
Threat Actor Characterization

DragonForce Malaysia

ID: 31622d85a3826aa600d14a779a5f9cb796975
Hacktivist Group, DDoS Crew, Defacement Crew, Hacktivism
Threat types: Defacement, DDoS, Intrusion, Double-extortion ransomware, Pro-Palestine
Malaysia
Updated: 2026-03-04
Created: 2025-10-21
Progress: 66% Completeness: 64% Freshness: 70%
Operation zone:
Aliases: DFM, DFRC (2 of 9 aliases shown in free preview)
MITRE ATT&CK®

DragonForce Malaysia is a Malaysia-based hacktivist collective associated in OSINT with politically motivated cyber operations, notably DDoS/DoS disruption, website defacement, and public claim/amplification campaigns coordinated via social platforms such as Telegram. Reported operations include campaigns targeting Indian organizations and pro-Palestinian/anti-Israel aligned narratives.


Technique | Technique name | Tactics | Evidence
T1595 | Active Scanning | TA0043
  • 2024-xx-xx — INFERENCE (confidence: medium): Hacktivist operations are described as selecting targets and validating exposed web services, which implies external discovery/scanning behaviors.
T1585 | Establish Accounts | TA0042
  • 2022-06-15 — Use of Telegram/social platforms to list targets, coordinate campaigns, and publish claims implies use of online personas/accounts for operations and influence.
  • 2022-06-30 — Reporting references Telegram channels and multi-platform presence used for announcements and dissemination.
T1587 | Develop Capabilities | TA0042
  • 2024-xx-xx — INFERENCE (confidence: medium): Reliance on publicly available/shared DDoS tooling is described as common for the group’s campaigns.
T1498 | Network Denial of Service | TA0040
  • 2024-xx-xx — DDoS is described as a frequently observed tactic used for disruption in campaigns attributed to DragonForce Malaysia.
  • 2024-xx-xx — Actor reference explicitly notes DDoS/denial-of-service activity as part of observed campaigns.
T1491.002 | External Defacement | TA0040
  • 2022-06-15 — Operation #OpsPatuk reporting states large-scale website compromise/defacement activity and ongoing listing of targets and compromised sites.
  • 2024-xx-xx — Actor reference describes defacement attacks as part of observed campaigns.
T1566 | Phishing | TA0001
  • 2022-06-30 — INFERENCE (confidence: low): Campaign coordination and calls-to-action across social platforms can include social-engineering style lures for participation; not a confirmed primary access vector.
Strategic Intelligence
Last updated: 2025-10-21T03:42:31+00:00
DragonForce Malaysia — High-Signal Hacktivists → Ransomware Pivot (2021–2025)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

DragonForce Malaysia began as a pro-Palestinian hacktivist collective known for its OpsBedil (2021–2022) and OpsPetir (2023) campaigns against Israel and, at times, India. In 2025, multiple vendors assess that it has evolved into a ransomware-extortion operation (a distinct “DragonForce” ransomware brand/cartel) that claims major retail victims in the UK and elsewhere. Research has not yet fully consolidated the hacktivist → cybercrime pivot, but the weight of 2025 reporting supports a financially motivated RaaS trajectory layered on top of earlier defacement/DDoS/dox activity. Confidence: high for the hacktivist history; medium-high for the ransomware expansion (multi-vendor).


  • Origins. Publicly documented as pro-Palestinian and Malaysia-based; active social channels and a forum in early years.
  • Pivot. By 2025, multiple vendors (SentinelOne, Group-IB, others) profile “DragonForce” as a ransomware group with global victims, suggesting organizational/brand evolution.
Social Media & Communication
Address Verification SOCMINT
www.dragonforce.io Restricted Not integrated
radio.dragonforce.io Restricted Not integrated