THREAT ACTOR

Hunters International

THREAT LEVEL: 5
EMERGENCE DATE: Oct 2023
CATEGORY: Ransomware-as-a-Service
AFFILIATIONS: Hive ransomware (60% code overlap)

DESCRIPTION

Emerging in October 2023, Hunters International operated as a RaaS platform built on Hive ransomware's codebase after Hive's law enforcement disruption. Its double extortion model combined data encryption with systematic exfiltration to maximize pressure on victims. The Rust-based ransomware could be deployed across Windows, Linux, and VMware ESXi systems throughout enterprise networks.

CRITICALITY: Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact.
LETHALITY: Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS: Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS) operation with affiliate-based distribution model

Sharing 60% code similarity with Hive version 6, Hunters International maintains independence through strategic code acquisition. Underground forums reference the group using Russian terminology for Hive, indicating deeper operational connections than publicly acknowledged. The affiliate program offers an 80% revenue share, positioning it among the most lucrative in the ransomware ecosystem.

Current Status: Operations ceased in July 2025 with transition to World Leaks. (Threat levels reflect the group's activity level.)

Threat Level: 5

Origins and Methodology

Hunters International's emergence following Hive's disruption demonstrated the resilience of modern ransomware operations, in which technical assets and operational knowledge transfer between groups. Development in Rust provided performance and detection-evasion advantages while enabling seamless deployment across diverse infrastructure types.

Operational maturity showed through refined double extortion methodology, combining file encryption with systematic data categorization for maximum negotiation leverage. The technical architecture built upon lessons from predecessor operations, implementing evasion techniques and cross-platform capabilities from inception.

What is the Evolution of Hunters International Ransomware?
1. Formation

Acquiring Hive's technical assets allowed operations to be established rapidly by October 2023; initial campaigns against the manufacturing and healthcare sectors demonstrated enterprise targeting capability from the outset.

2. Evolution

Encryption capabilities progressed from ChaCha20-Poly1305 with RSA OAEP to AES implementations, eventually embedding decryption keys within the encrypted files to streamline recovery. Infrastructure expanded to AWS EC2 instances for C2 operations, improving resilience and allowing rapid scaling. A strategic shift in November 2024 and the July 2025 closure marked the transition to World Leaks, which comprises four platforms: a leak site, a negotiation portal, insider recruitment, and affiliate management systems.

3. Lineage/Connections

Underground forums identified strong operational connections to Hive, with members referring to the group using Russian terminology directly translating to Hive. The 60% code overlap and timing following Hive's disruption indicated deeper relationships than publicly acknowledged. Infrastructure patterns and affiliate recruitment methods mirrored Hive's established practices.

Which Unique Techniques Does Hunters International Use?

Building upon Hive's proven methodologies, Hunters International demonstrated tactical refinement through enhanced evasion capabilities and expanded attack vectors.

TECHNIQUE | DETAILS

Infection Vectors | Primary access methods include targeted phishing campaigns (T1566), RDP exploitation, and supply chain compromises through IT service providers. Campaigns frequently impersonate legitimate software vendors while exploiting unpatched Citrix and Oracle WebLogic deployments. The custom SharpRhino RAT, developed in C#, is distributed through typosquatted domains and masquerades as network administration tooling.

Target Selection | Geographic concentration centers on North America, followed by substantial operations across Europe and Asia. Manufacturing leads victim distribution, where legacy systems and operational urgency create payment incentives. Healthcare facilities follow closely, with patient data sensitivity and regulatory compliance pressures enhancing extortion effectiveness.

Operational Complexity | Attack progression leverages valid account compromise (T1078) followed by extensive reconnaissance using native tools. Lateral movement employs PowerShell, PsExec, and Windows Management Instrumentation (WMI) to minimize detection. SharpRhino carries out advanced evasion including sandbox detection (T1497), debugger evasion (T1622), and security tool impairment (T1562).

Key Features & Technical Details

The ransomware's Rust-based architecture provided memory safety guarantees while enabling efficient cross-platform compilation across enterprise environments.

FEATURE | DETAILS

Encryption Method | Evolved from ChaCha20-Poly1305 to AES with RSA OAEP, embedding keys in encrypted files
File Extension | .LOCKED, .lock (configurable per campaign)
Ransom Note | Customizable templates with victim-specific payment portals
Double Extortion | Systematic data categorization precedes encryption for maximum leverage
Communication Channels | Tor-based negotiation portals with backup clearnet infrastructure
Deployment Speed | 24-hour encryption timeline for average enterprise networks
Killswitch | No identified killswitch mechanism
Payment Method | Bitcoin and Monero with preference for privacy coins
Operational Model | 80/20 revenue split favoring affiliates

Activities

Nearly 300 confirmed attacks established Hunters International among the most active ransomware operations globally before cessation in July 2025. The group announced its shutdown on July 4, 2025, claiming to offer free decryption keys to victims while suggesting a transition to data theft operations through the World Leaks platform.

Which Industries Are Most Vulnerable to Hunters International?

Manufacturing dominated the victim landscape due to operational technology vulnerabilities and production continuity pressures that drove rapid payments. Healthcare organizations followed closely, where patient safety concerns combined with HIPAA compliance obligations to amplify extortion effectiveness.

Financial services and professional services attracted heavy targeting for their valuable data repositories, transaction records, and privileged communications. Education institutions rounded out the primary victims, offering extensive personal data with minimal security defenses, creating ideal conditions for affiliate operations.

Modus Operandi

The attack chain employed methodical progression through custom tools and living-off-the-land techniques, maximizing impact while evading detection.

1. Gained entry through phishing emails (T1566), external remote services (T1133), and valid accounts (T1078). Targeted vulnerable Oracle WebLogic (T1190) and Citrix deployments. Initial Access Brokers provided pre-compromised credentials.

2. Employed AdFind, BloodHound, and native commands for Active Directory enumeration. Network scanning identified high-value targets and backup systems. PowerShell scripts automated financial data discovery.

3. Deployed the SharpRhino custom RAT alongside AnyDesk, TeamViewer, and ScreenConnect. Established persistence through scheduled tasks and service creation.

4. Used obfuscated files (T1027), software packing, and sandbox evasion (T1497). Disabled security tools (T1562) through BYOVD techniques. Cleared logs and employed timestomping.

5. Harvested credentials using Mimikatz, LaZagne, and memory scrapers. Targeted LSASS process memory and browser stores. Exploited Kerberoasting for service accounts.

6. Maintained C2 through AWS EC2 instances and compromised servers. Used DNS tunneling and HTTPS callbacks. Implemented domain fronting for resilience.

7. Leveraged RDP (T1021.001), SMB (T1021.002), and WMI (T1047). PsExec and PowerShell remoting enabled rapid deployment.

8. Staged data in cloud storage before encryption. Used Rclone, FileZilla, and custom tools. Implemented bandwidth throttling.

9. Established autostart execution (T1547), scheduled tasks (T1053), and Windows services (T1543.003). Created backdoor accounts and modified Group Policy.

10. Encrypted using ChaCha20-Poly1305 or AES (T1486). Stopped critical services (T1489). Modified boot configurations for ransom display.

11. Deployed ransomware via GPO, PsExec, or manual execution. Targeted shares, databases, and backups. Used multi-threaded encryption.

12. Posted data samples on Tor sites with countdown timers. Demands could range from $200,000 to millions. Implemented graduated release schedules.

13. Deleted shadow copies (T1490), cleared logs (T1070.001), and removed artifacts. Uninstalled security software and destroyed recovery points.

Indicators of Compromise (IOCs)

Network defenders should monitor for the specific file hashes, infrastructure, and behavioral patterns that characterized Hunters International operations.

INDICATOR | DETAILS

File Hashes | c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e (primary payload), 94b6cf6c30f525614672a94b8b9788b46cbe061f89ccbb994507406404e027af (encryption module), 24de8de24001bc358c58aa946a28c545aaf9657b66bd5383c2d5a341c5d3c355 (SharpRhino)
IP Addresses | 193.106.175.48 (Russia-based C2), ec2-3-145-180-193.us-east-2.compute.amazonaws.com (AWS command server), ec2-3-145-172-86.us-east-2.compute.amazonaws.com (backup C2)
Domains/URLs | hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion (leak site)
File Paths | C:\Windows\Temp\[random].exe (payload drop), C:\ProgramData\Microsoft\Windows\[random] (persistence), %AppData%\Local\Temp\sharp.exe (SharpRhino)
File Extensions | .LOCKED, .lock
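As an added example (not part of this profile), a small Python matcher that checks constructed Sysmon-style JSON events against the indicators listed above. The event field names (image, sha256, dest_ip, dest_host, dns_query, target_file) are an assumed sample schema, and the page's [random] and %AppData% path components are treated as glob wildcards.

```python
import fnmatch
import json

# Indicators as listed on this page; the sample log lines further down are constructed, not real telemetry.
HASHES = {
    "c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e": "primary payload",
    "94b6cf6c30f525614672a94b8b9788b46cbe061f89ccbb994507406404e027af": "encryption module",
    "24de8de24001bc358c58aa946a28c545aaf9657b66bd5383c2d5a341c5d3c355": "SharpRhino",
}
NETWORK = {
    "193.106.175.48": "Russia-based C2",
    "ec2-3-145-180-193.us-east-2.compute.amazonaws.com": "AWS command server",
    "ec2-3-145-172-86.us-east-2.compute.amazonaws.com": "backup C2",
    "hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion": "leak site",
}
# The page's "[random]" and "%AppData%" path components become glob wildcards (matched case-insensitively).
PATHS = {
    r"c:\windows\temp\*.exe": "payload drop",
    r"c:\programdata\microsoft\windows\*": "persistence",
    r"*\local\temp\sharp.exe": "SharpRhino",
}
EXTENSIONS = (".locked", ".lock")

def match_event(event):
    """Return a list of (indicator_type, label) hits for one parsed event; empty means no match."""
    hits = []
    sha = event.get("sha256", "").lower()
    if sha in HASHES:
        hits.append(("hash", HASHES[sha]))
    for field in ("dest_ip", "dest_host", "dns_query"):  # whichever the log source provides
        value = event.get(field, "").lower().rstrip(".")
        if value in NETWORK:
            hits.append(("network", NETWORK[value]))
    image = event.get("image", "").lower()
    hits += [("path", label) for pat, label in PATHS.items() if fnmatch.fnmatchcase(image, pat)]
    if event.get("target_file", "").lower().endswith(EXTENSIONS):
        hits.append(("extension", "encrypted-file extension"))
    return hits

def scan(lines):
    """Parse one JSON event per line; return {event_id: hits} for events that matched anything."""
    events = (json.loads(line) for line in lines)
    return {e["id"]: h for e in events if (h := match_event(e))}

SAMPLE_LINES = [  # constructed events in a Sysmon-like shape (assumed field names)
    r'{"id": 1, "image": "C:\\Windows\\Temp\\kx9a2.exe", "sha256": "C4D39DB132B92514085FE269DB90511484B7ABE4620286F6B0A30AA475F64C3E"}',
    r'{"id": 2, "image": "C:\\Windows\\System32\\svchost.exe", "dest_host": "ec2-3-145-180-193.us-east-2.compute.amazonaws.com"}',
    r'{"id": 3, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\sharp.exe", "dest_ip": "193.106.175.48"}',
    r'{"id": 4, "image": "C:\\Windows\\explorer.exe", "target_file": "D:\\finance\\ledger.xlsx.LOCKED"}',
    r'{"id": 5, "image": "C:\\Program Files\\App\\app.exe", "dest_ip": "10.0.0.5"}',
]
```

Hash-based hits are only as good as the sample set they came from; the path and extension rules catch renamed builds but also need tuning against legitimate installers that drop executables in Temp.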

Exploits and Vulnerabilities

The group breached enterprise defenses through both known vulnerabilities and zero-day exploits, using them for initial access and persistence.

EXPLOITS AND VULNERABILITIES | CVE | CVSS | DESCRIPTION

Citrix Bleed | CVE-2023-4966 | 9.4 | Memory leak in Citrix ADC/Gateway enabling session hijacking
ManageEngine CVE | CVE-2022-47966 | 9.8 | Authentication bypass in Zoho products allowing admin access
MOVEit Transfer RCE | CVE-2023-34362 | 9.8 | SQL injection enabling remote code execution
Log4Shell | CVE-2021-44228 | 10.0 | Apache Log4j RCE through JNDI lookup exploitation
Oracle WebLogic RCE | CVE-2017-10271 | 9.8 | Remote code execution via T3 protocol
Oracle WebLogic Deserialization | CVE-2019-2725 | 9.8 | Deserialization flaw enabling code execution