The Storm Behind the Dragon: Unmasking the Infrastructure Powering Dragon Ransom
In mid-2024, a new ransomware operator known as Dragon Ransom (or DragonRaaS) quietly surfaced across dark web and Telegram channels. Initially dismissed as yet another actor in a crowded ransomware ecosystem, the group quickly distinguished itself through its aggressive propaganda, multi-platform presence, and most notably, its ideological positioning: openly aligning itself with pro-Palestinian messaging and anti-Israel rhetoric.
While the group brands itself independently under Dr********* | V****** **, deeper investigation revealed critical infrastructure overlaps and affiliations that place Dragon Ransom within a broader cybercrime ecosystem. Their adoption of Telegram-based recruitment, cross-promotion through known actors, and coordinated defacement postings points to a strategic effort to blend hacktivist motivations with ransomware monetization.
At the center of these connections lies *******s, a well-known ransomware collective active in ideological operations and previously documented in high-profile targeting of Israeli and U.S. assets. Our investigation, driven primarily through StealthMole’s platform, reveals that DragonRaaS may not be a wholly new threat actor but rather an extension, subdivision, or campaign entity operating under or in collaboration with *******s infrastructure.
This report deconstructs the rise of Dragon Ransom: how it operates, who amplifies it, and why it matters in the evolving ransomware threat landscape.
Incident Trigger & Initial Investigation
First discovered during parallel research into DragonForce, Dragon Ransom initially piqued interest due to its naming overlap - suggesting either a splinter group, a copycat, or a misattribution. What began as a superficial inquiry quickly evolved into a deeper investigation as StealthMole's intelligence tools began surfacing a cluster of indicators that set DragonRaaS apart from typical low-tier ransomware attempts.
The first signs of operational activity by Dragon Ransom appeared in mid-2024, when the group launched its official Telegram channel. Early posts were limited to vague branding and a promise of a forthcoming platform.
But by October 2024, the group shifted gears, launching its first confirmed ransomware campaign. On October 25, Dragon Ransom claimed responsibility for an attack on Al-Saeeda University, a private institution in Yemen. Just a day later, it formally introduced its “Dragon Ransomware RaaS Platform,” suggesting a move beyond opportunistic targeting to an organized ransomware-as-a-service (RaaS) operation.
This back-to-back sequence - first a real-world attack, then the promotion of a service-based ransomware platform - marked a pivotal shift in operational strategy. It indicated that Dragon Ransom was not merely engaging in isolated targeting but positioning itself as a RaaS operator, complete with a brand identity, affiliate recruitment mechanisms, and monetization infrastructure.
At this stage of investigation, the group still appeared to be a new entrant. However, as StealthMole’s multi-source threat intelligence engine continued to cross-index Dragon Ransom’s posts, behavior, and binaries, a more complex story began to emerge: one that would eventually expose deep affiliations with a more established ransomware group.
Actor Identity and Evolution
Dragon Ransom, also known by its internal branding Dr*********S V******* **, surfaced in mid-2024 as a newcomer in the ransomware landscape. At a glance, it resembled many low-profile, Telegram-based ransomware projects with minimal footprint and unclear structure. However, Dragon Ransom quickly separated itself from typical throwaway campaigns through its ideological tone, strategic messaging, and active positioning as a Ransomware-as-a-Service (RaaS) provider.
Timeline of Emergence
- July 2024: Dragon Ransom launches its official Telegram channel. Early posts feature basic graphics and promotional teasers for a future ransomware platform.
- October 25, 2024: The group announces its first confirmed attack: targeting Al-Saeeda University, a private institution in Yemen.
- October 26, 2024: Dragon Ransom unveils its Dragon Ransomware RaaS Platform, moving from brand-building into operational deployment.
These back-to-back posts mark Dragon Ransom’s pivot into full RaaS operations, featuring planned affiliate recruitment, victim targeting, and campaign visibility.
Ideological Positioning
Unlike most financially motivated ransomware groups, Dragon Ransom weaves strong geopolitical messaging into its materials. The group has openly:
- Shared pro-Palestinian visuals (e.g., a dragon bearing the Palestinian flag)
- Circulated anti-Israel propaganda posters
- Issued statements targeting Israel, the U.S., France, Germany, and the UK
This combination of ransomware with hacktivist-style ideology makes Dragon Ransom part of a growing subset of actors blending political signaling with cybercrime monetization.
Branding, Reach, and Platform Use
Dragon Ransom brands itself as “Dr***** ***** | V******* **”, echoing language typical of scalable affiliate-based services. Visual and promotional content emphasizes:
- Fast, “ultra-light” encryption payloads (~50KB)
- Customizable builders for affiliate use
- Full affiliate autonomy and anonymity
- Subscription milestones (e.g., ransomware builder release at 1K Telegram subscribers)
These tactics mirror the promotional strategies used by more prominent RaaS brands, aiming to draw attention while minimizing risk through decentralization.
Notably, Dragon Ransom operates almost entirely through Telegram. It does not maintain any known dedicated dark web or surface web leak site, payment portal, or negotiation page. Instead, its communication, file dumps, announcements, and brand positioning are all centralized within Telegram channels and bots, a model that allows rapid scaling while avoiding the exposure and complexity of traditional infrastructure.
This dependence on Telegram and m****** platforms suggests the group prioritizes visibility, ideological signaling, and lightweight operations over complex backend management.
Telegram Ecosystem Presence
Telegram was not only Dragon Ransom’s central platform for operations, it was also the primary entry point through which their broader infrastructure and affiliations were uncovered. The group’s now-deactivated channel, @**********m, served as the origin for nearly all early intelligence related to the actor’s activity, tools, and affiliations.
- https://t.me/*********m
Upon examining the channel through StealthMole’s Telegram Tracker, we identified the group’s username as “Dr******* ***S | V******* **”, a clear signal that they were positioning themselves as a Ransomware-as-a-Service provider. One of the first high-confidence pivots came from this profile metadata: a TOX ID posted alongside their branding:
- B0**********************************************************************1
Running the TOX ID through StealthMole’s dark web tracker revealed its association with the ********s Chat Telegram group, an important discovery suggesting that Dragon Ransom and *******s were part of the same extended ecosystem. Within that chat, we identified a forwarded message from Dragon Ransom dated 26 October 2024, confirming that *******s had been promoting Dragon’s ransomware platform from the time of its launch.
- https://t.me/*********t
The same chat also contained pro-Palestinian messages, reinforcing *******s’ ideological posture.
From there, additional aliases, DragonRaaS and DragonTeam, were used as pivot terms across StealthMole’s darkweb tracking engine. These yielded critical insights into the group’s external infrastructure. A notable match came from a ransom note titled p****_*****e@.***, which, while attributed to a Dragon Ransom incident, directed victims to contact @*******sBot for negotiations.
A direct query for “Dragon Ransom” produced a further discovery: one of the surfaced ransom panel screenshots featured a Bitcoin address linked to the group.
- 1D***********************A
Running the channel link through StealthMole further surfaced mentions of Dragon Team in public defacement logs. These included:
- A defacement of organia herbal posted to M*******: https://m********.org/m******/5814755/
- A listing for doctorpsy.com.ua on Z*******: http://z*********s.org/defaced/2025/01/29/doctorpsy.com.ua/doctorpsy.com.ua
Both entries carried the “Dragon Team” tag and reflected the same ideological alignment seen in the group’s Telegram content. Taken together with the channel posts, they show that the group runs defacement campaigns alongside its ransomware activity and uses Telegram to broadcast both.
Affiliations and Cross-Promotion with Other Actors
While Dragon Ransom publicly positioned itself as a standalone Ransomware-as-a-Service (RaaS) entity, its early amplification and sustained presence across ideologically aligned and criminal Telegram channels reveal that it is deeply embedded within a broader network of cyber actors, many of whom share overlapping operational goals, propaganda styles, and possibly even personnel.
The first layer of affiliation was observed between Dragon Ransom and *******s, which is explored in greater detail in the next section. However, beyond *******s, Dragon’s emergence was echoed across multiple other threat actor spaces. Using StealthMole’s Telegram intelligence module, we tracked how Dragon Ransom’s campaign announcements were reposted or forwarded in several Telegram channels associated with ideologically motivated cybercrime and hacktivist collectives. These included:
- E*** ******o: https://t.me/e**********o
- M******* S********s: https://t.me/Chat_M*******_S******s
- B***** S*****: https://t.me/b******me
- L******t: https://t.me/+B******************l
- R********s: https://t.me/R***********t
Each of these channels carried either the original DragonRansom ransom images, reposts of the campaign against Al-Saeeda University, or direct mentions of DragonRaaS. Notably, B***** S***** and B********m channels appear to maintain a loose pattern of thematic alignment with Dragon Ransom, with both using anti-Israel or pro-Palestinian rhetoric in tandem. While there is no direct technical attribution linking B****** campaigns with Dragon’s codebase or tooling, the simultaneous promotion and thematic convergence suggest either collaboration or cross-actor sympathy.
The L****** Telegram channel, typically associated with broader ransomware discourse rather than direct endorsements, also shared Dragon-related propaganda during its active window. This included the Dragon Ransom builder screenshot, the ransomware note interface, and builder deployment images. Such postings often serve as indirect validations within the ransomware community and can be read as informal peer recognition or soft endorsement.
Interestingly, Dragon Ransom’s outreach was not restricted to ideological actors alone. Its presence in channels like R*********s suggests a hybrid promotional strategy: combining political alignment with practical criminal marketing. This aligns with the dual nature of Dragon Ransom’s public persona: hacktivist messaging combined with classic ransomware monetization.
By mapping out these affiliations, it becomes clear that Dragon Ransom’s rise was not organic or isolated. Instead, it was accelerated through an existing cybercriminal ecosystem, a network of actors and communities that amplified its visibility, validated its tactics, and possibly enabled its tooling and infrastructure. These alliances not only lent Dragon Ransom credibility among threat actors but also helped it rapidly gain operational reach in its early months.
Infrastructure Convergence: *******s and Dragon
Rather than operating in a vacuum, Dragon Ransom appears as a downstream product of the more established ransomware actor *******s, inheriting not just branding influence but also critical backend infrastructure, payment systems, and communication channels. This section maps how Dragon Ransom's operational footprint converges with *******s, revealing a dependent affiliate relationship nested within a broader cybercrime hierarchy.
The first signals of this convergence appeared during early profiling of Dragon Ransom’s now-deactivated Telegram channel @*************m. Through StealthMole’s Telegram Tracker, the group was found using the alias Dr********* | V****** **, a name that openly declared its Ransomware-as-a-Service positioning. Most notably, the channel shared a TOX ID:
- B0*********************************************************************1
Running this TOX ID through StealthMole’s darkweb tracker revealed that it was associated with *******s Chat, a highly active Telegram group operated by the *******s ransomware team. Inside that chat, a forwarded message from Dragon Ransom dated October 26, 2024, was located, demonstrating that *******s was actively promoting Dragon’s ransomware service around its initial launch.
Another compelling artifact was a *******s-branded video found in the same chat. The video featured Arabic-language text and visual instructions for ransom payment. Critically, it displayed the exact Bitcoin address later found in Dragon Ransom’s ransom note:
- 1DzX3w6Fb8yd78UMnWxfjnPQ14jWpEtVSA
The reuse of this wallet by two supposedly separate groups strongly indicated shared financial infrastructure, either through direct affiliation or through operational control by the same actor group. A reused payment address is a stronger signal than a shared handle or channel: whoever holds the private key for that address collects the ransom, so either the two brands draw on one treasury or one of them controls the other’s payments.
As the investigation deepened, further overlap surfaced through infrastructure pivots. Running Dragon Ransom aliases such as “DragonTeam” via StealthMole’s dark web monitoring surfaced a ransom note instructing victims to negotiate via @*******sBot. This bot, already associated with *******s’ previous campaigns (notably S*****y), became a central link between the two operations.
When interrogated, @*******sBot routed users to both @*************m and an affiliated toolkit channel called T** *******g, where phishing kits like Zphisher were being promoted for supposed educational purposes. This suggested a shared administrative backend or coordinated access model, rather than mere branding similarities.
From @*******sBot, a trail led to several other *******s-linked Telegram entities and email addresses:
- https://t.me/*******sS
- https://t.me/*******s_*******R
- *******ss@onionmail.org
- *******s@protonmail.com
- *******s.supp@onionmail.org
These accounts shared a second TOX ID:
- C2*******************************************************6
This TOX ID appeared across additional *******s materials and in the Telegram channel @f*********s, a hub representing the broader cybercrime syndicate responsible for managing actors like *******s, G******c, and T********c. Within this structure, *******s is the acknowledged operator of ransomware operations, having inherited infrastructure, buyers, and malware source code from G******c in mid-2024.
- https://t.me/f*********s
From this point onward, the actor ecosystem expanded significantly. *******s' official infrastructure, as declared in the f*** ******s posts, included:
- https://t.me/S***********e
- https://t.me/S*************r
- https://t.me/S******4
- Blog site: http://pd***********************************************qd.onion
- Onion: http://6s******************************************************qd.onion
While Dragon Ransom is never explicitly mentioned in f*** ******s communications, the overlap in *******s' tools, bots, wallets, and outreach channels strongly indicates that Dragon was operating under the *******s umbrella, a lower-tier affiliate or campaign brand maintained within *******s’ sphere of influence.
Among other affiliations, G******c and T******c (both known members of the f*** ******s alliance) were repeatedly referenced as collaborators. Evidence of operational overlap also emerged through shared credentials and compromised asset postings. One mention connected a leaked email (*******s@protonmail.com) to a C***********t document, suggesting deeper links or credential reuse across unrelated ecosystems, such as child exploitation moderation groups.
Language and cultural indicators are mixed. Dragon Ransom’s materials frequently used broken English with Russian linguistic elements, while *******s consistently communicated in Arabic across both textual and visual content, which argues against a single author behind both brands. The Arabic-language payment video, the ideological content shared in the chats, and the nature of the Telegram promotions nonetheless point to a shared hacktivist-aligned messaging strategy, with *******s likely playing the senior role in coordination.
In summary, Dragon Ransom’s presence is not just similar to *******s; it is fundamentally intertwined with it. From a shared Telegram bot and payment wallet to toolkit channels and ransom note templates, the technical artifacts point to a convergence of operations. Dragon Ransom is best understood not as a standalone threat actor but as a subdivision, campaign, or brand extension of *******s, leveraging the same ecosystem built and maintained under *******s’ operational control, within the larger f*** ******s cybercrime framework.
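The pivots described in this section and in the Telegram Ecosystem Presence section (one TOX ID recurring in two channels, one Bitcoin address in two groups’ materials, one negotiation bot named in ransom notes attributed to both) reduce to a single operation: extract the identifiers from each artifact, index them by the actor label that published them, and report every identifier seen under more than one label. The following Python is an added example of that overlap index. It is not StealthMole’s tooling, and every artifact, handle, address and actor label in it is constructed for the example. The Tox checksum check follows the toxcore address layout (32-byte public key, 4-byte nospam, 2-byte XOR checksum); the Bitcoin pattern covers legacy Base58 addresses only and does not verify the Base58Check checksum.

```python
"""Overlap index for actor attribution: pull reused identifiers (TOX IDs,
Bitcoin addresses, Telegram handles, e-mails, onion URLs) out of ransom notes,
channel bios and chat messages, then report every identifier seen under more
than one actor label.

Added example, not StealthMole tooling. All artifacts below are constructed.
"""
import re
from collections import defaultdict

TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
# Legacy Base58 (P2PKH / P2SH) addresses only; bech32 (bc1...) is not covered.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# t.me links or @handles; the lookbehind stops an e-mail domain reading as a handle.
TG_RE = re.compile(r"(?:https?://t\.me/|(?<![\w.])@)([A-Za-z0-9_]{5,32})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
ONION_RE = re.compile(r"\bhttps?://[a-z2-7]{16,56}\.onion\b")


def tox_checksum_ok(tox_id: str) -> bool:
    """Check a Tox address: 32-byte public key + 4-byte nospam + 2-byte
    checksum, the checksum being the XOR of the first 36 bytes taken two at a
    time (toxcore address layout). A wrong checksum means the ID was mistyped,
    truncated or redacted and cannot be used to reach the contact."""
    try:
        raw = bytes.fromhex(tox_id)
    except ValueError:
        return False
    if len(raw) != 38:
        return False
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]


def extract_iocs(text: str) -> set[str]:
    """Return type-prefixed, normalised identifiers found in one artifact."""
    iocs = set()
    for tox in TOX_RE.findall(text):
        prefix = "tox" if tox_checksum_ok(tox) else "tox?"  # flag unusable IDs
        iocs.add(f"{prefix}:{tox.upper()}")
    iocs.update(f"btc:{a}" for a in BTC_RE.findall(text))
    iocs.update(f"tg:@{h.lower()}" for h in TG_RE.findall(text))
    iocs.update(f"email:{e.lower()}" for e in EMAIL_RE.findall(text))
    iocs.update(f"onion:{u}" for u in ONION_RE.findall(text))
    return iocs


def shared_infrastructure(artifacts):
    """artifacts: iterable of (actor_label, source, text).
    Returns {identifier: sorted actor labels} for identifiers that appear
    under two or more distinct labels; single-actor identifiers are dropped."""
    seen = defaultdict(set)
    for actor, _source, text in artifacts:
        for ioc in extract_iocs(text):
            seen[ioc].add(actor)
    return {ioc: sorted(actors) for ioc, actors in seen.items() if len(actors) > 1}


# Constructed sample artifacts: two "brands" that turn out to share contacts.
TOX_ID = "B0112233" + "00" * 32 + "9222"        # valid checksum for this key/nospam
BTC_ADDR = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"  # format-plausible placeholder only
SAMPLE_ARTIFACTS = [
    ("brand_channel", "telegram profile bio",
     f"Brand RaaS | V2. Contact TOX: {TOX_ID}"),
    ("brand_channel", "ransom note",
     f"Your files are encrypted. Contact @UpstreamBot. Pay to {BTC_ADDR}."),
    ("upstream_chat", "telegram group message",
     f"forwarded from https://t.me/BrandRaaS -- TOX {TOX_ID.lower()} or @UpstreamBot"),
    ("upstream_chat", "payment video text",
     f"Send BTC to {BTC_ADDR}. Support: support@example.org "
     "Blog: http://brandleaksexampleonionsite234567.onion"),
]

if __name__ == "__main__":
    for ioc, actors in sorted(shared_infrastructure(SAMPLE_ARTIFACTS).items()):
        print(f"{ioc}  <- shared by {', '.join(actors)}")
```

An identifier that appears under two labels is a lead, not a conclusion: a Telegram bot can be rented out and a wallet can belong to a payment intermediary, so each overlap should be weighed by how hard that identifier is to share, with a payment address ranking above a handle or a channel link.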
Conclusion
Dragon Ransom entered the threat landscape not with groundbreaking tactics or unprecedented sophistication but with a strategically layered ecosystem and inherited infrastructure that gave it immediate operational credibility. Marketed as “Dr********* | V****** **,” the group’s Telegram-centric launch, ideological messaging, and defacement-heavy campaigns suggested a ransomware outfit eager to appear autonomous. However, sustained investigation using StealthMole’s threat intelligence platform revealed a different picture.
From shared bots and Bitcoin wallets, to identical ransom communication paths, and overlapping darkweb and Telegram assets, Dragon Ransom is best interpreted as a franchise or subdivision under the *******s brand, which itself operates as part of a wider ransomware cartel orchestrated by the so-called f*** ******s.
Unlike traditional RaaS collectives that operate on dedicated leak sites and market-facing blogs, Dragon Ransom’s lack of a permanent surface or darknet presence, and its complete reliance on Telegram for outreach, points toward a low-overhead, campaign-based deployment model. This makes it faster to spin up, easier to abandon, and more flexible for deniability and narrative manipulation. Its geopolitical posturing, especially in support of pro-Palestinian messaging, further blurs the lines between hacktivism and cybercrime, complicating attribution and response frameworks for defenders and analysts alike.
As ransomware operations increasingly shift toward modular, affiliate-driven structures, Dragon Ransom represents a critical evolution of this model: lean, ideological, and deeply integrated into existing threat actor hierarchies. While it may fade as a brand over time, its operational template will likely persist, rebranded and redeployed under future campaigns from the same actor clusters.
Editorial Note
As with all dark web investigations, cyber attribution remains probabilistic. Dragon Ransom’s blurred identity, operating under its own branding while quietly leaning on *******s infrastructure, highlights how ransomware groups increasingly use deception-by-design: shared wallets, recycled bots, and Telegram-based campaigns that dissolve as quickly as they emerge. Attribution in such cases relies not on a single point of evidence, but on patterns of reuse and infrastructural convergence across disconnected platforms.
This investigation was made possible by StealthMole’s ability to index and correlate data across active and defunct sources including deactivated Telegram channels, historical TOX IDs, and long-dormant ransom notes. These capabilities allowed fragmented data to be linked across space and time, surfacing the deeper affiliations behind what initially appeared to be a standalone actor. In the shifting ransomware landscape, such visibility is critical for exposing campaign-level deception and understanding how threat actor ecosystems evolve.
Contact us: support@stealthmole.com