Signals from the Underground: DragonForce’s Ransomware Footprint in 2025
DragonForce has quickly emerged as one of the more disruptive additions to the ransomware landscape, operating with a self-managed infrastructure and targeting victims across multiple regions. Initially surfacing in late 2023, the group has since escalated its operations, moving from symbolic attacks to data extortion campaigns involving terabytes of stolen material.
What distinguishes DragonForce from more traditional ransomware actors is not just their infrastructure setup, but their visible push for operational independence. With incidents recorded across North America, Europe, Asia, and the Middle East, the group has positioned itself as a global threat operating largely outside of the usual affiliate frameworks.
This report traces DragonForce’s evolution through leaked samples, negotiation artifacts, dark web forums, and infrastructure signals. It also highlights the group’s latest campaigns, offering a closer look at how this actor is reshaping the ransomware threat surface across both public and private sectors.
Recent Victim Activity and Geographic Spread
DragonForce’s targeting in late July 2025 reveals a continued emphasis on small to mid-sized enterprises, strategically selected across multiple regions. The most recent breach disclosures, observed on their dark web leak site and confirmed through indexed file server activity, include companies spanning Italy, Germany, the United States, and Lebanon. Each case reinforces the group’s flexible operational model and growing confidence in executing parallel extortion campaigns.
The latest known compromise occurred on 31 July 2025, targeting Framon S.p.A., an Italian industrial design and manufacturing company (domain: framon.it). As with prior incidents, the group published a preview of allegedly exfiltrated data on its leak portal, threatening full disclosure unless ransom demands were met.
Just days earlier, on 28 July, the group listed Software Design Consulting Group, a Lebanon-based IT and project management firm. This marks one of the first verified DragonForce incidents involving a Lebanese entity and expands the group’s documented activity further into the Middle East.
On the same day, DragonForce also claimed responsibility for targeting a Missouri-based law firm, Vontava Nantz & Johnson LLC. The group reportedly has access to around 100 GB of data, including customer files, which it has already released.
In the U.S., Emerson Chiropractic, a private healthcare business, appeared on DragonForce’s leak site on 25 July. The targeting of healthcare-related entities, especially small clinics, reflects a growing trend of exploiting sectors with low tolerance for downtime and minimal cybersecurity maturity.
That same day, the group also claimed responsibility for breaching md-labels-gmbh.com, a German labeling and printing firm. The diversity of industries affected, from healthcare to industrial labeling, signals opportunistic targeting rather than vertical specialization.
While these campaigns differ in industry and geography, they all follow DragonForce’s signature disclosure pattern: limited file previews, structured data trees, and deadlines enforced through public countdown timers. These incidents further validate DragonForce’s commitment to scaling its ransomware operations while maintaining full control over leak and negotiation infrastructure.
Technical Infrastructure and Ransomware Operations
While DragonForce’s branding evokes a typical ransomware collective, their operational stack blends elements of both hacktivist signaling and profit-driven extortion. Unlike more sophisticated ransomware-as-a-service (RaaS) crews, DragonForce favors direct infrastructure control, opting to self-manage their ransomware leak sites, negotiation portals, and data dumps, all hosted on the Tor network.
StealthMole traced DragonForce’s activity across multiple .onion domains, including:
- Primary: http://z********************************************************d.onion
- Chat Portal: http://3******************************************************d.onion
- Victim-Specific Leak Page: Unique, per-target URLs hosted on a separate .onion subpath
In each observed case, DragonForce deploys a custom file indexing system, displaying directory-style listings for stolen data, often segregated by internal IP structure and departmental folders. This presentation is notably less automated than that of traditional RaaS groups like LockBit, and more tailored to instill psychological pressure on victims.
A unique aspect of DragonForce’s extortion pipeline is their use of qTox, a decentralized, encrypted communication client that allows peer-to-peer messaging without centralized logging. Unlike traditional ransomware panels, this approach leaves minimal traces and grants the group full control over negotiations, a method that aligns with their preference for autonomy and direct infrastructure management.
Group Profile and Evolution
DragonForce’s rise reflects the blueprint of a modern ransomware operation shaped by visibility, infrastructure control, and targeted psychological pressure. While the group does not match the operational scale of more established ransomware syndicates, it has built a name through persistent branding, direct extortion efforts, and a consistent presence across underground forums.
The group first began surfacing around August 2023, initially promoting its activities through self-hosted leak portals and gradually extending its footprint into underground communities. By November 2023, a user operating under the alias "dragonforce" appeared on ***************s, posting under that handle consistently across at least three iterations of the forum: **********s.**, ***********s.**, and ********s.**. These accounts laid the groundwork for DragonForce’s external identity, pairing forum presence with operational announcements, including introductions, promotional banners, and RaaS-aligned messaging.
- https://***********s.**/User-dragonforce
- https://***********s.**/User-dragonforce
- https://***********s.**/User-dragonforce
This branding continued to evolve with the group’s entry into ****, a ********n-speaking dark web forum that hosts cybercriminal vendor recruitment, malware services, and RaaS announcements. In a now-archived thread, the DragonForce user introduced a ransomware service called "R********y", inviting collaboration and explicitly promoting it as “supported by DragonForce.” The post featured contact channels, PGP verification blocks, a Tox ID, and links to infrastructure, confirming that DragonForce was not only seeking partners, but also attempting to position itself within the broader RaaS landscape.
- Tox ID: 1C************************************************************************0
- PGP: -----BEGIN PGP SIGNATURE----- i****************4 -----END PGP SIGNATURE-----
- PGP Fingerprint: FF********************8
Unlike larger ransomware syndicates, however, DragonForce’s ecosystem does not appear to rely on a sprawling affiliate network. While they do signal openness to collaboration, their operations suggest a preference for direct management and internal control. In every observed campaign, the group has retained full control over infrastructure, leak staging, and negotiations, avoiding the third-party portals, panels, or shared dashboards typical of RaaS operators like LockBit.
The group’s identity management strategy is notably consistent. The "dragonforce" handle is used across all forums, and has also been associated with multiple .onion addresses, including data leak sites, chat portals, and file staging servers. This alignment across infrastructure and forums creates a persistent signature, even as their content and platforms shift. At the same time, the group demonstrates a strong grasp of operational security: deploying qTox for encrypted peer-to-peer negotiation and isolating ransom infrastructure per target.
While DragonForce’s language and outreach suggest confidence and expansionist ambition, the actual scope of operations remains measured. Based on incident tracking through StealthMole and dark web visibility signals, their campaigns appear deliberate, victim-specific, and carefully staged rather than opportunistic. Messaging across forums reflects a tone of controlled aggression, emphasizing victim punishment and public exposure more than technical sophistication.
By early 2025, DragonForce had solidified its presence across dark web ecosystems, achieving visibility through forum activity, Telegram circulation, and direct attacks. Yet its strength lies not in volume, but in narrative control, infrastructure consistency, and targeted psychological impact, traits that position it as a lean but high-impact ransomware threat.
Visibility and Ecosystem Signals
Despite operating without the public-facing flair of high-profile ransomware brands like LockBit or AlphV, DragonForce has steadily built an underground presence across both dark web and encrypted communication ecosystems. Their infrastructure, primarily Tor-based, is not only tightly controlled but also deliberately decentralized across multiple .onion domains, each serving a distinct operational purpose.
StealthMole uncovered 16 unique file server URLs tied to DragonForce’s extortion campaigns. These URLs were not indexed on public ransomware aggregators, nor were they broadly circulated across Telegram or dark web forums. Instead, their usage was limited to private negotiations and ransomware communication channels, possibly to limit forensic visibility. These domains were often live only for the duration of the extortion period.
- http://dragon*************************************************d.onion/
- http://zs*****************************************************d.onion/
- http://6d*****************************************************d.onion/
- http://eo*****************************************************d.onion/
- http://ew*****************************************************d.onion/
- http://3r*****************************************************d.onion/
- http://jz*****************************************************d.onion/
- http://2y*****************************************************d.onion/
- http://bp*****************************************************d.onion/
- http://db*****************************************************d.onion/
- http://xt*****************************************************d.onion/
- http://4w*****************************************************d.onion/
- http://73****************************************************id.onion/
- http://nw****************************************************yd.onion/
- http://d*****************************************************ad.onion/T
- http://fs*****************************************************d.onion/
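The file server URLs above are redacted, but each is a Tor v3 onion address: 56 base32 characters that encode a 32-byte Ed25519 public key, a 2-byte checksum, and a version byte (0x03), as specified in Tor's rend-spec-v3. An analyst pulling such addresses out of forum posts, chat logs, or Telegram messages wants to validate them before adding them to a tracker, since a single mistyped or partially redacted character produces a useless indicator. The following Python is an added example, not StealthMole's tooling: it builds a valid v3 address from a constructed dummy key (the real DragonForce keys are of course unknown), checks the checksum and version byte of any candidate, and extracts only valid addresses from a constructed snippet of forum text.

```python
import base64
import hashlib
import re
from typing import List

# Candidate v3 labels: exactly 56 base32 characters followed by ".onion".
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")

ONION_VERSION = 3


def _checksum(pubkey: bytes, version: int) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] per rend-spec-v3."""
    h = hashlib.sha3_256()
    h.update(b".onion checksum")
    h.update(pubkey)
    h.update(bytes([version]))
    return h.digest()[:2]


def build_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte public key as a v3 onion address (used here only to create test data)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are 32 bytes")
    raw = pubkey + _checksum(pubkey, ONION_VERSION) + bytes([ONION_VERSION])
    # 35 bytes -> 56 base32 chars, no padding needed
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(addr: str) -> bool:
    """Return True only if addr has the right length, decodes, carries version 3,
    and its embedded checksum matches the embedded key."""
    addr = addr.strip().lower()
    if not addr.endswith(".onion"):
        return False
    label = addr[: -len(".onion")]
    if len(label) != 56:
        return False  # v2 (16 chars) and typos are rejected here
    try:
        raw = base64.b32decode(label.upper())
    except Exception:
        return False
    if len(raw) != 35:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == ONION_VERSION and checksum == _checksum(pubkey, version)


def extract_onion_urls(text: str) -> List[str]:
    """Pull every syntactically plausible v3 address out of free text and keep
    only those whose checksum verifies."""
    found = set()
    for m in ONION_V3_RE.finditer(text.lower()):
        addr = m.group(1) + ".onion"
        if validate_onion_v3(addr):
            found.add(addr)
    return sorted(found)


# Constructed sample: a dummy key (NOT a real DragonForce key) plus a bogus
# all-'a' label of the right length, embedded in fake forum text.
DEMO_PUBKEY = bytes(range(32))
DEMO_ADDR = build_onion_v3(DEMO_PUBKEY)
DEMO_TEXT = (
    "new mirror is up at http://" + DEMO_ADDR + "/ (constructed sample)\n"
    "ignore this one: http://" + "a" * 56 + ".onion/ it never worked\n"
)


def demo() -> List[str]:
    return extract_onion_urls(DEMO_TEXT)


if __name__ == "__main__":
    for a in demo():
        print("valid v3 onion:", a)
```

The all-'a' label decodes cleanly but carries a version byte of 0 and a wrong checksum, so it is dropped; that is the distinction a tracker needs when scraping noisy underground posts, where partial or typo'd addresses are common.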
While DragonForce did not rely heavily on mainstream ransomware mirrors or Telegram bots, StealthMole’s dark web and Telegram intelligence tools detected indirect promotion of DragonForce by associated threat ecosystems. For example:
- Pro-ransomware channels like A**********s E****t, R****F******s, and even L******-supporting groups shared DragonForce posts and URLs.
- These shares largely focused on primary infrastructure URLs, such as:
  - http://z3***************************************************id.onion
  - http://3p****************************************************d.onion
  - http://nwt***************************************************d.onion
The distribution was usually limited to “announcement-style” posts, showing alignment or soft endorsements rather than direct collaboration. This pattern aligns with DragonForce’s broader operational behavior: centralized, private, and highly compartmentalized.
Internal Tensions or External Leak?
On 21 March 2025, a user named n******10 posted a curious thread titled “What’s happening with DragonForce?” on BreachForums, highlighting unusual developments around the threat actor. The user referenced new files and logs that had suddenly surfaced, allegedly uploaded by B*******k aka E*******o. These exposed materials were not part of any known DragonForce publication and appeared to contain chat logs, password hashes, and environment files, indicating a possible breach of DragonForce’s own systems or a leak from within.
Screenshots attached to the thread included images from a panel still carrying DragonForce’s branding, including the slogan “work without paranoia”. Key among the exposures were a full /etc/passwd file and an environment dump (labeled “.env (Oh-no...)”), pointing to back-end server data.
Even more damaging was the disclosure of raw negotiation chats between DragonForce and a presumed *******n victim. The chat included sentences like:
“I make 30 million I*****n *****n per month, your request is 9 billion *****n…”
and
“All I have is 90 million *****n which is like 800 or 900 dollars... I am nobody.”
This segment aligns with the earlier qTox-based ransom negotiation style used by the group, reinforcing that the leaked material was authentic and internal.
Another BreachForums user, mercio0, later replied to the post stating plainly:
“Dragonforce hacked its competitors.”
The leak site in question, http://datal****************************id.onion/, at first glance resembled a typical data leak repository. However, once processed through StealthMole’s darkweb tracking tool, several embedded indicators confirmed the identity of the operator. These included email addresses, a qTox ID, a Session ID, and links to Telegram channels, all tied to Bk’s known infrastructure and aliases. This attribution firmly positions the leak within the operational ecosystem of **B*k/E******o, either as a retaliatory act, competitive sabotage, or deliberate exposure.
Whether the breach was an internal misstep, a leak by a disgruntled affiliate, or part of a larger feud between ransomware syndicates remains unclear. However, the technical breadcrumbs found by StealthMole confirm that Bl*******k/E********o was directly involved in hosting and distributing the leaked materials, marking one of the rare instances of intra-cartel exposure targeting DragonForce.
Malware (Ransomware) Artifacts and Campaign Attribution
Among the most critical discoveries in this investigation were a set of 36 ransomware file hashes uncovered through StealthMole’s dark web monitoring module. These malware indicators were indexed directly from DragonForce’s infrastructure, specifically from the Tor domain http://z3*******************************id.onion. Some of the hashes are listed below:
- 4**************************************************************6
- b**************************************************************5
- dc*************************************************************4
- a**************************************************************b
- c9*************************************************************9
- f5*************************************************************2
- d6*************************************************************7
- f8*************************************************************1
- a9*************************************************************c
- 8**************************************************************4
- 5c*************************************************************9
- 82*************************************************************9
- 312***********************************************************83
What makes this discovery particularly significant is the complete lack of external visibility: these ransomware artifacts were not indexed in any public threat intelligence feeds, malware sandboxes, or OSINT platforms at the time of discovery. This reinforces a core strength of StealthMole: the ability to identify malware infrastructure that has not yet been exposed to broader intelligence ecosystems.
These ransomware file hashes are valuable not only for attribution but also for forward-looking defense. The presence of these hashes offers a unique early warning capability for security teams seeking to defend against emerging DragonForce operations. In traditional models, indicators of compromise (IOCs) only surface after payloads have already infected systems or reached public scanning tools. In contrast, the intelligence surfaced by StealthMole gives clients access to preemptive detection: arming defenders with the ability to monitor for these payloads before infection vectors are deployed. For national infrastructure, high-value commercial sectors, or sensitive targets, this kind of foresight is mission-critical.
Additionally, the placement of these ransomware hashes within the same Tor infrastructure used to stage leaks and host negotiation content demonstrates DragonForce’s pattern of consolidating operational elements in single, purpose-built environments.
The long-term value of these discoveries lies in their potential to power correlation models. Should any of these hashes later surface in corporate breach investigations, endpoint alerts, or sandbox detonations, they can serve as high-confidence links back to DragonForce infrastructure, anchoring attribution and supporting broader incident response strategies. By integrating these findings into threat detection systems, organizations can gain a strategic edge in identifying DragonForce-related activities in their earliest, most vulnerable stages.
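The correlation use described above (checking hashes seen in endpoint alerts, sandbox detonations, or on disk against a set of known DragonForce payload hashes) reduces to a hash-set lookup over files. The Python below is an added example, not StealthMole's product code; because the report's 36 SHA-256 values are redacted on the page, the IOC set is a constructed placeholder (the hash of a harmless sample byte string), and the directory tree it scans is built in a temporary folder. It hashes files in chunks so large archives do not load into memory, skips unreadable files instead of aborting, and normalizes the indicator list so stray whitespace or mixed case in a feed export does not cause silent misses.

```python
import hashlib
import os
import tempfile
from typing import Iterable, List, Set, Tuple

CHUNK = 1 << 20  # hash in 1 MiB chunks

# Constructed placeholder IOC set. The report's DragonForce hashes are redacted,
# so this is the SHA-256 of a harmless sample string, NOT a real indicator.
SAMPLE_PAYLOAD = b"constructed sample payload for the demo, not real malware"
IOC_SHA256_RAW = [hashlib.sha256(SAMPLE_PAYLOAD).hexdigest().upper() + "  "]


def normalize_iocs(raw: Iterable[str]) -> Set[str]:
    """Lower-case, strip whitespace, and drop anything that is not a 64-hex SHA-256."""
    out = set()
    for h in raw:
        h = h.strip().lower()
        if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
            out.add(h)
    return out


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 rather than reading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs: Set[str]) -> List[Tuple[str, str]]:
    """Walk root and return (path, sha256) for each file whose hash is in iocs.
    Files that cannot be read (permissions, races) are skipped, not fatal."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def build_demo_tree() -> str:
    """Constructed sample tree: one benign file and one file matching the IOC set."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign content")
    with open(os.path.join(root, "sub", "suspect.bin"), "wb") as f:
        f.write(SAMPLE_PAYLOAD)
    return root


def demo() -> List[str]:
    """Scan the constructed tree and return matching paths relative to its root."""
    root = build_demo_tree()
    hits = scan_tree(root, normalize_iocs(IOC_SHA256_RAW))
    return [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in hits]


if __name__ == "__main__":
    for rel in demo():
        print("IOC match:", rel)
```

In practice the IOC set would be loaded from the feed export rather than computed inline, and a hit would be escalated to incident response with the file path and hash attached as the pivot back to the originating infrastructure.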
Ultimately, this section highlights the core capability StealthMole brings to the table: not just tracking actors once they’ve struck, but detecting and contextualizing their tooling before they move. In a threat landscape where timing defines impact, this level of visibility offers both strategic and operational advantage.
Conclusion
DragonForce represents a new wave of ransomware groups that blend independent infrastructure with limited-scale affiliate engagement. While not structured like legacy RaaS syndicates, the group has explicitly invited partnerships and joint operations, most notably through its **** posts promoting “R*******y” and other collaborative ventures. This hybrid approach allows DragonForce to maintain control over its leak sites, file servers, and communication portals, while selectively extending operational reach through trusted actors.
Their campaigns in 2025 show clear signs of strategic expansion, with confirmed victims across North America, Europe, and the Middle East. Their targeting is opportunistic and geographically diverse, spanning manufacturing, healthcare, IT consulting, and construction sectors. At the same time, DragonForce’s infrastructure strategy (custom domains, victim-specific data portals, encrypted negotiation channels) suggests a preference for compartmentalization and operational secrecy.
StealthMole’s ability to correlate disparate elements across this ecosystem has proven key to monitoring DragonForce’s trajectory. From uncovering ransomware hashes indexed only on Tor-based infrastructure, to tracking Telegram amplification patterns and parsing actor discussions across **** and ***********s, StealthMole surfaces signals that often evade conventional monitoring tools.
As ransomware actors evolve to evade public attribution and avoid traceable infrastructure reuse, defenders will increasingly rely on capabilities like StealthMole’s, fusing underground visibility with actor profiling, malware telemetry, and infrastructure graphing. DragonForce may still be categorized as a mid-tier group, but their agility, discretion, and expanding reach suggest a threat actor that is both intentional and ascendant.
Editorial Note
This investigation into the DragonForce ransomware group illustrates how modern extortion operations increasingly blur the lines between structured ransomware models and ad hoc cybercriminal collectives. While this actor maintains self-hosted infrastructure and presents with an organized leak system, its flexible use of affiliates, encrypted negotiation channels, and fragmented victim portals complicate attribution and detection efforts.
The visibility achieved throughout this case was made possible through StealthMole. These tools allowed for deep pivots across hard-to-index assets, capturing negotiation artifacts, identifying unlisted malware hashes, and correlating file server infrastructure spread across the Tor network.
As with all dark web investigations, cyber attribution remains probabilistic, and DragonForce’s strategic compartmentalization serves as a reminder that infrastructure reuse is no longer a given. Campaigns like these reinforce the need for integrated underground intelligence that spans forums, malware ecosystems, communication platforms, and affiliate recruitment networks, turning fragmented signals into a coherent threat profile.