DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists

    Date: 05/12/2025

    Severity: Critical

    Summary

    The DragonForce ransomware group has shifted its focus from politically motivated attacks to high-profile financial extortion campaigns, recently targeting UK retailers like Harrods, Marks and Spencer, and the Co-Op, causing significant disruptions to critical operations like payment systems and inventory management. This marks an evolution from their previous high-profile targets, including government institutions, commercial enterprises, and organizations in countries like Israel, India, and Saudi Arabia. Known for heavily targeting law firms and medical practices, DragonForce’s tactics have become more financially driven, with a broad range of victims spanning multiple sectors and geographies. This post explores the group's evolution, attack methods, and the rising threat they pose to both retail and critical infrastructure.

    The term "Scattered Spider" refers to the hacking group suspected of carrying out the April 2025 cyberattack on Marks & Spencer (M&S). The group is associated with deploying DragonForce ransomware, which encrypted M&S systems and led to major disruptions across both online and physical store operations.

    Indicators of Compromise (IOC) List

    URL/Domains

    3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

    Ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad.onion

    Kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion

    Rnc6scfbqslz5aqxfg5hrjel5qomxsclltc6jvhahi6qwt7op5qc7iad.onion

    rrrbay3nf4c2wxmhprc6eotjlpqkeowfuobodic4x4nzqtosx3ebirid.onion

    rrrbayguhgtgxrdg5myxkdc2cxei25u6brknfqkl3a35nse7f2arblyd.onion

    rrrbaygxp3f2qtgvfqk6ffhdrm24ucxvbr6mhxsga4faefqyd77w7tqd.onion

    Z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

    Hash (SHA-1)

    343220b0e37841dc002407860057eb10dbeea94d

    ae2967d021890a6a2a8c403a569b9e6d56e03abd

    c98e394a3e33c616d251d426fc986229ede57b0f

    f710573c1d18355ecdf3131aa69a6dfe8e674758

    011894f40bab6963133d46a1976fa587a4b66378

    0b22b6e5269ec241b82450a7e65009685a3010fb

    196c08fbab4119d75afb209a05999ce269ffe3cf

    1f5ae3b51b2dbf9419f4b7d51725a49023abc81c

    229e073dbcbb72bdfee2c244e5d066ad949d2582

    29baab2551064fa30fb18955ccc8f332bd68ddd4

    577b110a8bfa6526b21bb728e14bd6494dc67f71

    7db52047c72529d27a39f2e1a9ffb8f1f0ddc774

    81185dd73f2e042a947a1bf77f429de08778b6e9

    a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9

    b3e0785dbe60369634ac6a6b5d241849c1f929de

    b571e60a6d2d9ab78da1c14327c0d26f34117daa

    bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c

    e164bbaf848fa5d46fa42f62402a1c55330ef562

    e1c0482b43fe57c93535119d085596cd2d90560a

    eada05f4bfd4876c57c24cd4b41f7a40ea97274c

    fc75a3800d8c2fa49b27b632dc9d7fb611b65201

    Social Media

    1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20

    258C79F73CCC1E56863030CD02C2C7C4347F80CAD43DD6A5B219A618FD17853C7BB1029DAE31

    Scattered Spider IOCs

    7-eleven-hr.com

    activecampiagn.net

    acwa-apple.com

    bbtplus.com

    bell-hr.com

    bestbuy-cdn.com

    birdsso.com

    citrix-okta.com

    commonspiritcorp-okta.com

    consensys-okta.com

    corp-hubspot.com

    cts-comcast.com

    doordash-support.com

    duelbits-cdn.com

    freshworks-hr.com  

    gemini-sso.com

    gucci-cdn.com

    itbit-okta.com

    iyft.net

    klaviyo-hr.com      

    login.freshworks-hr.com

    login.hr-intercom.com

    morningstar-okta.com

    mytsl.net

    okta-ziffdavis.com

    pfchangs-support.com

    prntsrc.net

    pure-okta.com

    signin-nydig.com

    simpletexting-cdn.com

    squarespacehr.com

    sytemstern.net

    sso-instacart.com

    sts-vodafone.com

    twitter-okta.com

    xn--gryscale-ox0d.com

    x-sso.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1

    domainname like "Ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad.onion" or siteurl like "Ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad.onion" or url like "Ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad.onion" or domainname like "Z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion" or siteurl like "Z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion" or url like "Z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion" or domainname like "Kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion" or siteurl like "Kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion" or url like "Kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion" or domainname like "3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion" or siteurl like "3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion" or url like "3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion" or domainname like "Rnc6scfbqslz5aqxfg5hrjel5qomxsclltc6jvhahi6qwt7op5qc7iad.onion" or siteurl like "Rnc6scfbqslz5aqxfg5hrjel5qomxsclltc6jvhahi6qwt7op5qc7iad.onion" or url like "Rnc6scfbqslz5aqxfg5hrjel5qomxsclltc6jvhahi6qwt7op5qc7iad.onion" or domainname like "rrrbay3nf4c2wxmhprc6eotjlpqkeowfuobodic4x4nzqtosx3ebirid.onion" or siteurl like "rrrbay3nf4c2wxmhprc6eotjlpqkeowfuobodic4x4nzqtosx3ebirid.onion" or url like "rrrbay3nf4c2wxmhprc6eotjlpqkeowfuobodic4x4nzqtosx3ebirid.onion" or domainname like "rrrbayguhgtgxrdg5myxkdc2cxei25u6brknfqkl3a35nse7f2arblyd.onion" or siteurl like "rrrbayguhgtgxrdg5myxkdc2cxei25u6brknfqkl3a35nse7f2arblyd.onion" or url like "rrrbayguhgtgxrdg5myxkdc2cxei25u6brknfqkl3a35nse7f2arblyd.onion" or domainname like "rrrbaygxp3f2qtgvfqk6ffhdrm24ucxvbr6mhxsga4faefqyd77w7tqd.onion" or siteurl like "rrrbaygxp3f2qtgvfqk6ffhdrm24ucxvbr6mhxsga4faefqyd77w7tqd.onion" or url like "rrrbaygxp3f2qtgvfqk6ffhdrm24ucxvbr6mhxsga4faefqyd77w7tqd.onion"

    Detection Query 2

    hash IN ("81185dd73f2e042a947a1bf77f429de08778b6e9","7db52047c72529d27a39f2e1a9ffb8f1f0ddc774","b3e0785dbe60369634ac6a6b5d241849c1f929de","f710573c1d18355ecdf3131aa69a6dfe8e674758","eada05f4bfd4876c57c24cd4b41f7a40ea97274c","1f5ae3b51b2dbf9419f4b7d51725a49023abc81c","c98e394a3e33c616d251d426fc986229ede57b0f","229e073dbcbb72bdfee2c244e5d066ad949d2582","fc75a3800d8c2fa49b27b632dc9d7fb611b65201","e1c0482b43fe57c93535119d085596cd2d90560a","196c08fbab4119d75afb209a05999ce269ffe3cf","a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9","343220b0e37841dc002407860057eb10dbeea94d","e164bbaf848fa5d46fa42f62402a1c55330ef562","0b22b6e5269ec241b82450a7e65009685a3010fb","ae2967d021890a6a2a8c403a569b9e6d56e03abd","011894f40bab6963133d46a1976fa587a4b66378","29baab2551064fa30fb18955ccc8f332bd68ddd4","577b110a8bfa6526b21bb728e14bd6494dc67f71","b571e60a6d2d9ab78da1c14327c0d26f34117daa","bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c")

    Detection Query 3

    domainname like "7-eleven-hr.com" or siteurl like "7-eleven-hr.com" or url like "7-eleven-hr.com" or domainname like "activecampiagn.net" or siteurl like "activecampiagn.net" or url like "activecampiagn.net" or domainname like "acwa-apple.com" or siteurl like "acwa-apple.com" or url like "acwa-apple.com" or domainname like "bbtplus.com" or siteurl like "bbtplus.com" or url like "bbtplus.com" or domainname like "bell-hr.com" or siteurl like "bell-hr.com" or url like "bell-hr.com" or domainname like "bestbuy-cdn.com" or siteurl like "bestbuy-cdn.com" or url like "bestbuy-cdn.com" or domainname like "birdsso.com" or siteurl like "birdsso.com" or url like "birdsso.com" or domainname like "citrix-okta.com" or siteurl like "citrix-okta.com" or url like "citrix-okta.com" or domainname like "commonspiritcorp-okta.com" or siteurl like "commonspiritcorp-okta.com" or url like "commonspiritcorp-okta.com" or domainname like "consensys-okta.com" or siteurl like "consensys-okta.com" or url like "consensys-okta.com" or domainname like "corp-hubspot.com" or siteurl like "corp-hubspot.com" or url like "corp-hubspot.com" or domainname like "cts-comcast.com" or siteurl like "cts-comcast.com" or url like "cts-comcast.com" or domainname like "doordash-support.com" or siteurl like "doordash-support.com" or url like "doordash-support.com" or domainname like "duelbits-cdn.com" or siteurl like "duelbits-cdn.com" or url like "duelbits-cdn.com" or domainname like "freshworks-hr.com" or siteurl like "freshworks-hr.com" or url like "freshworks-hr.com" or domainname like "gemini-sso.com" or url like "gemini-sso.com" or siteurl like "gemini-sso.com" or domainname like "gucci-cdn.com" or url like "gucci-cdn.com" or siteurl like "gucci-cdn.com" or domainname like "itbit-okta.com" or url like "itbit-okta.com" or siteurl like "itbit-okta.com" or domainname like "iyft.net" or url like "iyft.net" or siteurl like "iyft.net" or domainname like "klaviyo-hr.com" or url like "klaviyo-hr.com" or siteurl like "klaviyo-hr.com" or domainname like "login.freshworks-hr.com" or url like "login.freshworks-hr.com" or siteurl like "login.freshworks-hr.com" or domainname like "login.hr-intercom.com" or url like "login.hr-intercom.com" or siteurl like "login.hr-intercom.com" or domainname like "morningstar-okta.com" or url like "morningstar-okta.com" or siteurl like "morningstar-okta.com" or domainname like "mytsl.net" or url like "mytsl.net" or siteurl like "mytsl.net" or domainname like "okta-ziffdavis.com" or url like "okta-ziffdavis.com" or siteurl like "okta-ziffdavis.com" or domainname like "pfchangs-support.com" or url like "pfchangs-support.com" or siteurl like "pfchangs-support.com" or domainname like "prntsrc.net" or url like "prntsrc.net" or siteurl like "prntsrc.net" or domainname like "pure-okta.com" or url like "pure-okta.com" or siteurl like "pure-okta.com" or domainname like "signin-nydig.com" or url like "signin-nydig.com" or siteurl like "signin-nydig.com" or domainname like "simpletexting-cdn.com" or url like "simpletexting-cdn.com" or siteurl like "simpletexting-cdn.com" or domainname like "squarespacehr.com" or url like "squarespacehr.com" or siteurl like "squarespacehr.com" or domainname like "sytemstern.net" or url like "sytemstern.net" or siteurl like "sytemstern.net" or domainname like "sso-instacart.com" or url like "sso-instacart.com" or siteurl like "sso-instacart.com" or domainname like "sts-vodafone.com" or url like "sts-vodafone.com" or siteurl like "sts-vodafone.com" or domainname like "twitter-okta.com" or url like "twitter-okta.com" or siteurl like "twitter-okta.com" or domainname like "xn--gryscale-ox0d.com" or url like "xn--gryscale-ox0d.com" or siteurl like "xn--gryscale-ox0d.com" or domainname like "x-sso.com" or url like "x-sso.com" or siteurl like "x-sso.com"
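    The three queries above are written for the Gurucul TDIR query language. As an added example that is not part of the advisory or of Gurucul's product, the Python script below applies the same indicator sets to log lines offline, so the matching logic can be checked before it is deployed. The IOC values are copied from the lists above; the log lines, the "ts key=value ..." format, and the category names are constructed for this example. Two design choices a practitioner usually wants are made explicit: every hostname and hash is folded to lowercase (several .onion entries on the page carry a leading capital letter, and Tor treats onion names case-insensitively, so a case-sensitive comparison would miss them), and domain matching is done on label boundaries, so a subdomain of a listed domain is a hit while an unrelated domain that merely contains a listed name as a substring is not. Whether the page's `like` operator is case-sensitive or substring-based is not stated on the page, so the script makes no claim about it.

```python
"""Match the advisory's DragonForce / Scattered Spider IOCs against log lines.

Added example, not Gurucul code. IOC values come from the advisory; the log
lines at the bottom and the 'ts key=value ...' format are constructed here.
"""
from urllib.parse import urlsplit

# DragonForce .onion addresses listed in the advisory. Tor treats onion names
# case-insensitively, so they are folded to lowercase before use.
DRAGONFORCE_ONIONS = {d.lower() for d in (
    "3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion",
    "Ijbw7iiyodqzpg6ooewbgn6mv2pinoer3k5pzdecoejsw5nyoe73zvad.onion",
    "Kfgjwkho24xiwckcf53x7qyruobbkhx4eqn2c6oe4hprbn23rcp6qcqd.onion",
    "Rnc6scfbqslz5aqxfg5hrjel5qomxsclltc6jvhahi6qwt7op5qc7iad.onion",
    "rrrbay3nf4c2wxmhprc6eotjlpqkeowfuobodic4x4nzqtosx3ebirid.onion",
    "rrrbayguhgtgxrdg5myxkdc2cxei25u6brknfqkl3a35nse7f2arblyd.onion",
    "rrrbaygxp3f2qtgvfqk6ffhdrm24ucxvbr6mhxsga4faefqyd77w7tqd.onion",
    "Z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion",
)}

# Scattered Spider phishing / SSO look-alike domains listed in the advisory.
SCATTERED_SPIDER_DOMAINS = {
    "7-eleven-hr.com", "activecampiagn.net", "acwa-apple.com", "bbtplus.com",
    "bell-hr.com", "bestbuy-cdn.com", "birdsso.com", "citrix-okta.com",
    "commonspiritcorp-okta.com", "consensys-okta.com", "corp-hubspot.com",
    "cts-comcast.com", "doordash-support.com", "duelbits-cdn.com",
    "freshworks-hr.com", "gemini-sso.com", "gucci-cdn.com", "itbit-okta.com",
    "iyft.net", "klaviyo-hr.com", "login.freshworks-hr.com",
    "login.hr-intercom.com", "morningstar-okta.com", "mytsl.net",
    "okta-ziffdavis.com", "pfchangs-support.com", "prntsrc.net", "pure-okta.com",
    "signin-nydig.com", "simpletexting-cdn.com", "squarespacehr.com",
    "sytemstern.net", "sso-instacart.com", "sts-vodafone.com", "twitter-okta.com",
    "xn--gryscale-ox0d.com", "x-sso.com",
}

# DragonForce sample SHA-1 hashes listed in the advisory (lowercase hex).
DRAGONFORCE_SHA1 = {
    "343220b0e37841dc002407860057eb10dbeea94d", "ae2967d021890a6a2a8c403a569b9e6d56e03abd",
    "c98e394a3e33c616d251d426fc986229ede57b0f", "f710573c1d18355ecdf3131aa69a6dfe8e674758",
    "011894f40bab6963133d46a1976fa587a4b66378", "0b22b6e5269ec241b82450a7e65009685a3010fb",
    "196c08fbab4119d75afb209a05999ce269ffe3cf", "1f5ae3b51b2dbf9419f4b7d51725a49023abc81c",
    "229e073dbcbb72bdfee2c244e5d066ad949d2582", "29baab2551064fa30fb18955ccc8f332bd68ddd4",
    "577b110a8bfa6526b21bb728e14bd6494dc67f71", "7db52047c72529d27a39f2e1a9ffb8f1f0ddc774",
    "81185dd73f2e042a947a1bf77f429de08778b6e9", "a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9",
    "b3e0785dbe60369634ac6a6b5d241849c1f929de", "b571e60a6d2d9ab78da1c14327c0d26f34117daa",
    "bcfac98117d9a52a3196a7bd041b49d5ff0cfb8c", "e164bbaf848fa5d46fa42f62402a1c55330ef562",
    "e1c0482b43fe57c93535119d085596cd2d90560a", "eada05f4bfd4876c57c24cd4b41f7a40ea97274c",
    "fc75a3800d8c2fa49b27b632dc9d7fb611b65201",
}


def domain_matches(hostname, iocs):
    """True when hostname is a listed domain or a subdomain of one.

    Matching walks up the label hierarchy (a.b.c.com -> b.c.com -> c.com -> com),
    so 'cdn.bbtplus.com' hits 'bbtplus.com' but 'notbbtplus.com' does not.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def parse_line(line):
    """Split a constructed 'ts key=value ...' log line into (ts, fields)."""
    ts, *rest = line.split()
    return ts, dict(kv.split("=", 1) for kv in rest if "=" in kv)


def scan_logs(lines):
    """Return (timestamp, category, indicator) for every line that hits an IOC."""
    hits = []
    for line in lines:
        ts, f = parse_line(line)
        # Prefer an explicit host field; otherwise take the host out of the URL.
        host = f.get("host") or urlsplit(f.get("url", "")).hostname
        if host and domain_matches(host, DRAGONFORCE_ONIONS):
            hits.append((ts, "dragonforce-onion", host.lower()))
        elif host and domain_matches(host, SCATTERED_SPIDER_DOMAINS):
            hits.append((ts, "scattered-spider-domain", host.lower()))
        sha1 = f.get("sha1", "").lower()
        if sha1 in DRAGONFORCE_SHA1:
            hits.append((ts, "dragonforce-sha1", sha1))
    return hits


# Constructed sample telemetry (proxy and file-hash events), not real logs.
SAMPLE_LOGS = [
    "2025-05-12T10:01:02Z src=10.0.0.5 host=login.freshworks-hr.com url=https://login.freshworks-hr.com/",
    "2025-05-12T10:02:10Z src=10.0.0.6 host=cdn.bbtplus.com",
    "2025-05-12T10:02:30Z src=10.0.0.6 host=notbbtplus.com",
    "2025-05-12T10:03:00Z src=10.0.0.7 url=http://Z3WQGGTXFT7ID3IBR7SRIVV5GJOF5FWG76SLEWNZWWAKJUF3NLHUKDID.onion/",
    "2025-05-12T10:05:00Z src=10.0.0.9 sha1=81185DD73F2E042A947A1BF77F429DE08778B6E9 file=update.exe",
    "2025-05-12T10:06:00Z src=10.0.0.9 host=www.example.com",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(*hit)
```

    Run against the sample lines, the script reports four hits: the two Scattered Spider look-alike domains (one an exact entry, one a subdomain of an entry), the upper-cased .onion address, and the upper-cased SHA-1; the `notbbtplus.com` line is correctly left alone. Pointing `scan_logs` at real proxy or EDR exports only requires adapting `parse_line` to that format.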

    References:

    https://www.sentinelone.com/blog/dragonforce-ransomware-gang-from-hacktivists-to-high-street-extortionists/

    https://www.silentpush.com/blog/scattered-spider-2025/#h-scattered-spider-sample-indicators-of-future-attack-tm-iofa-list


    Tags

    Malware, Ransomware, DragonForce, Harrods, Marks and Spencer, Retail, United Kingdom, Israel, India, Scattered Spider, Saudi Arabia
