- What: The DragonForce group, originally a politically motivated cyber group, has transitioned to financially driven ransomware operations.
- Impact: The group targets Israeli entities and global organizations, employing a structured extortion model with a Dark Web leak site.
- Actor: DragonForce
- Based on: LockBit builder from 2022

Key Findings

- DragonForce has transformed from a politically motivated cyber group into a financially driven ransomware operation. Originally associated with pro-Palestinian cyber activities, the group has broadened its focus beyond hacktivism to include ransomware, data leaks, and financial extortion in its strategy. Their current operations target Israeli entities as well as global organizations.
- The group employs a structured extortion model that utilizes a maintained Dark Web leak site. They publicly display victim data, ransom negotiations, and countdown timers, which creates a fear-driven incentive for the victims to pay. Their infrastructure includes Tor-based communication channels, encrypted messaging (using Tox), and automated ransom-tracking systems.
- DragonForce Ransomware is based on the LockBit builder from 2022, utilizing similar configurations and attack methods. The ransomware’s icon and wallpaper are embedded in the binary’s overlay, compressed with Zlib, and loaded dynamically during execution. This technique enables stealthy deployment and helps evade static detection, supporting the idea that DragonForce has repurposed the leaked tools from LockBit for its own operations.
- DragonForce employs double extortion tactics to exert maximum pressure on its victims. The ransom note is carefully structured, threatening both the encryption of data and public exposure, stating that stolen files will be leaked if the ransom is not paid. Additionally, the malware’s automated extortion framework enhances its effectiveness in high-profile attacks, positioning DragonForce as a significant ransomware threat in 2025.

Evolution of Cyber Threat Groups

In recent years, there has been a notable increase in cyberattacks around the globe. Organized threat groups, often motivated by political ideologies or financial gain, have intensified their activities, targeting critical infrastructure, government institutions, and private organizations.
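
An added example, not taken from the DragonForce analysis or from any tool it names: a triage routine for the overlay finding in the key findings above (icon and wallpaper stored Zlib-compressed in the binary's overlay). It locates a PE file's overlay, carves every zlib stream from it, and labels each payload by magic bytes; the magic-byte table, the `MAX_OUT` cap and the constructed `sample_pe()` input are assumptions of this example.

```python
import struct
import zlib

MAX_OUT = 16 * 1024 * 1024  # cap per-stream output so a crafted stream cannot exhaust memory
# Assumed magic bytes: the article does not say which image formats the sample embeds.
MAGICS = {b"\x00\x00\x01\x00": "ico", b"BM": "bmp", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg"}

def overlay_offset(pe: bytes) -> int:
    """Return the file offset where section data ends; bytes past it are the overlay."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    # SizeOfRawData and PointerToRawData sit at +16/+20 in each 40-byte section header
    ends = [sum(struct.unpack_from("<II", pe, table + 40 * i + 16)) for i in range(n_sections)]
    return max(ends, default=0)

def zlib_streams(blob: bytes):
    """Yield (offset, data) for each complete zlib stream found in blob."""
    pos = 0
    while pos < len(blob) - 1:
        # zlib header: low nibble 8 (deflate), 16-bit header value divisible by 31
        if (blob[pos] & 0x0F) == 8 and ((blob[pos] << 8) | blob[pos + 1]) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(blob[pos:], MAX_OUT)
            except zlib.error:
                out = b""
            if out and d.eof:
                yield pos, out
                pos = len(blob) - len(d.unused_data)  # resume after this stream
                continue
        pos += 1

def triage_overlay(pe: bytes):
    """List (file_offset, kind, size) for zlib-compressed blobs in the PE overlay."""
    start = overlay_offset(pe)
    return [(start + off, next((k for m, k in MAGICS.items() if data.startswith(m)), "unknown"),
             len(data)) for off, data in zlib_streams(pe[start:])]

def sample_pe() -> bytes:
    """Constructed sample: minimal one-section PE with two zlib blobs appended as overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, no optional header
    sect = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 0x200) + b"\0" * 16
    image = (dos + b"PE\0\0" + coff + sect).ljust(0x200, b"\0") + b"\x90" * 16
    return image + zlib.compress(b"\x00\x00\x01\x00" + b"\x10" * 66) + zlib.compress(b"BM" + b"\0" * 100)
```

Authenticode signatures are also stored past the last section, so an overlay on its own is not suspicious; compressed image payloads inside it are the part worth a closer look.
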
Most of these attacks follow a systematic and organized approach, which typically includes:

- Initial compromise – Gaining unauthorized access to the target network.
- Data exfiltration – Stealing sensitive information before encryption.
- Encryption of files – Locking access to critical data and systems.
- Extortion and ransom demands – Threatening to leak stolen data unless payment is made.

Over time, threat actors have refined their attack methods, investing in advanced infrastructure to manage data leaks, ransom negotiations, and operational security. Many groups create dedicated dark web leak sites where they publish details about their victims, share samples of data breaches, and even disclose ransom negotiations, which further pressures organizations to meet their demands.

In the ever-changing landscape of cybersecurity, DragonForce has become a prominent cyber threat group known for its well-organized attack and leak mechanisms. Unlike traditional ransomware groups that primarily seek financial gain, DragonForce employs a combination of ideological tactics and extortion strategies. A key weapon in their arsenal is the extensive public exposure they create on darknet platforms, targeting organizations effectively. The group’s coordinated approach to disrupting businesses through cyber warfare and financial extortion positions it as a significant player in the realm of modern cyber threats.

Introduction - DragonForce

DragonForce is a Malaysia-based cyber threat group that has quickly gained notoriety in the cybercrime landscape due to its high-profile cyberattacks, particularly targeting entities in Israel and other global organizations. The group primarily operates from ideological motives, aligning itself with pro-Palestinian causes and using cyber warfare as a means of activism and disruption. In addition to its cyber operations, DragonForce has been actively involved in propaganda and psychological warfare.
DragonForce effectively uses social media, forums, and darknet communities to amplify its message and attract new members.

DragonForce is not only focused on politically motivated cyberattacks. Over time, the group has expanded its operations to include financially driven cybercrime, particularly through ransomware and data extortion campaigns. They have been linked to attacks targeting businesses, where they demand ransom payments and threaten to leak stolen data on dark web forums. This shift illustrates how DragonForce has evolved from a hacktivist collective into an organized cybercriminal entity, combining ideological goals with financial incentives.

DragonForce's Cyber Activities Against Israel

In June 2021, after Israel announced its intention to establish diplomatic relations with Southeast Asian Muslim countries, the group DragonForce launched a coordinated wave of cyberattacks against Israeli targets. This marked a significant escalation in the group's operations, showcasing its capabilities and willingness to engage in politically motivated cyber warfare (