Threat Actor Profile
Critical
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (5)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': None,
'firstseen': '2022-10-20T21:51:27.146973+00:00',
'group': 'dragonforce',
'has_negotiations': True,
'has_ransomnote': True,
'lastseen': '2026-04-27T16:20:14.224783+00:00',
'locations': [{'available': True,
'fqdn': 'z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion',
'slug': 'http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog',
'title': 'DragonForce | Blog',
'type': 'DLS'},
{'available': True,
'fqdn': 'dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion',
'slug': 'http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion',
'title': 'DragonForce | Leaks',
'type': 'Files'},
{'available': True,
'fqdn': '3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion',
'slug': 'http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion',
'title': 'DragonForce | Recovery',
'type': 'DLS'}],
'negotiation_count': 17,
'ransomnotes_count': 2,
'tiaras_metadata': {'has_negotiations': True,
'has_ransomnote': True,
'locations': [{'available': True,
'fqdn': 'z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion',
'slug': 'http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog',
'title': 'DragonForce | Blog',
'type': 'DLS'},
{'available': True,
'fqdn': 'dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion',
'slug': 'http://dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion',
'title': 'DragonForce | Leaks',
'type': 'Files'},
{'available': True,
'fqdn': '3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion',
'slug': 'http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion',
'title': 'DragonForce | Recovery',
'type': 'DLS'}],
'negotiation_count': 17,
'ransomnotes_count': 2,
'ransomware_live_group': 'dragonforce',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': [],
'DiscoveryEnum': ['Advanced IP Scanner',
'PingCastle',
'SoftPerfect NetScan'],
'Exfiltration': [],
'LOLBAS': [],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
'url': 'https://www.ransomware.live/group/dragonforce',
'victims': 505,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': [],
'DiscoveryEnum': ['Advanced IP Scanner',
'PingCastle',
'SoftPerfect NetScan'],
'Exfiltration': [],
'LOLBAS': [],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
'ttps': [{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Executes a malicious file on '
"the victim's system.",
'technique_id': 'T1204.002',
'technique_name': 'User Execution'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Disables Windows Defender (if '
'it is running).',
'technique_id': 'T1562.001',
'technique_name': 'Impair Defenses: Disable or '
'Modify Tools'},
{'technique_details': 'The ransomware self-deletes '
'after execution.',
'technique_id': 'T1070.004',
'technique_name': 'Indicator Removal: File '
'Deletion'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'The ransomware enumerates '
'directories to encrypt files.',
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'The ransomware uses data '
'encryption to extort the '
'victim.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]}],
'url': 'https://www.ransomware.live/group/dragonforce',
'victims': 505,
'vulnerabilities': []}