A sophisticated Ransomware-as-a-Service (RaaS) operation known as ‘Dragon’ has emerged as the dominant force within the notorious “Five Families” of crimeware, implementing advanced initial access techniques and exploitation methods that have alarmed cybersecurity experts. The threat actors behind Dragon have demonstrated a high level of technical proficiency, combining living-off-the-land techniques with novel obfuscation methods to remain undetected within compromised environments for an average of 26 days before initiating encryption routines.

Security researchers have observed Dragon operators leveraging a previously undocumented vulnerability in widely used VPN appliances to establish persistent access to corporate networks. SentinelOne researchers noted that Dragon operatives use a custom-built command and control (C2) framework that relies on DNS tunneling to evade traditional network security monitoring. “This represents a significant evolution in their operational security and reflects a level of sophistication previously only seen in nation-state actors,” explained the SentinelOne threat intelligence team in their analysis.

The Dragon RaaS operation has been linked to a series of high-profile attacks against critical infrastructure, financial institutions, and healthcare organizations over the past three months, with ransom demands averaging $3.4 million per incident.

Initial access vectors include phishing emails containing malicious Excel documents with embedded macros that download the first-stage loader through a PowerShell command. Once initial access is established, Dragon deploys a PowerShell loader that retrieves a second-stage DLL and injects it directly into memory to avoid detection.
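The reported intrusion chain (an Excel macro launching a PowerShell download command, and a C2 channel tunneled over DNS) points to two detections a defender can run over their own telemetry: an Office application spawning a shell with a download cradle or encoded command, and a parent domain receiving many distinct, long, high-entropy subdomain lookups. The following Python is an added example, not code from the article or from SentinelOne's analysis; the process-event schema, the command-line marker list, the DNS thresholds and all sample telemetry are constructed assumptions, not Dragon indicators.

```python
"""Two constructed detections for behaviours described in the Dragon write-up.
All telemetry below is constructed sample data, not real indicators."""
import math
import random
from collections import defaultdict

# ---------- 1. Office application spawning a shell (macro-launched loader) ----------
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Command-line fragments typical of download cradles and encoded commands (assumption: tune per environment).
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "-encodedcommand", "-enc ", "frombase64string")

SAMPLE_PROCESS_EVENTS = [  # constructed process-creation events, schema assumed: parent/image/cmdline
    {"parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -EncodedCommand UExBQ0VIT0xERVI="},  # base64 of "PLACEHOLDER"
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"parent": "EXCEL.EXE", "image": "splwow64.exe", "cmdline": "splwow64.exe 8192"},
]


def suspicious_office_child(event):
    """Return the reasons an Office -> shell process-creation event looks like a macro-launched loader
    (empty list when the parent/child pair is not Office -> shell)."""
    parent, image, cmd = (event[k].lower() for k in ("parent", "image", "cmdline"))
    if parent not in OFFICE_PARENTS or image not in SHELLS:
        return []
    reasons = [f"{parent} spawned {image}"]
    if any(marker in cmd for marker in CRADLE_MARKERS):
        reasons.append("download cradle or encoded command on the command line")
    if "-w hidden" in cmd or "windowstyle hidden" in cmd:
        reasons.append("hidden window requested")
    return reasons


# ---------- 2. DNS tunneling heuristics ----------
def shannon_entropy(text):
    """Bits per character of `text`; encoded payloads score near their alphabet's maximum."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registered domain as the last two labels (assumption: no public-suffix list offline)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_dns_queries(qnames, min_queries=20, min_unique_ratio=0.9, min_entropy=3.5, long_label=30):
    """Group query names by registered domain and flag domains whose subdomains look like encoded data:
    many queries, almost all distinct, with long, high-entropy labels under one parent domain."""
    per_domain = defaultdict(list)
    for q in qnames:
        q = q.rstrip(".").lower()
        dom = registered_domain(q)
        per_domain[dom].append(q[: -len(dom)].rstrip("."))  # everything left of the registered domain
    report = {}
    for dom, subs in per_domain.items():
        n = len(subs)
        unique_ratio = len(set(subs)) / n
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / n
        longest = max((len(lbl) for s in subs for lbl in s.split(".")), default=0)
        flagged = (n >= min_queries and unique_ratio >= min_unique_ratio
                   and avg_entropy >= min_entropy and longest >= long_label)
        report[dom] = {"queries": n, "unique_ratio": round(unique_ratio, 2),
                       "avg_entropy": round(avg_entropy, 2), "longest_label": longest, "flagged": flagged}
    return report


def build_sample_dns_log():
    """Constructed DNS query names: ordinary corporate lookups plus a tunneling-style pattern."""
    rng = random.Random(2025)
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"  # base32-style alphabet seen in encoded subdomains
    benign = ["www.example-corp.invalid", "mail.example-corp.invalid", "sso.example-corp.invalid"] * 10
    tunneled = ["".join(rng.choices(alphabet, k=50)) + ".tunnel-test.invalid" for _ in range(25)]
    return benign + tunneled


if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        print(ev["parent"], "->", ev["image"], suspicious_office_child(ev) or "ok")
    for dom, stats in score_dns_queries(build_sample_dns_log()).items():
        print(dom, stats)
```

The DNS scorer deliberately requires all four conditions (volume, uniqueness, entropy, label length) before flagging, because any one of them alone also matches legitimate traffic such as CDN or anti-spam lookups; the thresholds are starting points to be tuned against a baseline of the environment's normal DNS traffic.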
Dragon operators have introduced a new feature that specifically targets database servers by corrupting transaction logs before encryption, making recovery particularly challenging even with backups. The exploitation chain begins with a specially crafted HTTP request that triggers memory corruption in the authentication module, effectively bypassing security controls.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 20 Mar 2025 11:20:05 +0000