DragonForce Hides C2 in Teams, INC Ransomware Hits 830+ Victims

Events tracked: 161
Critical exposure: 39

Summary

Today's threat landscape is defined by two converging trends: ransomware groups are aggressively targeting operational technology and critical infrastructure, while data leak actors continue to exploit weak access controls across government and financial sectors. The most significant signal is the evolution of ransomware-as-a-service operations, with INC Ransomware emerging as a dominant force and DragonForce demonstrating novel C2 concealment techniques. Defenders should prioritize monitoring for unauthorized cloud agent usage and orphaned AI tool privileges, as these vectors are increasingly exploited for initial access.

Today's developments

Ransomware and operational disruption -- The Gentlemen ransomware group allegedly claimed an attack on Mackay Sugar, an Australian sugar producer, forcing the shutdown of harvesting and milling operations. This incident underscores the growing threat to agricultural and food processing critical infrastructure, where downtime directly impacts supply chains. Separately, industry researchers from Acronis charted the rise of INC Ransomware, which claims to have compromised over 830 victims since August 2023. The group reportedly expanded its operations following the disruption of LockBit and BlackCat, absorbing displaced affiliates. In a related development, DragonForce ransomware actors were observed using a custom Go-based remote access trojan called Backdoor.Turn to hide command-and-control traffic inside Microsoft Teams relay infrastructure. Broadcom-owned Symantec and Carbon Black identified this technique deployed against a major U.S. services firm, marking a sophisticated evolution in C2 evasion.

Government and financial sector breaches -- Multiple alleged data breaches targeted government administration entities across several countries. Mosad Leaks claims to have compromised Indian and Russian government systems, as well as U.S. government documents. A separate actor, Ruhi, alleges a breach of Pakistan Military Intelligence. In Latin America, GordonFreeman claims to have breached the Central Bank of Venezuela, while vLeakz alleges access to Argentina's Ministerio de Salud. The concentration of government targets suggests coordinated or copycat activity, likely exploiting unpatched vulnerabilities or weak authentication.

Real estate and e-commerce exposure -- French real estate firms were disproportionately targeted, with ChimeraZ allegedly breaching Ma Gestion Locative and TakTikimmo, and 0xSec claiming access to TIMER IMMOBILIER. In the e-commerce sector, Sensitive2025 alleges breaches of Argentine platform Toque and U.S. dating site BestFriendMatch. These incidents highlight the persistent vulnerability of customer-facing platforms that handle personal data but may lack robust security postures.

Industry context on supply chain and AI risks -- Security reporters at CyberScoop detailed how the threat group TeamPCP exploited the software industry's speed-over-security culture to compromise open-source projects. This aligns with Microsoft's disclosure of a Windows clipper malware campaign using USB LNK worms and Tor-based C2, demonstrating that even low-sophistication attacks remain effective. On the defensive side, Accenture's $4.18 billion acquisition of Dragos, runZero, and NetRise signals a major industry push toward industrial cybersecurity, reflecting growing concern over OT threats.

Threat landscape signals

Actor concentration and targeting patterns -- Dark Storm Team dominated activity with 18 events, followed by The Gentlemen (11) and EXADOS (8). The United States remained the most targeted country (26 events), with France (17), Thailand (15), and Saudi Arabia (11) also heavily affected. The prominence of French real estate and Thai government targets suggests regional specialization among threat actors. The high volume of DDoS attacks (29 events) alongside ransomware (43) indicates a diversified threat landscape where both disruptive and extortion-driven operations are active.

Data leak market dynamics -- The 39 critical data exposure events reveal a thriving underground economy for stolen databases. Multiple actors are selling consumer email databases (German, U.S. bank leads), credit card data (Brazil, multi-country), and sector-specific datasets (insurance policies, police directories). The repeated appearance of actor OriginalCrazyOldFart across multiple leak claims suggests an individual or small group specializing in aggregating and reselling data from various sources. Defenders should verify whether any of their organization's data appears in these leaks, particularly for entities operating in France, India, and Thailand.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
