
DragonForce ransomware expands operations with Scattered Spider alliance in 2025
In 2025, the DragonForce ransomware group has significantly expanded its operational capabilities through a strategic collaboration with Scattered Spider, an English-speaking threat actor known for advanced social engineering and initial access techniques. According to Acronis research detailed in a BleepingComputer report, this partnership enables coordinated, multi-stage intrusions into critical environments.

The attack chain typically begins with targeted phishing campaigns leveraging Scattered Spider's expertise in social engineering, followed by exploitation of unpatched vulnerabilities such as ProxyShell and Log4j. Notably, the threat actors employ living-off-the-land techniques, abusing legitimate tools like PowerShell and PsExec for lateral movement, thereby evading traditional detection mechanisms. The final payload involves data encryption and double extortion tactics.

This collaboration underscores a concerning trend in ransomware operations: the specialization and modularization of attack components. For cybersecurity professionals, this development necessitates reinforced patch management protocols, enhanced employee training against sophisticated phishing attempts, and improved monitoring for abuse of legitimate administrative tools. The lack of specified geographic or sector targeting in the report suggests a broad threat landscape, though the focus on "major infrastructure" may indicate heightened risk for critical sectors. Organizations should prioritize defense-in-depth strategies and incident response preparedness for multi-stage attacks.
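One way to implement the monitoring for abuse of PsExec and PowerShell recommended above, as an added example that is not taken from the Acronis research or the BleepingComputer report: it flags installation of PsExec's default `PSEXESVC` service (event 7045), processes spawned by that service (event 4688), encoded PowerShell command lines, and a single account pushing the service to several hosts. The JSON field layout, host names, accounts, time window and fan-out threshold are constructed assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified JSON export of Windows events (field layout is an assumption).
# 7045 = service installed (System log); 4688 = process created (Security log).
SAMPLE_LOG = r"""
{"ts":"2025-03-01T02:10:05","host":"FS01","id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe","User":"CORP\\svc-backup"}
{"ts":"2025-03-01T02:10:07","host":"FS01","id":4688,"ParentProcessName":"C:\\Windows\\PSEXESVC.exe","CommandLine":"powershell.exe -NoP -W Hidden -enc <constructed-base64>"}
{"ts":"2025-03-01T02:11:30","host":"DB02","id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe","User":"CORP\\svc-backup"}
{"ts":"2025-03-01T02:11:31","host":"DB02","id":4688,"ParentProcessName":"C:\\Windows\\PSEXESVC.exe","CommandLine":"cmd.exe /c hostname"}
{"ts":"2025-03-01T09:00:00","host":"WS17","id":4688,"ParentProcessName":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"ts":"2025-03-01T09:05:00","host":"APP03","id":7045,"ServiceName":"PrintQueueHelper","ImagePath":"C:\\Program Files\\PQH\\pqh.exe","User":"CORP\\it-admin"}
"""

def is_encoded_ps(cmdline):
    """True if a PowerShell command line uses -EncodedCommand, any prefix of it, or the -ec alias."""
    if "powershell" not in cmdline.lower():
        return False
    flags = re.findall(r"(?:^|\s)[-/]([A-Za-z]+)", cmdline)
    return any(f.lower() == "ec" or "encodedcommand".startswith(f.lower()) for f in flags)

def detect(log_text, window=timedelta(minutes=5), fanout=2):
    """Return (rule, subject) alerts; assumes events arrive in time order."""
    installs, by_user, alerts = {}, defaultdict(set), []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 7045 and "psexesvc" in (ev["ServiceName"] + ev["ImagePath"]).lower():
            installs[ev["host"]] = ts  # remember when the service appeared on this host
            by_user[ev["User"]].add(ev["host"])
            alerts.append(("psexec_service_install", ev["host"]))
        elif ev["id"] == 4688:
            parent = ev.get("ParentProcessName", "").lower()
            seen = installs.get(ev["host"])
            if parent.endswith("psexesvc.exe") and seen and timedelta(0) <= ts - seen <= window:
                alerts.append(("psexec_remote_exec", ev["host"]))
            if is_encoded_ps(ev.get("CommandLine", "")):
                alerts.append(("encoded_powershell", ev["host"]))
    # One account installing the service on several hosts suggests staged lateral movement.
    for user, hosts in by_user.items():
        if len(hosts) >= fanout:
            alerts.append(("psexec_fanout", user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Event 4688 carries a command line only when command-line auditing for process creation is enabled, so the encoded-PowerShell rule depends on that policy being set.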