Inside DragonForce, the Group Tied to M&S, Co-op and Harrods Hacks



Anonymous individuals identifying as members of the DragonForce cybercriminal syndicate have claimed to be behind the cyber-attacks on Marks & Spencer, Co-op and Harrods.

They contacted several media outlets, including the BBC and Bloomberg, with evidence that they had infiltrated the three UK retailers’ IT networks and stolen large amounts of customer and employee data.

Notably, they told BBC News that the Co-op breach was more extensive than Co-op had previously admitted.

Reporting by BleepingComputer on the Marks & Spencer hack suggested that while the intruders used the DragonForce encryptor on M&S’s VMware ESXi hosts to encrypt virtual machines, they are likely associated with Scattered Spider.

This conclusion reportedly comes from an investigation requested by M&S and conducted by CrowdStrike, Microsoft and Fenix24.

Credit: William Barton/Shutterstock

DragonForce, Scattered Spider or Both

DragonForce originated as a pro-Palestine hacktivist group allegedly based in Malaysia (under the name DragonForce Malaysia) that has been active since August 2023.

It is understood to be behind a number of notable cyber-attacks in the Asia-Pacific region and the US, including on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery and Yakult Australia.

The group is believed to have shifted goals and expanded to ransomware operations. Previous DragonForce operators seemed to be non-native English speakers.

Scattered Spider, tracked as Octo Tempest by Microsoft and UNC3944 by Google Cloud, is a financially motivated threat group active since May 2022.

Primarily native English speakers, likely including some teenagers based in the UK or the US, Scattered Spider members are affiliated with the cybercriminal collective ‘The Com.’

The group is associated with the 2023 hacks of Caesars Entertainment and MGM Resorts International, two of the largest casino chains in the world.


In a May 2 report, SentinelOne researchers declined to officially attribute the three UK retailer hacks to Scattered Spider, despite the attackers “exhibit[ing] behavioral and operational characteristics consistent with those previously associated with The Com.”

Equally cautious, researchers at Google Threat Intelligence Group (GTIG) said in a May 6 report they have not independently confirmed the involvement of Scattered Spider or the DragonForce ransomware group in those hacks.

However, they noted that DragonForce’s operators recently claimed to have taken over the tooling of RansomHub, a ransomware-as-a-service (RaaS) operation whose tools Scattered Spider members used in the past, after it ceased operations in March.

The GTIG researchers also said the hacks against M&S, Co-op and Harrods were consistent with Scattered Spider targeting, which typically consists of waves of attacks on prominent brands in specific sectors to gain media attention before shifting to other targets.

The group operated this way against Caesars and MGM in mid-2023, financial services in late 2023 and food services in May 2024.

Finally, GTIG noted that retail organizations have increasingly appeared on tracked data-leak sites used by extortion actors, mirroring the activities of affiliates such as Scattered Spider.

These elements suggest that one or several members of the Scattered Spider group worked as DragonForce affiliates in the UK retail hack wave.

Credit: Richard M Lee/Shutterstock

Understanding DragonForce

DragonForce Operators’ Modus Operandi

According to SentinelOne, DragonForce operators typically combine phishing emails carrying malicious links or attachments and probing for unpatched vulnerabilities in internet-facing services.

Over the past years, they’ve exploited critical flaws such as Log4Shell in Apache Log4j2 and multiple bugs in Ivanti Connect Secure and have repeatedly tried credential stuffing against Remote Desktop Protocol (RDP) and virtual private network (VPN) portals using leaked username-password pairs.

This combination of social engineering, software exploits and brute-force credential attacks helps them slip past perimeter defenses and gain that all-important initial foothold.
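The credential-stuffing step above leaves a distinctive trace in Windows Security logs: one source address failing RDP logons against many different accounts, each only a few times, which is the opposite shape of a classic single-account brute force. The detector below is an added example written for this article (not code from SentinelOne or any of the vendors named); the `key=value` event lines, the 10-minute window and the five-account threshold are all constructed or assumed.

```python
"""Flag RDP credential stuffing in Windows 4625 (failed logon) events.
Unlike a brute force against one account, stuffing tries many distinct usernames
from one source, each a few times, using leaked username-password pairs. We alert
when one source fails against MIN_USERS distinct accounts inside a sliding WINDOW."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window (assumed tuning value)
MIN_USERS = 5                    # distinct accounts per source (assumed tuning value)

# Constructed sample: 203.0.113.7 sprays several accounts; 198.51.100.9 hammers one.
SAMPLE_LOG = """\
Time=2025-04-20T01:40:00 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=old1
Time=2025-04-20T02:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=jsmith
Time=2025-04-20T02:00:04 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=akhan
Time=2025-04-20T02:00:09 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=mlee
Time=2025-04-20T02:00:15 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=pwalsh
Time=2025-04-20T02:00:21 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=dgreen
Time=2025-04-20T02:00:27 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=rpatel
Time=2025-04-20T02:01:00 EventID=4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=bob
Time=2025-04-20T02:01:30 EventID=4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=bob
Time=2025-04-20T02:02:00 EventID=4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=bob
"""

def parse_event(line):
    """Parse one key=value record; None unless it is a failed (4625) RDP (LogonType 10) logon."""
    f = dict(kv.split("=", 1) for kv in line.split())
    if f.get("EventID") != "4625" or f.get("LogonType") != "10":
        return None
    return {"ts": datetime.fromisoformat(f["Time"]), "src": f["IpAddress"], "user": f["TargetUserName"].lower()}

def detect_stuffing(lines, window=WINDOW, min_users=MIN_USERS):
    """Return [(source_ip, distinct_users, window_start, alert_time)] per offending source."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> (ts, user) pairs still inside the window
    alerts, alerted = [], set()
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:   # evict events older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], len(users), q[0][0], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for src, n, start, end in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(f"possible credential stuffing from {src}: {n} accounts, {start} to {end}")
```

The single-account source (198.51.100.9) is deliberately not flagged here; it belongs to a separate lockout or brute-force rule, which keeps this detection tuned to the leaked-credential-pair pattern the article describes.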

Once inside, the operators waste little time dropping commercial red-team frameworks like Cobalt Strike to establish command-and-control (C2) channels and load further implants.

They often install the SystemBC backdoor, which creates a SOCKS5 proxy tunnel back to their servers, ensuring access even if defenders patch the first weakness. With these tools in place, DragonForce operators can quietly maintain a persistent presence, pivoting as needed even if part of their infrastructure is disrupted.

With a foothold secured, DragonForce operators turn to living-off-the-land (LOTL) tactics to map and move through the network.

Built-in Windows utilities such as PowerShell and WMI are used alongside scanners like Advanced IP Scanner and PingCastle. They run credential-dumping tools like Mimikatz to harvest high-privilege account details, then leverage remote management features or third-party admin tools to hop from server to server, elevating their reach and permissions with each step.

Before hitting targets with ransomware, the attackers siphon off valuable files using both legitimate cloud services like MEGA and simple protocols such as WebDAV or SFTP to upload stolen data to attacker-controlled endpoints.

This stolen data often serves as extra leverage during ransom negotiations, with the threat of public leaks adding pressure on victims to pay quickly.

When it’s time to deploy the final payloads, DragonForce affiliates log into a bespoke affiliate panel that lets them build custom ransomware binaries for Windows, Linux, ESXi hosts or NAS devices.

They choose encryption methods (traditional AES/RSA or faster ChaCha8 variants), specify file-search paths and naming conventions, set execution delays or thread counts and even define exclusion lists to avoid critical system files.

Once configured, the ransomware is unleashed across the environment, encrypting data, dropping ransom notes and registering persistence mechanisms to survive reboots.

Credit: Luthfi Syahwal/Shutterstock

DragonForce’s Ambition: Creating a Ransomware Cartel

Since its expansion into ransomware, DragonForce affiliates have shown a high level of flexibility and versatility, constantly adapting to new developments in the cybercrime landscape.

In April 2024, threat actors associated with DragonForce were observed using a ransomware binary based on a leaked builder of LockBit Black ransomware, also known as LockBit 3.0.

In March 2025, the group also claimed to have taken over RansomHub’s RaaS tooling after that group ceased its operations.

Earlier in 2025, DragonForce took its model further by launching “RansomBay,” a white-label service that lets affiliates rebrand the ransomware under a different name.

Affiliates pay a 20% cut of any ransom haul and keep the rest, while DragonForce handles the underlying infrastructure, technical support and leak-site hosting.

This shift toward a ransomware cartel model underscores their ambition to build a scalable ecosystem, where enterprising attackers can mount seemingly unique campaigns while leaning on DragonForce’s code, servers and brand-boosting media exposure.

This type of new ransomware business model is a development that some cyber threat intelligence experts had anticipated. In a recent Infosecurity webinar, Tammy Harper, Senior Threat Intelligence Researcher at Flare, said she expects to see more ‘ransomware cartels’ emerge in the near future.

“With all the uncertainty around ransomware, especially due to law enforcement operations shutting down established groups, there is a need for a group providing this cartel model, which could also be called ‘ransomware-as-a-service-as-a-service,’” Harper explained.
