing Application: While less common, they have been observed exploiting vulnerabilities for initial access, such as CVE-2021-35464 in the ForgeRock OpenAM server.2
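The push-bombing pattern in T1621 is easy to surface from identity-provider logs: count denied or timed-out push challenges per user inside a short window, and treat an acceptance that follows such a burst as the highest-severity case. The following detector is an added example written for this report, not code from the original page or from any IdP vendor. It assumes a constructed JSON-lines export with `user`, `ts` and `result` fields; map your IdP's own push-challenge events onto that shape.

```python
"""Added example (not from the original report): flag MFA push bombing (T1621).

Assumption: the IdP exports one JSON object per line for each push challenge
with fields "user", "ts" (ISO 8601, UTC) and "result" in
{"accepted", "denied", "timeout"}. Map your IdP's own event schema onto these.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window for counting pushes
THRESHOLD = 5                    # unanswered/rejected pushes that count as bombing

# Constructed sample log: alice receives six pushes in eight minutes and finally
# accepts one; bob receives a single, normally accepted push.
SAMPLE_LOG = """\
{"user": "alice", "ts": "2025-06-01T02:10:00Z", "result": "denied"}
{"user": "alice", "ts": "2025-06-01T02:11:30Z", "result": "timeout"}
{"user": "bob",   "ts": "2025-06-01T09:00:00Z", "result": "accepted"}
{"user": "alice", "ts": "2025-06-01T02:13:00Z", "result": "denied"}
{"user": "alice", "ts": "2025-06-01T02:14:10Z", "result": "timeout"}
{"user": "alice", "ts": "2025-06-01T02:15:45Z", "result": "denied"}
{"user": "alice", "ts": "2025-06-01T02:18:00Z", "result": "accepted"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"burst": n, "accepted_after": bool}} for users whose
    count of denied/timed-out pushes inside `window` reached `threshold`.
    accepted_after=True is the dangerous case: the user eventually approved."""
    per_user = defaultdict(list)
    for ev in parse_events(text):
        per_user[ev["user"]].append(ev)

    findings = {}
    for user, evs in per_user.items():
        recent = []            # timestamps of non-accepted pushes still in the window
        burst = 0              # largest burst observed for this user
        accepted_after = False
        for ev in evs:
            if ev["result"] == "accepted":
                if burst >= threshold:
                    accepted_after = True
                continue
            recent.append(ev["ts"])
            recent = [t for t in recent if ev["ts"] - t <= window]
            burst = max(burst, len(recent))
        if burst >= threshold:
            findings[user] = {"burst": burst, "accepted_after": accepted_after}
    return findings


if __name__ == "__main__":
    for user, f in detect_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: burst of {f['burst']} pushes, accepted afterwards: {f['accepted_after']}")
```

Tune `THRESHOLD` and `WINDOW` to your own baseline of legitimate retries; an `accepted_after` finding should trigger an immediate session revocation and a call back to the user through a known-good channel, since the attacker already holds the password.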
3.2. Execution (TA0002) & Persistence (TA0003)
Once inside, Scattered Spider’s primary objective is to establish resilient and redundant persistence.
T1204: User Execution: A key part of their social engineering involves convincing victims, particularly IT help desk staff, to manually run legitimate software that provides the attackers with remote access.17
T1219: Remote Access Software: This is the cornerstone of their persistence strategy. They are known to install a wide variety of legitimate Remote Monitoring and Management (RMM) tools, effectively “living off the land” with applications that are often allowlisted. Their arsenal includes AnyDesk, ScreenConnect, TeamViewer, LogMeIn, ConnectWise Control, Pulseway, and RustDesk.2 A crucial insight into their methodology is the deployment of multiple RMM tools on a single compromised host. This creates redundancy; if one backdoor is discovered and removed, others remain active.3
T1136: Create Account: To further entrench themselves, they create new user accounts within the victim’s Active Directory or cloud environment, providing another avenue for access.17
T1556.006: Modify Authentication Process: Multi-Factor Authentication: After compromising a user’s account, they will often enroll their own device (e.g., a mobile phone for push notifications) into the MFA configuration. This is a powerful persistence mechanism, as it ensures they can still authenticate even if the victim’s password is reset.6
T1133: External Remote Services: They leverage legitimate, pre-existing remote access solutions like corporate VPNs and Citrix environments to maintain persistent access to the network.17
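The redundancy pattern in T1219 gives defenders a simple, high-signal hunt: a single host should rarely have more than one remote-access family installed. The following script is an added example for this report, not code from the original page or from any vendor. It assumes process-creation telemetry as constructed `host`/`image` records and matches RMM families by executable-path substring, which is deliberately coarse and will not catch every product or renamed binary.

```python
"""Added example (not from the original report): find hosts with more than one
RMM tool present (T1219 redundancy pattern).

Assumption: endpoint telemetry is available as process-creation records with a
"host" and an "image" (full executable path). The records below are constructed.
"""
from collections import defaultdict

# Executable-path fragments that identify an RMM family. ConnectWise Control
# ships as ScreenConnect, so both spellings map to the same family. Matching
# by path substring is coarse: add your own product names and hashes.
RMM_SIGNATURES = {
    "anydesk": "AnyDesk",
    "screenconnect": "ScreenConnect",
    "connectwise": "ScreenConnect",
    "teamviewer": "TeamViewer",
    "logmein": "LogMeIn",
    "pulseway": "Pulseway",
    "rustdesk": "RustDesk",
}

SAMPLE_EVENTS = [
    {"host": "WS-042",   "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "WS-042",   "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"host": "WS-042",   "image": r"C:\Users\jdoe\AppData\Local\Temp\TeamViewer_Setup.exe"},
    {"host": "SRV-DB01", "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"host": "SRV-DB01", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS-017",   "image": r"C:\Users\Public\rustdesk.exe"},
    {"host": "WS-017",   "image": r"C:\Users\Public\AnyDesk.exe"},
]


def rmm_family(image_path):
    """Map an executable path to an RMM family name, or None if it is not one."""
    low = image_path.lower()
    for needle, family in RMM_SIGNATURES.items():
        if needle in low:
            return family
    return None


def hosts_with_multiple_rmm(events, sanctioned=frozenset()):
    """Return {host: [families]} for hosts where two or more *unsanctioned*
    RMM families were observed. Pass the corporate-approved tool in
    `sanctioned` so it does not count toward the threshold."""
    per_host = defaultdict(set)
    for ev in events:
        fam = rmm_family(ev["image"])
        if fam and fam not in sanctioned:
            per_host[ev["host"]].add(fam)
    return {h: sorted(f) for h, f in per_host.items() if len(f) >= 2}


if __name__ == "__main__":
    print(hosts_with_multiple_rmm(SAMPLE_EVENTS, sanctioned={"ScreenConnect"}))
```

In the constructed sample, SRV-DB01 runs only the sanctioned tool and is not reported, while WS-042 and WS-017 each carry two unsanctioned RMM clients, which is the backup-access pattern described above. Binaries launched from user-writable paths such as `C:\Users\Public` deserve a second look even when only one family is present.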
3.3. Privilege Escalation (TA0004) & Defense Evasion (TA0005)
Scattered Spider employs sophisticated techniques to escalate privileges and dismantle security controls.
T1068: Exploitation for Privilege Escalation: The group utilizes a “Bring Your Own Vulnerable Driver” (BYOVD) attack. They deploy a legitimate but vulnerable Intel Ethernet diagnostics driver, iqvw64.sys (associated with CVE-2015-2291), to execute code with kernel-level privileges.2
T1562.001: Impair Defenses: Disable or Modify Tools: The primary purpose of the BYOVD attack is to gain the privileges necessary to terminate security software. They use this kernel-level access to kill processes associated with Endpoint Detection and Response (EDR) products and other security monitoring tools, effectively blinding the security team.3 They also make attempts to delete host-based firewall profiles and create exclusions for Windows Defender.3
T1484.002: Domain or Tenant Policy Modification: Trust Modification: This is one of their most advanced and dangerous techniques. After gaining administrative access to a cloud identity provider like Okta or Azure AD, they add a new, malicious federated identity provider under their control. This establishes a trust relationship that allows them to forge SAML tokens for any user in the organization. The outcome is often grouped with “Golden SAML”; strictly, Golden SAML forges tokens with a stolen AD FS signing key, whereas a rogue federated IdP achieves the same end with a key the attacker already owns. Either way it provides a stealthy, powerful, and persistent backdoor that can grant Global Admin-equivalent privileges, survives password resets and MFA re-enrollment, and is extremely difficult to detect.6
T1564.008: Hide Artifacts: Email Hiding Rules: To evade detection by security personnel, they have been observed creating inbox rules on compromised email accounts (especially those of IT and security staff) to automatically and silently delete alert notifications from security vendors.17
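Because a rogue federation trust survives every user-level remediation, the audit event that creates it is worth alerting on unconditionally. The following script is an added example written for this report, not code from the original page or from Microsoft. It assumes records in the Entra ID audit-log shape (`activityDisplayName`, `initiatedBy`, `targetResources`); the two activity names are the ones I have observed for domain-federation changes, but verify them against your tenant, and the `modifiedProperties` entry in the sample is constructed for illustration.

```python
"""Added example (not from the original report): alert on federation trust
changes in Entra ID audit logs (T1484.002).

Assumptions: records follow the Entra ID audit-log shape (activityDisplayName,
initiatedBy.user.userPrincipalName, targetResources[].displayName /
modifiedProperties). Activity names below should be verified against your own
tenant; the records themselves are constructed for the example.
"""

FEDERATION_ACTIVITIES = {
    "Set domain authentication",
    "Set federation settings on domain",
}

SAMPLE_AUDIT = [
    {
        "activityDisplayName": "Set domain authentication",
        "activityDateTime": "2025-06-01T03:02:11Z",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk.temp@example.com"}},
        "targetResources": [{
            "type": "Domain",
            "displayName": "example.com",
            # Property name is illustrative; real records carry the tenant's own names.
            "modifiedProperties": [
                {"displayName": "DomainAuthenticationType",
                 "oldValue": "\"Managed\"", "newValue": "\"Federated\""}
            ],
        }],
    },
    {
        "activityDisplayName": "Update user",
        "activityDateTime": "2025-06-01T03:05:00Z",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk.temp@example.com"}},
        "targetResources": [{"type": "User", "displayName": "jdoe", "modifiedProperties": []}],
    },
    {
        "activityDisplayName": "Set federation settings on domain",
        "activityDateTime": "2025-05-20T10:00:00Z",
        "initiatedBy": {"user": {"userPrincipalName": "idadmin@example.com"}},
        "targetResources": [{"type": "Domain", "displayName": "corp.example.com",
                             "modifiedProperties": []}],
    },
]


def federation_changes(records, approved_actors):
    """Return one finding per federation change. Changes by anyone outside
    `approved_actors` are rated critical: a rogue IdP lets the attacker mint
    tokens for any user, so there is no benign explanation to wait for."""
    findings = []
    for r in records:
        if r.get("activityDisplayName") not in FEDERATION_ACTIVITIES:
            continue
        actor = (r.get("initiatedBy", {}).get("user") or {}).get(
            "userPrincipalName", "<app or unknown>")
        targets = r.get("targetResources", [])
        domains = [t.get("displayName") for t in targets if t.get("type") == "Domain"]
        changes = {
            p["displayName"]: (p.get("oldValue"), p.get("newValue"))
            for t in targets
            for p in t.get("modifiedProperties", [])
        }
        findings.append({
            "when": r.get("activityDateTime"),
            "activity": r["activityDisplayName"],
            "actor": actor,
            "domains": domains,
            "changes": changes,
            "severity": "info" if actor in approved_actors else "critical",
        })
    return findings


if __name__ == "__main__":
    for f in federation_changes(SAMPLE_AUDIT, approved_actors={"idadmin@example.com"}):
        print(f["severity"].upper(), f["when"], f["actor"], f["activity"], f["domains"], f["changes"])
```

Pair this with a periodic enumeration of configured federation settings, so that a trust added while logging was impaired is still caught, and treat a change made by a recently created or help-desk account as an incident rather than a ticket.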
3.4. Credential Access (TA0006)
With defenses disabled, the group moves to harvest credentials across the environment.
T1003: OS Credential Dumping: They use well-known tools like Mimikatz and Impacket’s secretsdump to extract credentials from memory, particularly from the LSASS process.3 Their techniques include more advanced methods such as DCSync (T1003.006), in which a compromised account with replication rights impersonates a domain controller and requests password data, and extracting the Active Directory database file, NTDS.dit, by creating volume shadow copies (T1003.003).17
T1539: Steal Web Session Cookie: They have used infostealer malware like Raccoon Stealer to harvest browser session cookies. These cookies can be replayed to gain access to web applications without needing a username or password, often bypassing MFA.16
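DCSync leaves a reliable trace on the domain controller: Security event 4662 records the replication control-access rights being exercised, and any principal other than a domain controller (or a sanctioned directory-sync account) requesting them is suspect. The following detector is an added example for this report, not code from the original page or from any vendor. It assumes 4662 events as dicts with the `SubjectUserName`, `SubjectDomainName` and `Properties` fields, uses the well-known replication right GUIDs, and runs over constructed events.

```python
"""Added example (not from the original report): detect DCSync (T1003.006) from
Windows Security event 4662.

Assumption: events arrive as dicts with the 4662 fields SubjectUserName,
SubjectDomainName and Properties (the access-right GUID list). The GUIDs are
the well-known AD replication control-access rights. Events are constructed.
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

SAMPLE_4662 = [
    # Normal DC-to-DC replication performed by a domain controller's machine account.
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A help-desk user account requesting the same rights: classic DCSync.
    {"EventID": 4662, "SubjectUserName": "helpdesk.temp", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated 4662 that carries no replication rights.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "{bf967a7f-0de6-11d0-a285-00aa003049e2}"},
]


def detect_dcsync(events, domain_controllers, service_allowlist=frozenset()):
    """Return [(DOMAIN\\account, [rights])] for principals that exercised
    replication rights without being a DC machine account or a sanctioned
    sync account (for example Entra Connect's MSOL_* account)."""
    dcs = {d.upper() for d in domain_controllers}
    services = {s.lower() for s in service_allowlist}
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        guids = set(GUID_RE.findall(e.get("Properties", "").lower()))
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
        if not rights:
            continue
        account = e["SubjectUserName"]
        if account.upper() in dcs:
            continue            # expected: replication between domain controllers
        if account.lower() in services:
            continue            # expected: sanctioned directory synchronisation
        hits.append((f"{e.get('SubjectDomainName', '')}\\{account}", rights))
    return hits


if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_4662, domain_controllers={"DC01$", "DC02$"}):
        print("DCSync suspected:", account, rights)
```

This requires auditing of Directory Service Access to be enabled on the domain controllers; without it, 4662 is never written and the only remaining signal is network-level DRSUAPI traffic from a non-DC host.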
3.5. Discovery (TA0007) & Lateral Movement (TA0008)
Scattered Spider methodically maps the environment to identify high-value targets and pathways for movement.
T1018: Remote System Discovery: They enumerate the network to discover other systems, with a particular focus on identifying critical infrastructure like VMware vCenter servers.17
T1538: Cloud Service Dashboard: In cloud environments, they abuse native management tools for discovery. A key example is their use of AWS Systems Manager (SSM) Inventory to get a detailed list of all EC2 instances and their configurations, which informs their lateral movement strategy.6
T1021: Remote Services: They move laterally across the network using standard enterprise protocols, including RDP (T1021.001) and SSH (T1021.004).3
T1021.007: Remote Services: Cloud Services: A signature TTP for the group is to leverage their access to the victim’s cloud tenant (AWS or Azure) to create new virtual machines. These attacker-controlled VMs, residing within the victim’s own cloud environment, serve as internal jump boxes and C2 relays, allowing their traffic to blend in and bypass perimeter network controls.6
T1047: Windows Management Instrumentation (WMI): They use WMI for remote command execution and lateral movement, often facilitated by frameworks like Impacket.17
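The jump-box pattern in T1021.007 shows up in CloudTrail as `RunInstances` calls from a principal, region or source address that never launches instances in normal operation. The following script is an added example for this report, not code from the original page or from AWS. It assumes CloudTrail records as dicts with `eventName`, `awsRegion`, `sourceIPAddress` and `userIdentity.arn`, and runs over constructed records that use the AWS documentation account ID and RFC 5737 addresses.

```python
"""Added example (not from the original report): flag EC2 launches by principals
or in regions outside a launch baseline (T1021.007 jump-box pattern).

Assumption: CloudTrail records as dicts with eventName, awsRegion,
sourceIPAddress and userIdentity.arn. Records are constructed (documentation
account ID 111122223333, RFC 5737 IP ranges).
"""
import re

ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/")


def principal_key(arn):
    """Collapse an assumed-role session ARN to its role ARN so one baseline
    entry covers every session; other ARNs are returned unchanged."""
    m = ASSUMED_ROLE_RE.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return arn


SAMPLE_CLOUDTRAIL = [
    # Routine launch by the CI deployment role in the home region.
    {"eventTime": "2025-06-01T01:00:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-77"}},
    # An IAM user that never launches instances, doing so in an unused region.
    {"eventTime": "2025-06-01T03:10:00Z", "eventName": "RunInstances", "awsRegion": "eu-north-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-helpdesk"}},
    # Read-only call by the same user; not a launch, so not reported here.
    {"eventTime": "2025-06-01T03:11:00Z", "eventName": "DescribeInstances", "awsRegion": "eu-north-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-helpdesk"}},
]


def suspicious_launches(records, baseline_principals, baseline_regions):
    """Return findings for RunInstances calls outside the baseline of
    principals that normally launch instances and regions in use."""
    findings = []
    for r in records:
        if r.get("eventName") != "RunInstances":
            continue
        principal = principal_key(r["userIdentity"]["arn"])
        reasons = []
        if principal not in baseline_principals:
            reasons.append("principal not in launch baseline")
        if r.get("awsRegion") not in baseline_regions:
            reasons.append(f"launch in unused region {r.get('awsRegion')}")
        if reasons:
            findings.append({"when": r["eventTime"], "principal": principal,
                             "ip": r["sourceIPAddress"], "region": r["awsRegion"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_launches(SAMPLE_CLOUDTRAIL,
                                 baseline_principals={"arn:aws:iam::111122223333:role/ci-deploy"},
                                 baseline_regions={"us-east-1"}):
        print(f)
```

Build the baseline from several weeks of CloudTrail rather than by hand, and extend the same check to `StartSession` and `SendCommand` for the SSM abuse described under T1538, since an attacker who can inventory instances through SSM can usually run commands on them as well.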
3.6. Collection (TA0009) & Exfiltration (TA0010)
The primary goal before impact is the large-scale theft of sensitive data for extortion.
T1530: Data from Cloud Storage: They systematically access and collect data from cloud-based repositories, such as victim OneDrive and SharePoint sites, searching for sensitive documents.17
T1213: Data from Information Repositories: A particularly brazen technique involves searching through the victim’s internal communication platforms like Slack, Microsoft Teams, and Microsoft Exchange. They specifically look for conversations related to the ongoing incident response, which gives them real-time intelligence on the defenders’ actions and allows them to adapt their tactics to stay ahead.16 They also target internal code repositories for valuable intellectual property.17
T1567.002: Exfiltration to Cloud Storage: Data is exfiltrated to publicly available file-sharing services that are difficult to block, such as MEGA and transfer[.]sh.17
T1572: Protocol Tunneling: They use legitimate tools like ngrok to create encrypted tunnels from inside the compromised network out to their own infrastructure. This allows them to securely exfiltrate data and maintain C2 communications, often bypassing firewall rules.5
3.7. Impact (TA0040)
While often acting as an access broker, Scattered Spider is fully capable of executing the final impact phase themselves.
T1486: Data Encrypted for Impact: The group has been directly attributed to the deployment of BlackCat/ALPHV ransomware. They show a preference for targeting VMware ESXi servers, allowing them to encrypt dozens or even hundreds of virtual machines simultaneously, causing catastrophic operational disruption.3
T1657: Financial Theft: This is the ultimate objective of their operations, achieved either through double extortion (demanding payment for a decryptor and for the non-release of stolen data) or by selling their hard-won access to a dedicated ransomware affiliate like Dragon Force.17
The following table summarizes the key TTPs employed by Scattered Spider.
Table 1: Scattered Spider TTPs Mapped to MITRE ATT&CK (G1015)

| Tactic | Technique ID | Technique Name | Description of Use by Scattered Spider | Key Tools/Commands |
|---|---|---|---|---|
| Initial Access | T1566 | Phishing | Voice (vishing) and SMS (smishing) campaigns targeting employees and help desks. | Evilginx, EIGHTBAIT |
| Initial Access | T1621 | MFA Request Generation | “MFA Fatigue” attacks, spamming users with push notifications until one is accepted. | N/A |
| Persistence | T1219 | Remote Access Software | Installation of multiple, legitimate RMM tools for redundant access. | AnyDesk, ScreenConnect, TeamViewer |
| Persistence | T1556.006 | Modify Authentication Process: MFA | Enrolling attacker-controlled devices for MFA on compromised accounts. | Okta/Azure AD consoles |
| Priv. Escalation | T1068 | Exploitation for Priv. Escalation | BYOVD attack using a vulnerable Intel driver to gain kernel-level access. | iqvw64.sys (CVE-2015-2291) |
| Defense Evasion | T1562.001 | Impair Defenses | Using kernel-level access from BYOVD to terminate EDR/AV processes. | Malicious signed driver (POORTRY) |
| Defense Evasion | T1484.002 | Domain Trust Modification | Adding a malicious federated IdP to Okta/Azure AD to forge SAML tokens. | AADInternals, Okta APIs |
| Credential Access | T1003 | OS Credential Dumping | Dumping credentials from LSASS memory after disabling EDR. | Mimikatz, Impacket secretsdump |
| Lateral Movement | T1021.007 | Remote Services: Cloud Services | Creating new VMs in the victim’s AWS/Azure tenant to use as jump boxes. | AWS/Azure APIs |
| Collection | T1213 | Data from Info Repositories | Monitoring victim’s Slack/Teams channels for IR-related communications. | N/A |
| Exfiltration | T1572 | Protocol Tunneling | Using ngrok to create outbound tunnels for C2 and data exfiltration. | ngrok |
| Impact | T1486 | Data Encrypted for Impact | Deployment of BlackCat/ALPHV ransomware, targeting VMware ESXi hosts. | BlackCat/ALPHV |
Scattered Spider: Indicators of Compromise (IOCs)
This section provides a catalog of known Indicators of Compromise (IOCs) associated with Scattered Spider’s operations. These artifacts can be used by security teams to hunt for and detect the group’s activity within their environments.
4.1. Network IOCs
Scattered Spider’s network infrastructure is dynamic, but certain patterns and indicators have been consistently observed.
Domains: The group registers a high volume of phishing domains, often typosquatting the names of their targets or common SSO providers. A key strategy is the impersonation of technology vendors, particularly identity providers like Okta, to harvest high-value credentials.20 They have also been observed using dynamic DNS services, such as subdomains of it[.]com, which makes their infrastructure harder to track and block via traditional domain reputation.22
IP Addresses & ASNs: Analysis of their infrastructure shows a consistent preference for hosting services from providers known for ease of registration and lax oversight, including DigitalOcean, Vultr, and BitLaunch.19 Monitoring for suspicious traffic originating from or communicating with these ASNs can be a valuable detection signal.
Table 2: Sample Network IOCs

| Type | Indicator | Description/Context | First Seen | Source |
|---|---|---|---|---|
| Domain | twitter-okta[.]com | Domain previously owned by Twitter, later registered by Scattered Spider for phishing. | Oct 2024 | 22 |
| Dynamic DNS | *[.]it[.]com | Use of a dynamic DNS service to host malicious subdomains, complicating blocking. | 2025 | 22 |
| ASN | AS14061 (DigitalOcean) | Frequently used hosting provider for C2 servers and phishing sites. | 2024 | 19 |
| ASN | AS20473 (Vultr) | Frequently used hosting provider for C2 servers and phishing sites. | 2024 | 19 |
| ASN | AS60068 (BitLaunch) | Frequently used hosting provider that accepts cryptocurrency payments. | 2024 | 19 |
| Exfil Service | transfer[.]sh | Legitimate file-sharing service used for data exfiltration. | Late 2022 | 18 |
| Exfil Service | mega[.]nz | Legitimate cloud storage service used for data exfiltration. | N/A | 17 |
4.2. Host-Based IOCs
These indicators can be found on compromised endpoints and servers.
File Hashes: Known cryptographic hashes of malware and tools used by the group. This includes multiple versions of their custom malware, Spectre RAT, as well as the vulnerable driver used in BYOVD attacks.
Malware & Tools: The group employs a mix of custom malware, commodity infostealers, and a large number of legitimate dual-use tools. The presence of these tools, especially in unusual locations or executed by non-administrative users, is a strong indicator of compromise.
Persistence Locations: The source also catalogs common locations used to add persistence for malware or RMM tools; only this description survives from that table.7
4.3. Exploited Vulnerabilities
Scattered Spider is not primarily an exploit-driven group, but they have used specific vulnerabilities when it suits their operational goals.
CVE-2015-2291: A privilege escalation vulnerability in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys). This is the core of their BYOVD technique, allowing them to gain kernel-level privileges to disable security software.2
CVE-2021-35464: A pre-authentication remote code execution vulnerability in the ForgeRock OpenAM application server. This has been used as an initial access vector in some campaigns.2
Threat Actor Profile: Dragon Force Ransomware
5.1. Background and Disputed Origins
Dragon Force ransomware emerged as a notable threat in late 2023, quickly gaining notoriety for its aggressive tactics and rapid accumulation of victims.8 The group’s origins are a subject of debate among threat intelligence analysts. One prominent theory links the ransomware operation to a pre-existing hacktivist collective known as “DragonForce Malaysia”.9 This hacktivist group was known for politically motivated attacks, often with pro-Palestinian sentiments, targeting entities in Israel and India.10
However, another body of evidence points towards a more conventional, financially motivated cybercrime operation, possibly with ties to the Russian-speaking sphere.9 This assessment is supported by their use of Russian-linked infrastructure, their recruitment efforts on the Russian-language RAMP forum, and their operational focus on extortion.9 Regardless of their ultimate origin or initial motivations, the group’s current modus operandi is squarely aligned with that of a sophisticated, financially driven ransomware enterprise.9
5.2. Operational Model: The RaaS Cartel
Dragon Force has evolved its business model from a standard Ransomware-as-a-Service (RaaS) program into what can be described as a “RaaS cartel”.12 This model is designed to maximize their reach and profitability by lowering the barrier to entry for affiliates. They actively recruit affiliates on dark web forums like RAMP, offering highly competitive terms, including an 80% share of any successful ransom payment.25
The “cartel” model extends beyond simply providing a ransomware payload. Dragon Force offers a comprehensive, white-label platform that allows affiliates to run their own ransomware campaigns, sometimes even under their own branding.12 The core group handles malware development, maintenance of the data leak site, and payment negotiations, while affiliates focus on gaining access and deploying the ransomware. To further empower their partners, Dragon Force provides a suite of support services, including “call services” to directly phone and pressure victims, and NTLM/Kerberos hash decryption services, which are invaluable for post-compromise activities in Active Directory environments.26 This full-service approach makes them a highly attractive partner for access brokers like Scattered Spider.
5.3. Technical Foundations: Built on Leaked Code
A critical element of Dragon Force’s rapid rise to prominence is their technical foundation. Instead of investing the significant time and resources required to develop a ransomware strain from scratch, they built their operation on the leaked source code of two of the most successful ransomware families in history: Conti and LockBit 3.0 (LockBit Black).9
This strategic decision provided them with an immediate, mature, and feature-rich weapon. The leaked code gave them a multi-platform payload capable of encrypting Windows, Linux, and, crucially, VMware ESXi environments, a key target for maximizing operational disruption.9 They were able to take this tested and robust codebase and modify it for their own purposes, adding custom features and integrating it into their advanced affiliate builder panel.25 This phenomenon highlights a broader trend in the cybercrime ecosystem: the commoditization of advanced malware. The public leaks of the Conti and LockBit builders have permanently lowered the barrier to entry, enabling new groups like Dragon Force to emerge and compete without the prerequisite of deep malware development expertise. This has led to a more fractured and competitive RaaS market, where operators must offer superior service and financial terms to attract skilled affiliates. For defenders, this means the threat is no longer from a few monolithic ransomware brands, but from a diverse and growing swarm of agile groups wielding similarly potent tools.
The tactics, techniques, and procedures of Dragon Force and its affiliates are a hybrid of established methods inherited from the Conti and LockBit playbooks, combined with their own operational innovations.
6.1. Initial Access (TA0001)
Dragon Force affiliates employ a variety of common techniques to gain their initial foothold.
T1566: Phishing: This is a primary initial access vector. Affiliates conduct phishing campaigns using malicious email attachments or links to steal credentials or deliver an initial malware loader.8
T1190: Exploit Public-Facing Application: They actively scan for and exploit known vulnerabilities in internet-facing systems. Notable examples include Log4Shell (CVE-2021-44228) and, more recently, a set of critical vulnerabilities in the SimpleHelp RMM tool used by Managed Service Providers (MSPs).8
T1133: External Remote Services: A common technique is to conduct brute-force or credential stuffing attacks against exposed remote services like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs).8
T1199: Trusted Relationship: In a highly impactful supply chain attack methodology, they target and compromise MSPs. By exploiting the MSP’s trusted access to its clients, they can pivot and deploy ransomware across multiple downstream organizations simultaneously.13
6.2. Execution (TA0002) & Persistence (TA0003)
Once on a system, they use common methods to execute code and ensure their access survives a reboot.
T1059.001: PowerShell: PowerShell is used extensively for fileless execution of commands, downloading additional tools, and disabling security features.12
T1053.005: Scheduled Task: They create scheduled tasks using built-in Windows utilities like schtasks.exe or the legacy at command to execute their malware at specific times or upon system startup, providing a reliable persistence mechanism.12
T1547.001: Registry Run Keys / Startup Folder: A classic persistence technique, they add entries to the Run keys in the Windows Registry to ensure their payloads are launched every time a user logs in.25
T1543.003: Create or Modify System Process: Windows Service: To achieve persistence with high privileges, they install their backdoors or tools as new Windows services configured to start automatically.25
T1219: Remote Access Software: Affiliates may install their own preferred remote access tools, such as AnyDesk, to maintain an interactive C2 channel separate from the primary malware.29
6.3. Defense Evasion (TA0005)
A critical phase of the attack involves dismantling the target’s security posture.
T1562.001: Impair Defenses: Dragon Force affiliates will attempt to disable or kill processes associated with antivirus and EDR products. In some cases, they employ BYOVD techniques, similar to Scattered Spider, to gain kernel-level privileges for this purpose.12
T1070: Indicator Removal: To frustrate forensic analysis and incident response, they systematically clear Windows Event Logs using tools like wevtutil.exe and delete the malicious files they used during the intrusion (T1070.001, T1070.004).12
T1490: Inhibit System Recovery: This is a crucial step to increase the likelihood of a ransom payment. They execute commands to delete Volume Shadow Copies using vssadmin.exe or WMI, removing the victim’s ability to perform a quick, local restoration of encrypted files.12
T1027: Obfuscate Files or Information: The ransomware payload itself is often packed or obfuscated to evade static, signature-based detection by security products.28
6.4. Credential Access (TA0006) & Discovery (TA0007)
Before deploying ransomware, the actors conduct thorough internal reconnaissance.
T1003: OS Credential Dumping: They use tools like Mimikatz to dump credentials from the LSASS process memory, which provides them with plaintext passwords and hashes for lateral movement.25
T1083: File and Directory Discovery: They use built-in commands like dir or specialized tools like FileSeek to search the filesystem for files containing sensitive data (e.g., documents, spreadsheets, databases) targeted for exfiltration.10
T1482: Domain Trust Discovery: A key activity is mapping the Active Directory environment. They use command-line tools like ADFind and PingCastle to enumerate domain users, groups, computers, and trust relationships, helping them identify high-privilege accounts and critical servers.8
T1046: Network Service Discovery: They use network scanning tools like SoftPerfect Network Scanner or Advanced IP Scanner to discover other live hosts on the network and identify open ports and services that can be targeted for lateral movement.8
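The defense-evasion, credential-access and discovery techniques in 6.3 and 6.4 all leave process-level traces that an EDR or Sysmon pipeline can match on. The following is an added example (not tooling from the report or from Mjolnir Security) that runs a small set of behavioural rules over constructed Sysmon-style records: shadow-copy deletion (T1490), event-log clearing (T1070.001), discovery-tool execution (T1482/T1046) and LSASS access with PROCESS_VM_READ (T1003). The sample events, the tool basenames and the LSASS allowlist are assumptions to be tuned per estate.

```python
import re
from typing import Dict, Iterable, List

# Constructed Sysmon-style records (Event ID 1 = process create, Event ID 10 =
# process access). Paths and users are illustrative, not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "User": r"CORP\svc-backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Tools\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": r"CORP\jdoe"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]

# Command-line patterns for the defense-evasion TTPs described in 6.3.
CMDLINE_RULES = [
    ("T1490", "Inhibit System Recovery: shadow copies deleted with vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Inhibit System Recovery: shadow copies deleted via WMI",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1070.001", "Indicator Removal: Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
]

# Executable basenames of discovery tools named in the report. The file names
# are assumptions (affiliates can rename binaries), so this complements the
# behavioural rules rather than replacing them.
DISCOVERY_TOOLS = {"adfind.exe": "T1482", "pingcastle.exe": "T1482", "netscan.exe": "T1046"}

# PROCESS_VM_READ bit of the Windows access mask: reading LSASS memory needs it.
PROCESS_VM_READ = 0x0010
# Processes that legitimately open LSASS (assumed allowlist; tune per estate).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run all rules over the events and return one finding per match."""
    findings: List[Dict] = []
    for ev in events:
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            for tech, title, pattern in CMDLINE_RULES:
                if pattern.search(cmd):
                    findings.append({"technique": tech, "severity": "high",
                                     "title": title, "evidence": cmd})
            tech = DISCOVERY_TOOLS.get(basename(ev.get("Image", "")))
            if tech:
                findings.append({"technique": tech, "severity": "medium",
                                 "title": "Discovery tool executed", "evidence": ev["Image"]})
        elif ev.get("EventID") == 10:
            if basename(ev.get("TargetImage", "")) != "lsass.exe":
                continue
            access = int(ev.get("GrantedAccess", "0x0"), 16)
            src = basename(ev.get("SourceImage", ""))
            # Memory-reading access from an unexpected image is the Mimikatz signal.
            if access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
                findings.append({"technique": "T1003.001", "severity": "high",
                                 "title": "OS Credential Dumping: LSASS memory read",
                                 "evidence": ev["SourceImage"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['technique']} {f['title']}: {f['evidence']}")
```

The csrss.exe record is deliberately left unflagged: its access mask (0x1400) lacks PROCESS_VM_READ, which is why the rule keys on the access bits rather than on "anything touching lsass.exe".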
6.5. Lateral Movement (TA0008) & Command and Control (TA0011)
Using the information gathered, they move across the network to expand their foothold.
T1021.001: Remote Desktop Protocol: RDP is a favored method for lateral movement. Using credentials harvested during the credential access phase, they can log in to other servers interactively, providing a graphical interface to deploy tools and the final ransomware payload.8
T1071.001: Application Layer Protocol: For command and control, they rely on sophisticated post-exploitation frameworks like Cobalt Strike. The Cobalt Strike Beacon communicates over standard web protocols (HTTP/HTTPS), allowing its traffic to blend in with legitimate web browsing and evade simple network-based detection. They also use proxy malware like SystemBC to create stealthy C2 tunnels.12
6.6. Impact (TA0040)
The final stage of the attack is designed to cause maximum disruption and force a payment.
T1486: Data Encrypted for Impact: The core of the operation is the deployment of the Dragon Force ransomware. The payload encrypts files on targeted systems, appending a custom extension (e.g., .dragonforce_encrypted) and dropping a ransom note (e.g., README.txt) in each directory.27 They place a high priority on encrypting VMware ESXi hosts, which can take an entire virtualized infrastructure offline with a single action, dramatically increasing the pressure on the victim.8
T1491: Defacement: While their primary motivation is financial, their potential hacktivist roots are sometimes visible in tactics like website defacement, used to publicly shame a victim or make a political statement.10
The following table summarizes the key TTPs employed by Dragon Force and its affiliates.
Table 4: Dragon Force TTPs Mapped to MITRE ATT&CK

| Tactic | Technique ID | Technique Name | Description of Use by Dragon Force | Key Tools/Commands |
|---|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploiting known vulnerabilities like Log4Shell and flaws in RMM tools. | Log4Shell, SimpleHelp exploits |
| Initial Access | T1133 | External Remote Services | Brute-force and credential stuffing attacks against exposed RDP and VPNs. | N/A |
| Persistence | T1053.005 | Scheduled Task | Using schtasks.exe to schedule execution of malware for persistence. | schtasks.exe |
| Defense Evasion | T1490 | Inhibit System Recovery | Deleting Volume Shadow Copies to prevent easy file recovery. | vssadmin.exe, WMI |
| Defense Evasion | T1070.001 | Clear Windows Event Logs | Using wevtutil.exe to erase logs and hide traces of activity. | wevtutil.exe |
| Credential Access | T1003 | OS Credential Dumping | Using Mimikatz to extract passwords and hashes from LSASS memory. | Mimikatz |
| Discovery | T1482 | Domain Trust Discovery | Using ADFind to enumerate Active Directory objects and identify key targets. | ADFind, PingCastle |
| Lateral Movement | T1021.001 | Remote Desktop Protocol | Using stolen credentials to move laterally between systems via RDP. | RDP |
| Command & Control | T1071.001 | Application Layer Protocol | Using Cobalt Strike for stealthy, feature-rich command and control over HTTP/S. | Cobalt Strike, SystemBC |
| Impact | T1486 | Data Encrypted for Impact | Encrypting files on Windows, Linux, and VMware ESXi hosts for double extortion. | Dragon Force ransomware |
7. Dragon Force: Indicators of Compromise (IOCs)
This section catalogs the known Indicators of Compromise (IOCs) associated with Dragon Force ransomware operations. These artifacts are critical for detection and incident response efforts.
7.1. Network IOCs
Dragon Force’s network infrastructure includes their data leak sites and potentially C2 servers, although the latter are often ephemeral and specific to each affiliate’s campaign.
Data Leak Sites (Onion): The most definitive network IOCs for Dragon Force are the Tor .onion addresses of their data leak sites, where they publish stolen data from non-paying victims. These sites are a core part of their double extortion strategy.
C2 Infrastructure: While specific C2 IPs are transient, intelligence has pointed to the use of Russian-linked infrastructure for some of their operations.9
7.2. Host-Based IOCs
These indicators can be identified on compromised endpoints and servers, providing direct evidence of a Dragon Force intrusion.
File Hashes: Specific SHA256 hashes have been identified for various components of the Dragon Force ransomware and the tools used by its affiliates.
Ransomware Artifacts: The presence of ransom notes and files with specific extensions is a clear sign of impact.
Ransom Note Names: A common name for the ransom note file is README.txt.27
File Extensions: The default file extension appended to encrypted files is .dragonforce_encrypted. However, a key feature of their affiliate builder is that this extension is customizable, so it may vary between attacks.25
Tools and Malware: Dragon Force affiliates use a consistent set of well-known hacking tools to facilitate their attacks. The presence of these tools outside of legitimate administrative or security testing contexts is highly suspicious. Their arsenal includes Cobalt Strike, Mimikatz, SystemBC, AdFind, SoftPerfect Network Scanner, PingCastle, and FileSeek.8
| Type | Indicator | Description | Source |
|---|---|---|---|
| File Extension | .dragonforce_encrypted | Default file extension appended to encrypted files (customizable). | 25 |
| Ransom Note | README.txt | Common filename for the ransom note left by the malware. | 27 |
| Tool | AdFind.exe | Command-line tool for Active Directory enumeration, frequently used for discovery. | 8 |
| Tool | SystemBC | SOCKS5 proxy malware used for stealthy C2 communications. | 8 |
7.3. Ransomware Builder and Configuration
Understanding the capabilities of the Dragon Force builder is key to anticipating the variations in their attacks.
Leaked Codebase: The ransomware is built using the leaked builders of LockBit Black and Conti, inheriting their features and capabilities.14
Customization: The affiliate builder panel offers extensive customization options. Affiliates can configure the encryption mode (e.g., full file, percentage, header), define file paths and types to include or exclude, customize the content of the ransom note, and change the encrypted file extension.25 This means that IOCs like file extensions and note contents can differ from one affiliate’s campaign to another, making detection based on these artifacts less reliable than detection based on underlying behaviors.
8. Strategic Mitigation and Hardening Recommendations
Defending against the combined threat of Scattered Spider and Dragon Force requires a multi-layered, defense-in-depth strategy that addresses the entire attack chain, from the human element to technical controls and response planning. The following recommendations synthesize guidance from multiple security advisories and research reports.
8.1. Countering Social Engineering: The Human Layer
Because Scattered Spider’s primary attack vector is the human employee, strengthening this layer is paramount.
Intensive Help Desk Training: IT help desk and support staff are on the front lines and must be treated as a critical security control. They require intensive, recurring training focused specifically on recognizing the social engineering tactics used by Scattered Spider, such as pretexting, urgency, and impersonation. Implement and enforce strict, non-bypassable identity verification protocols for all requests involving password resets or MFA device changes. No exceptions should be made.16
User Awareness and Phishing Simulation: Conduct regular, realistic phishing and smishing awareness training for all employees.8 This should go beyond simple email phishing and include simulations of the vishing and smishing attacks favored by this group. The goal is to build a culture of healthy skepticism towards unsolicited requests for credentials or actions.
8.2. Securing the Identity Perimeter
Scattered Spider’s abuse of identity systems requires specific hardening of the identity and access management infrastructure.
Phishing-Resistant MFA: Where possible, enforce the use of phishing-resistant MFA, such as FIDO2/WebAuthn hardware tokens. These methods are not susceptible to credential phishing or push bombing attacks.
Harden Identity Provider Configurations: Implement strict change control and robust alerting for any modifications to the identity infrastructure. This includes creating high-severity alerts for the addition of new federated identity providers, changes to trust relationships, and modifications to conditional access policies.6
Control MFA Enrollment: Require administrator approval or a more stringent, multi-factor verification process for the enrollment of any new MFA device. This prevents an attacker from easily adding their own device to a compromised account.6
Enforce Least Privilege: Strictly enforce the principle of least privilege across both on-premises Active Directory and cloud IAM platforms (Azure AD, AWS IAM). User accounts should only have the minimum permissions necessary to perform their roles. This limits the blast radius if an account is compromised.8
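The identity-perimeter controls above reduce to two kinds of alerting: unconditional alerts on identity-plane changes (a new federated IdP, a policy rule edit) and a correlation alert when an MFA factor is enrolled shortly after a help-desk password reset from a different network address, which is the sequence a successful help-desk pretext produces. The following is an added example, not the report's or Mjolnir Security's tooling, over constructed audit records written in the Okta System Log naming style; the eventType strings, the 30-minute window and the sample data are assumptions, and the exact event names must be confirmed against your IdP's documentation.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit records (eventType strings follow the Okta System Log
# naming style; confirm exact values against your IdP before deploying).
SAMPLE_LOG: List[Dict] = [
    {"published": "2025-01-10T09:00:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk@corp.example", "target": "jdoe@corp.example", "client_ip": "10.1.2.3"},
    {"published": "2025-01-10T09:07:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "jdoe@corp.example", "target": "jdoe@corp.example", "client_ip": "203.0.113.45"},
    {"published": "2025-01-10T10:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "asmith@corp.example", "target": "asmith@corp.example", "client_ip": "10.4.5.6"},
    {"published": "2025-01-10T11:30:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": "jdoe@corp.example", "target": "idp-new-federation", "client_ip": "203.0.113.45"},
    {"published": "2025-01-10T12:00:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk@corp.example", "target": "bwong@corp.example", "client_ip": "10.1.2.3"},
    {"published": "2025-01-10T14:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bwong@corp.example", "target": "bwong@corp.example", "client_ip": "10.1.2.3"},
]

# Identity-plane changes that always deserve a page, regardless of context.
ALWAYS_ALERT = {
    "system.idp.lifecycle.create": "critical",  # new federated identity provider added
    "system.idp.lifecycle.update": "high",      # trust relationship modified
    "policy.rule.update": "high",               # conditional-access style rule changed
}
RESET_EVENT = "user.account.reset_password"
ENROLL_EVENT = "user.mfa.factor.activate"


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage(events: List[Dict], window_minutes: int = 30) -> List[Dict]:
    """Return alerts for identity-plane changes and suspicious MFA enrolments."""
    alerts: List[Dict] = []
    recent_resets: Dict[str, tuple] = {}  # target user -> (reset time, reset client IP)
    for ev in sorted(events, key=lambda e: _ts(e["published"])):
        t, etype = _ts(ev["published"]), ev["eventType"]
        if etype in ALWAYS_ALERT:
            alerts.append({"severity": ALWAYS_ALERT[etype], "rule": "identity-plane change",
                           "user": ev["actor"], "event": etype, "at": ev["published"]})
        elif etype == RESET_EVENT:
            recent_resets[ev["target"]] = (t, ev["client_ip"])
        elif etype == ENROLL_EVENT:
            reset = recent_resets.get(ev["target"])
            # Enrolment soon after a reset, from an address other than the one the
            # reset came from, is the help-desk-pretext-then-enrol pattern.
            if (reset and t - reset[0] <= timedelta(minutes=window_minutes)
                    and ev["client_ip"] != reset[1]):
                alerts.append({"severity": "high",
                               "rule": "MFA enrolment shortly after password reset from a new address",
                               "user": ev["target"], "event": etype, "at": ev["published"]})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['rule']}: {a['user']} ({a['event']} at {a['at']})")
```

The bwong enrolment is left unflagged because it happens two hours after the reset and from the same address; tightening the rule to "any enrolment after a reset" would recreate the alert fatigue that lets the real case through.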
8.3. Endpoint and Network Defense-in-Depth
Technical controls are essential for preventing malware execution, lateral movement, and impact.
Application Control/Allowlisting: Implement application control policies to block the execution of unauthorized software, with a specific focus on the RMM tools known to be abused by Scattered Spider (AnyDesk, TeamViewer, etc.). If these tools are required for legitimate business, their use should be restricted to authorized IT personnel and systems.16
Prevent BYOVD Attacks: Deploy endpoint controls that can prevent the loading of unauthorized or known-vulnerable kernel drivers. This includes enabling features like Microsoft’s Recommended Driver Block List and Hypervisor-Protected Code Integrity (HVCI).12 Ensure EDR solutions have robust tamper protection enabled.
Network Segmentation: Implement network segmentation to inhibit an attacker’s ability to move laterally from a compromised workstation to critical servers. Segregate user networks from server networks, and production environments from development environments.16
Restrict and Monitor Remote Services: Secure and heavily monitor all remote access services. Close any RDP ports that are open to the internet. Enforce strong, unique passwords and account lockout policies to deter brute-force attacks. Log and alert on all remote administrative access.12
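The last recommendation in this list, monitoring remote services and deterring brute force against RDP, is straightforward to express as detection logic. The following is an added example (not the report's or Mjolnir Security's tooling) that runs over constructed Windows Security events: it flags interactive RDP logons (LogonType 10) from addresses outside the assumed internal ranges, raises a brute-force alert when 4625 failures from one source exceed a threshold inside a sliding window, and escalates when a 4624 success follows such a burst. The sample records, the internal ranges and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Assumed internal address space; extend with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _ev(time: str, event_id: int, ip: str, user: str, logon_type: int = 10) -> Dict:
    return {"time": time, "EventID": event_id, "LogonType": logon_type,
            "IpAddress": ip, "TargetUserName": user}


# Constructed Security-log records: a password-guessing burst from an external
# address, a success from the same address, and some internal noise.
SAMPLE_EVENTS: List[Dict] = [
    _ev("2025-01-10T08:00:00Z", 4625, "198.51.100.7", "administrator"),
    _ev("2025-01-10T08:00:30Z", 4625, "198.51.100.7", "admin"),
    _ev("2025-01-10T08:01:00Z", 4625, "198.51.100.7", "backup"),
    _ev("2025-01-10T08:01:30Z", 4625, "198.51.100.7", "jdoe"),
    _ev("2025-01-10T08:02:00Z", 4625, "198.51.100.7", "jdoe"),
    _ev("2025-01-10T08:02:30Z", 4625, "198.51.100.7", "jdoe"),
    _ev("2025-01-10T08:03:00Z", 4624, "198.51.100.7", "jdoe"),
    _ev("2025-01-10T08:05:00Z", 4625, "10.0.0.5", "asmith"),
    _ev("2025-01-10T08:05:20Z", 4625, "10.0.0.5", "asmith"),
    _ev("2025-01-10T08:06:00Z", 4624, "10.0.0.8", "asmith", logon_type=3),
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(events: List[Dict], threshold: int = 5, window_minutes: int = 10) -> List[Dict]:
    """Return RDP exposure, brute-force and success-after-failures alerts."""
    alerts: List[Dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> recent 4625 times
    flagged_public, flagged_bruteforce = set(), set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("LogonType") != 10:          # only RemoteInteractive (RDP) logons
            continue
        ip, t = ev["IpAddress"], _ts(ev["time"])
        if not is_internal(ip) and ip not in flagged_public:
            flagged_public.add(ip)             # RDP reachable from outside: should not happen
            alerts.append({"rule": "rdp_from_public_ip", "severity": "medium", "ip": ip})
        window = failures[ip]
        while window and t - window[0] > timedelta(minutes=window_minutes):
            window.popleft()                   # drop failures outside the sliding window
        if ev["EventID"] == 4625:
            window.append(t)
            if len(window) >= threshold and ip not in flagged_bruteforce:
                flagged_bruteforce.add(ip)
                alerts.append({"rule": "rdp_bruteforce", "severity": "high",
                               "ip": ip, "failures": len(window)})
        elif ev["EventID"] == 4624 and len(window) >= threshold:
            # A success right after a burst of failures is the guessed-password case.
            alerts.append({"rule": "rdp_success_after_failures", "severity": "critical",
                           "ip": ip, "user": ev["TargetUserName"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

The brute-force alert fires once per source when the threshold is crossed rather than on every subsequent failure, so the pager sees one high alert and one critical escalation rather than a flood; an account-lockout policy, as recommended above, stops the burst before the success ever appears.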
8.4. Incident Response and Recovery
A resilient recovery capability is the last line of defense against a successful ransomware attack.
Immutable and Offline Backups: Maintain multiple copies of critical data, with at least one copy stored offline and/or in an immutable format. This ensures that even if the production network and online backups are encrypted, a clean copy of the data exists for restoration.16
Test Incident Response Plans: Regularly develop, update, and test the organization’s incident response (IR) plan. These tests should include tabletop exercises that simulate a sophisticated, multi-stage attack like the one perpetrated by Scattered Spider and Dragon Force. This ensures that all stakeholders understand their roles and responsibilities in a crisis.3
Conclusion: Forging a Resilient Defense with Mjolnir Security
The collaborative onslaught of Scattered Spider and Dragon Force represents more than just another threat; it signifies a fundamental evolution in the cybercrime landscape. We are now facing a globalized, specialized “as-a-service” ecosystem where mastery of social engineering is seamlessly integrated with the devastating impact of mature, weaponized ransomware. A defense strategy rooted in legacy tools or focused on singular threats is no longer sufficient. To counter this multi-faceted and persistent adversary, organizations require an equally sophisticated, intelligence-led, and resilient security partner.
This is where Mjolnir Security provides critical value. We are built to defend against the modern kill chain. Our services are not generic; they are precision-engineered to counter the specific TTPs wielded by groups like Scattered Spider and Dragon Force, transforming your security posture from reactive to resilient.
How Mjolnir Security Can Help
Our approach is built on a deep understanding of the adversary’s playbook. We directly address the critical vulnerabilities exploited in this attack chain through a suite of specialized services:
1. Fortifying the Human Layer:
We recognize that your people are your primary perimeter. Our Human Layer Defense Program goes beyond standard awareness training.
Advanced Help Desk Shielding: We provide intensive, scenario-based training for your IT support staff, simulating the exact vishing and pretexting tactics used by Scattered Spider to build a robust, verification-first mindset.
Realistic Attack Simulation: Our phishing, smishing, and vishing simulations mimic real-world campaigns, conditioning your entire organization to recognize and report sophisticated social engineering attempts.
2. Hardening the Identity Perimeter:
Identity is the new battlefield. Our Identity & Access Resilience Service secures your most critical assets.
MFA & IdP Fortification: We guide you through the deployment of phishing-resistant MFA (FIDO2) and conduct deep audits of your Okta and Azure AD configurations, implementing custom, high-fidelity alerts for dangerous activities like the creation of new federated trusts or suspicious MFA enrollments.
Privilege & Access Control: We help you implement and enforce a strict Zero Trust and least-privilege model, ensuring that if an account is compromised, the blast radius is contained.
3. Building a Defense-in-Depth Architecture:
We assume a breach will occur and build your defenses to contain and neutralize it.
Endpoint & Network Control: We work with you to implement robust application allowlisting to block unauthorized RMM tools, deploy kernel-level protection against BYOVD attacks, and design effective network segmentation strategies that choke off lateral movement.
Proactive Threat Hunting: Our managed detection and response (MDR) team leverages proprietary intelligence, actively hunting for the subtle signs of a Scattered Spider or Dragon Force intrusion within your environment 24/7.
4. Ensuring Business Resilience & Recovery:
When impact is imminent, a tested plan is your most valuable asset.
Incident Response Readiness: We help you develop and pressure-test your incident response plan with realistic tabletop exercises that simulate this end-to-end attack chain, ensuring your team is prepared to act decisively.
Immutable Recovery Strategy: We architect and validate a robust, multi-tiered backup strategy that includes immutable and offline copies of your critical data, guaranteeing your ability to recover without paying a ransom.
The threat is specialized. Your defense must be too. Partner with Mjolnir Security to move beyond fear and build a proactive, intelligent, and resilient defense capable of withstanding the most sophisticated attacks of today and tomorrow.