slippery_scorpius
Slippery Scorpius is Unit 42’s name for the group behind DragonForce ransomware. The group was first detected in November 2023 and became more prominent in 2024. DragonForce is described as a ransomware-as-a-service program, and Slippery Scorpius is associated with double-extortion activity. Reported behavior includes extorting victims directly through phone calls and leaking recorded audio of those conversations. Unit 42 also reported that since at least April 2025, Muddled Libra (also known as Scattered Spider and UNC3944) partnered with the DragonForce RaaS program operated by Slippery Scorpius to extort victims, including at least one case involving more than 100 GB of data exfiltration followed by DragonForce ransomware deployment. No additional aliases for Slippery Scorpius beyond DragonForce are directly provided in the content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Operator of the DragonForce ransomware-as-a-service program used in partnership with Muddled Libra to extort victims.
Slippery Scorpius operates DragonForce ransomware, using double extortion and direct phone-based extortion, and leaks audio of victim conversations. Its ransomware is based on LockBit 3.0 code.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.