
DragonForce Exploits SimpleHelp Flaws in Targeted MSP Ransomware Attack
A newly uncovered ransomware campaign has exposed the persistent threat of supply chain attacks targeting Managed Service Providers (MSPs). In this case, the threat actor known as DragonForce exploited a set of vulnerabilities in SimpleHelp, a popular Remote Monitoring and Management (RMM) tool, to breach an MSP and deploy ransomware across multiple client environments.
According to Sophos, whose MDR team investigated the incident, the attackers used the MSP's own infrastructure to infiltrate downstream networks, exfiltrate sensitive data, and carry out a double-extortion scheme. The case illustrates both the adversary's operational discipline and the cascading impact of a single security lapse in a widely trusted vendor ecosystem: one compromised RMM server is a foothold in every customer environment enrolled in it.
How DragonForce Exploited SimpleHelp to Launch a Supply Chain Attack via an MSP
With access to the MSP's SimpleHelp instance, DragonForce ran a deliberate supply chain attack that reached multiple organizations at once. The threat actors pushed a modified SimpleHelp installer file to client machines through the MSP's legitimate RMM infrastructure, so the delivery looked like routine agent maintenance.
Once the installer had been silently deployed, it enabled further malicious activity, including credential harvesting and reconnaissance.
According to Sophos, the attackers used the MSP's SimpleHelp instance to gather intelligence on the environments of multiple downstream customers. This reconnaissance included:
- Device names and configurations
- User accounts
- Network connections
This information helped the attackers map out the affected networks and likely aided in identifying high-value targets within each environment.

DragonForce’s attack scheme targeting SimpleHelp vulnerabilities
The attack was first detected when Sophos MDR flagged suspicious behavior associated with the installer, which had been delivered under the guise of legitimate administrative work. Blending in with normal RMM traffic indicates a good understanding of how MSPs operate and of the trust relationships between an MSP and its customers.
By leveraging the MSP’s centralized access to its customers, DragonForce maximized the attack’s reach. Instead of targeting individual companies in isolation, the threat actors infiltrated the MSP to scale their operations and deliver payloads across a wide array of client networks simultaneously.
Which SimpleHelp Vulnerabilities Were Exploited?
The attack hinged on three vulnerabilities in SimpleHelp disclosed in January 2025. Because SimpleHelp is widely used by MSPs for customer support and remote access, an unpatched server is a high-value target, and DragonForce exploited the following:
- CVE-2024-57726 (CVSS 9.9): A privilege escalation flaw. Missing authorization checks let a low-privilege technician account escalate to server administrator.
- CVE-2024-57727 (CVSS 7.5): A path traversal flaw that lets an unauthenticated attacker download arbitrary files from the SimpleHelp server, including configuration files that hold hashed account credentials.
- CVE-2024-57728 (CVSS 7.2): An arbitrary file upload vulnerability that lets an administrator-level technician write files anywhere on the server, which is enough for remote code execution.
Chained together, the flaws take an unauthenticated attacker from credential disclosure to administrative access to code execution on the RMM server that controls every enrolled endpoint.

Vulnerability card of CVE-2024-57726 (SOCRadar's Vulnerability Intelligence)
Although SimpleHelp released fixed versions (5.5.8, 5.4.10 and 5.3.9) within 48 hours of disclosure, the publication of CVE details combined with slow patch adoption created a window of opportunity for attackers. Organizations still running older versions remained exposed, and DragonForce took full advantage, installing reconnaissance tools and ransomware through the exposed RMM software.

SOCRadar’s Vulnerability Intelligence: Latest CVEs & attacker trends.
SOCRadar’s Vulnerability Intelligence – available under the Cyber Threat Intelligence module of the SOCRadar XTI platform – offers an easy way to track emerging CVEs, understand attacker trends, and identify active exploits. The module provides timely insights and contextual threat analysis to support patch management and proactive defense planning.
DragonForce’s Evolution: From RaaS to Cartel
DragonForce entered the ransomware scene in mid-2023 as yet another player in the Ransomware-as-a-Service (RaaS) market. Its trajectory since then has been anything but typical.
Initially operating under a centralized model, the group rebranded in March 2025, announcing its transformation into a “cartel” – a decentralized network that allows affiliates to use DragonForce’s ransomware infrastructure while applying their own branding. This model, similar to franchising in the criminal world, gave cybercriminals more autonomy and scalability.

The DragonForce ransomware operation logo
DragonForce has elevated its profile in the cybercriminal ecosystem by pushing a bold rebrand across underground forums.
To reinforce its dominance, the group conducted a string of strategic attacks, defacing leak sites operated by competitors like BlackLock and Mamona, and claiming the allegiance of former affiliates from the now-defunct RansomHub. They have also taken credit for ransomware incidents affecting high-profile UK retailers like Marks & Spencer.
If you want to know more about this ransomware operation, its tactics, and operations, visit SOCRadar’s “Dark Web Profile: DragonForce Ransomware” article.

Details about DragonForce, SOCRadar’s Ransomware Intelligence
To further strengthen your ransomware defenses, explore SOCRadar’s Ransomware Intelligence, which provides continuous monitoring of ransomware groups, real-time TTP updates, and profiles on recent campaigns. It integrates MITRE ATT&CK visualizations and actionable IOCs, helping your security team understand adversary behaviors and proactively adjust defenses.
Implications for Cybersecurity Teams
The DragonForce campaign reflects a significant evolution in both tactics and organizational structure among ransomware groups. Their use of an MSP as a pivot point in a supply chain attack exemplifies how adversaries are seeking maximum disruption with minimal effort. The event also emphasizes the increasingly decentralized and service-driven nature of ransomware operations.
Cybersecurity teams must reevaluate their defenses against these broader threats. Relying solely on endpoint detection or perimeter security is no longer sufficient. The attack shows that even well-intentioned third-party vendors can become conduits for large-scale breaches if patch management and security hygiene are neglected.
Moreover, DragonForce’s operational flexibility and branding aggressiveness suggest a competitive and chaotic underground economy where reputation and speed are just as valuable as technical acumen. As new affiliates join and old groups rebrand, organizations need threat intelligence that adapts as quickly as the threat landscape.
How Can You Defend Against DragonForce and Other Ransomware Threats?
To guard against similar threats, organizations should adopt a layered defense strategy combining technical controls with procedural safeguards:
- Patch promptly: Apply updates to SimpleHelp and similar third-party tools as soon as they become available, and verify the version actually running on every RMM server and client rather than assuming the update rolled out.
- Monitor endpoints: Use EDR/XDR platforms capable of detecting infostealers, malicious scripts, lateral movement, and anti-forensic activity such as event-log clearing.
- Strengthen identity verification: Implement strict verification for all IT and help desk interactions, including requests that arrive through an MSP.
- Use password managers and browser isolation: Limit exposure to credential theft via saved logins.
- Conduct regular tabletop exercises: Simulate insider threats, social engineering, and a compromised-vendor scenario to test readiness.
- Monitor for stolen credentials: Use identity protection tools that scan Dark Web sources for exposed data.
SOCRadar’s Dark Web Monitoring strengthens your strategy by providing instant alerts on leaked credentials, breached data, and active threats in Deep and Dark Web forums. By detecting exposures early, you can take swift action before attackers strike.

SOCRadar’s Dark Web Monitoring: Track Black Markets, exposed PII, Botnet Data, IM Content, and more
Curious about your organization’s exposure? Get your Free Dark Web Report from SOCRadar Labs and take the first step in tightening your defenses.
Indicators of Compromise (IOCs)
Sophos researchers have published a list of IOCs related to the DragonForce attack via SimpleHelp:
Indicator Type | Data | Note
--- | --- | ---
File Path | C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\working\toolbox-9759076704687761247\win.exe | DragonForce ransomware binary
SHA256 | cee6a7663fad90c807c9f5ea8f689afd0e4ece04f8c55d7a047a7215db6be210 | DragonForce ransomware binary
Filename | PUSH PUSh PUUUUUSH.bat | Batch script to list and clear all Windows Event logs
File Path | C:\Users\<user>\Videos\PUSH PUSh PUUUUUSH.bat | Batch script to list and clear all Windows Event logs
Incorporating these IOCs into your detection systems helps identify and respond to similar attacks, with one caveat: the hash and filename are trivially changed by the next affiliate, while the behaviors behind them (an executable staged in the SimpleHelp toolbox directory, a burst of event-log clearing) are more durable detection signals. The table is also available on GitHub.
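To turn the IOC table into something a SOC can actually run, here is an added example in Python; it is not code from Sophos or SOCRadar. It matches a host file inventory against the published hash, filename and staging path, and separately flags the behavior of the batch script, which Windows records as Event ID 1102 (Security log cleared) and Event ID 104 (any other log cleared). It generalizes the path IOC to any toolbox-<digits> folder, since that name changes per push. The inventory records, event records and function names (scan_inventory, detect_log_clearing) are constructed for this example.

```python
"""Hunt for the IOCs in the table above on a Windows host inventory and in
event-log exports. Added example for this article; it is not code from
Sophos or SOCRadar. The hash, filename and path come from the published
IOC table; the inventory records, event records and function names are
constructed here for illustration."""
import hashlib
import re
from dataclasses import dataclass

RANSOMWARE_SHA256 = "cee6a7663fad90c807c9f5ea8f689afd0e4ece04f8c55d7a047a7215db6be210"
LOG_WIPER_NAME = "PUSH PUSh PUUUUUSH.bat"
# The ransomware was staged in the SimpleHelp client's JWrapper working
# directory. The toolbox-<digits> folder name differs per push, so match the
# shape of the path rather than the exact IOC string.
TOOLBOX_PATH_RE = re.compile(
    r"^C:\\ProgramData\\JWrapper-Remote Access\\JWAppsSharedConfig\\working"
    r"\\toolbox-\d+\\win\.exe$",
    re.IGNORECASE,
)

# Windows logs a cleared Security log as Event ID 1102 (Security channel)
# and a cleared System/Application/other log as Event ID 104 (System channel).
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


@dataclass
class FileRecord:
    path: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_inventory(records):
    """Return (path, verdict, reason) for each record matching an IOC.

    A hash or filename match is a confirmed hit. A path-only match in the
    toolbox directory is a lead: legitimate SimpleHelp tool pushes land there too.
    """
    hits = []
    for rec in records:
        name = rec.path.rsplit("\\", 1)[-1]
        if rec.sha256.lower() == RANSOMWARE_SHA256:
            hits.append((rec.path, "confirmed", "SHA256 matches DragonForce ransomware binary"))
        elif TOOLBOX_PATH_RE.match(rec.path):
            hits.append((rec.path, "lead", "win.exe staged in SimpleHelp toolbox directory"))
        if name.lower() == LOG_WIPER_NAME.lower():
            hits.append((rec.path, "confirmed", "event-log clearing batch script"))
    return hits


def detect_log_clearing(events, threshold=2):
    """Return {account: [cleared-log messages]} for accounts that cleared at
    least `threshold` logs. One 1102/104 can be maintenance; a burst across
    channels is what a "clear all logs" batch script produces."""
    per_user = {}
    for ev in events:
        if (ev["channel"], ev["event_id"]) in LOG_CLEAR_EVENTS:
            per_user.setdefault(ev["user"], []).append(ev["message"])
    return {user: msgs for user, msgs in per_user.items() if len(msgs) >= threshold}


# Constructed sample data: a benign file, the staged ransomware, an unrelated
# tool push, and the batch script dropped in a user's Videos folder.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\notepad.exe", sha256_hex(b"benign placeholder")),
    FileRecord(r"C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\working"
               r"\toolbox-9759076704687761247\win.exe", RANSOMWARE_SHA256),
    FileRecord(r"C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\working"
               r"\toolbox-42\win.exe", sha256_hex(b"some other pushed tool")),
    FileRecord(r"C:\Users\jdoe\Videos\PUSH PUSh PUUUUUSH.bat", sha256_hex(b"wevtutil el ...")),
]

# Constructed event-log export: one account clears three logs in a row.
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7045, "user": "SYSTEM", "message": "A service was installed."},
    {"channel": "Security", "event_id": 1102, "user": r"CORP\svc-rmm", "message": "The audit log was cleared."},
    {"channel": "System", "event_id": 104, "user": r"CORP\svc-rmm", "message": "The Application log file was cleared."},
    {"channel": "System", "event_id": 104, "user": r"CORP\svc-rmm", "message": "The Windows PowerShell log file was cleared."},
    {"channel": "System", "event_id": 104, "user": r"CORP\jdoe", "message": "The Setup log file was cleared."},
]

if __name__ == "__main__":
    for path, verdict, reason in scan_inventory(SAMPLE_INVENTORY):
        print(f"[{verdict}] {path}: {reason}")
    for user, msgs in detect_log_clearing(SAMPLE_EVENTS).items():
        print(f"[anti-forensics] {user} cleared {len(msgs)} logs")
```

In practice the inventory would come from an EDR file export or a walk over the SimpleHelp directories with sha256_hex applied to each file, and the events from a Security/System channel export. The verdict split matters: the toolbox directory is where SimpleHelp legitimately drops pushed tools, so a path-only match is a reason to pull the binary and hash it, not a reason to page on-call, whereas a single account clearing several logs in quick succession is rarely benign.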