THREAT ACTOR

World Leaks

THREAT LEVEL: 6.1
EMERGENCE DATE: Jan 2025
CATEGORY: Ransomware-as-a-Service, Data Extortion Only
AFFILIATIONS

Direct rebrand of Hunters International (ceased operations July 2025). Confirmed partnership with Secp0 ransomware group utilizing shared leak site infrastructure.

DESCRIPTION

Emerging in January 2025 as a strategic rebrand of Hunters International, the operation departs from traditional ransomware through the marketed abandonment of file encryption, though some incidents report encryption deployment. It is distinguished by a four-platform infrastructure, including an Insider journalist portal that provides 24-hour advance access to stolen data, and functions as Extortion-as-a-Service (EaaS), providing custom exfiltration tooling to affiliates. As of October 2025, operations have impacted numerous organizations, the majority of them United States entities, yet no official government cybersecurity advisories exist.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS), Data Extortion Only

World Leaks functions as an affiliate-based Extortion-as-a-Service (EaaS) platform marketed as eliminating file encryption, though some incidents report encryption deployment. The operation provides proprietary Storage Software exfiltration tooling to affiliates while maintaining a four-platform infrastructure: a main data leak site, a victim negotiation portal with live chat, an affiliate management panel, and an Insider journalist platform granting media outlets 24-hour advance access to stolen data before public release. Confirmed collaboration with the Secp0 ransomware group demonstrates the platform's attractiveness as shared extortion infrastructure.

Current Status: Remains active as of October 2025 with a moderate tempo, claiming numerous victims across a ten-month period without any government disruption actions.

Threat Level: 6.1

Origins and Methodology

World Leaks operates as a data-only extortion platform marketed without traditional file encryption, though some incidents report encryption deployment despite this stated model. The Insider journalist platform weaponizes advance publicity by granting media outlets 24-hour early access to breached data, amplifying reputational damage beyond that of standard leak sites. The proprietary Storage Software uses a SOCKSv5 proxy via TOR, with metadata indexing that eliminates the need for full data uploads to central servers.

Core operators have maintained anonymity across four years spanning three organizational identities, despite FBI infiltration of the predecessor's infrastructure.

What is the Evolution of World Leaks Ransomware?
0.1
Formation

Launching in January 2025 as the third evolutionary generation, the platform emerged from a Hunters International rebrand following internal communications in November 2024 in which operators indicated that traditional ransomware had become too risky and unprofitable due to law enforcement scrutiny and declining payment rates.

Initial operations suffered infrastructure instability, forcing a temporary shutdown during early 2025; the first victim was published in late April 2025, following a development period that addressed the technical issues.

0.2
Evolution

The operation evolved from Hunters International, which ceased operations in July 2025 and offered free decryptors to previous victims. Current operations since January 2025 represent a pivot marketed as eliminating encryption entirely, using custom exfiltration tooling with a SOCKSv5 proxy and TOR-based communications.

Attack timelines have accelerated: intrusions progress from initial access to extortion demands within days rather than over traditional multi-week campaigns. The platform's attractiveness to other groups is shown by the confirmed Secp0 ransomware partnership, which publishes victims through the shared infrastructure.

0.3
Lineage/Connections

Infrastructure patterns, victim notification methodologies, and negotiation portal architectures connect the operation to Hunters International. The transition retained similar infrastructure and tactics traceable to the same operational crew. Core operators remain unidentified despite operational continuity spanning multiple rebrands.

Which Unique Techniques Does World Leaks Use?

Attack methodologies prioritize exploitation of valid credentials in environments with misconfigured or absent multi-factor authentication. The UNC6148 campaign exploited end-of-life SonicWall SMA 100 devices through deployment of the OVERSTEP rootkit, with victims appearing on the World Leaks leak site following the compromises; temporal correlation rather than definitive technical attribution establishes this connection.

Infection Vectors: Compromised VPN credentials lacking MFA (primary vector per incident response analysis); SonicWall SMA 100 exploitation via the OVERSTEP rootkit in the UNC6148 campaign, with CVE-2024-38475, CVE-2021-20038, and CVE-2021-20035 associated with campaign activity; targeted phishing for credential compromise.

Target Selection: Organizations with exposed remote access entry points (VPN, RDP, public-facing applications); entities storing sensitive data under regulatory compliance (GDPR, HIPAA, state breach laws); environments with end-of-life SonicWall SMA 100 equipment; entities with weak endpoint security and inadequate DLP.

Operational Complexity: Reduced complexity through elimination of the encryption phase; custom Storage Software exfiltration tool using a SOCKSv5 proxy via TOR; metadata indexing without full central uploads, reducing forensic exposure; four-platform infrastructure including journalist access that amplifies pressure; affiliate-based operations creating infrastructure diversity.

Key Features & Technical Details

The operational model is marketed as departing from traditional ransomware through the elimination of file encryption, focusing on data exfiltration and threatened exposure.

Encryption Method: Marketed as data-only extortion without file encryption; some incidents report encryption deployment.

File Extension: No standard encrypted file markers in data-only operations; varies when encryption is deployed.

Ransom Note: Email notifications with credentials for accessing private negotiation portals on the TOR network; portals display company financials, browsable file explorers of stolen data, payment tabs with Bitcoin addresses, and live chat with operators.

Double Extortion: Data exfiltration via the custom Storage Software tool supporting Windows and Linux across x86 and x64 architectures; uses cloud storage, particularly MEGA; terabyte-scale theft documented, with volumes reaching 1.3TB comprising 416,000+ files.

Communication Channels: TOR hidden services: main leak site at worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid[.]onion; negotiation portal at vw6vklsuotptwdbiwqfvd7y4b57wdbfm6ypxduzzgbt62snti6jm76yd[.]onion; Insider journalist platform at 3jguvp6xhyypdjgxhxweu4zklse66v3awjj2zljpftcjyeoimepnwtyd[.]onion providing 24-hour advance access to stolen data; SOCKSv5 proxy connections for affiliate tooling.

Deployment Speed: Accelerated timeline through elimination of the encryption phase; attacks proceed from initial access to extortion demand within days.

Payment Method: Bitcoin with freshly generated wallet addresses per victim containing no transaction history; negotiation portals display the unique addresses alongside live chat.

Operational Model: Affiliate-based EaaS platform providing proprietary Storage Software exfiltration tooling; four-component infrastructure including main leak site, victim negotiation portal, Insider journalist platform (24-hour advance data access), and affiliate management panel; confirmed collaboration with Secp0 ransomware utilizing shared infrastructure.

Activities

Maintaining a moderate operational tempo since its January 2025 launch, the operation has claimed numerous organizations across a ten-month period, yet is absent from the top 29 most active operations in the Halcyon Anti-Ransomware and Cyber Resilience Platform Power Rankings. Initial operations during early 2025 suffered infrastructure instability forcing a temporary shutdown, with the first victim published in late April 2025.

Geographic distribution shows a concentrated focus on United States organizations, which represent the majority of confirmed victims, with secondary targeting in Canada, Germany, Belgium, and India, plus additional presence across other European nations.

Which Industries Are Most Vulnerable to World Leaks?

Sector targeting emphasizes healthcare organizations, manufacturing and production entities, technology companies, consumer services, and energy and utilities critical infrastructure, with demonstrated capability against defense contractors and Fortune 500 organizations.

Modus Operandi

Attack chains prioritize exploitation of valid credentials in environments with inadequate access controls, then progress through reconnaissance, lateral movement, and systematic data exfiltration, typically without encryption deployment.

Initial Access

Exploitation of compromised VPN credentials lacking multi-factor authentication via Valid Accounts (T1078) is the most common attack vector observed across World Leaks incidents. Internet-facing VPN infrastructure, RDP, and public-facing applications are targeted via External Remote Services (T1133).

SonicWall SMA 100 exploitation through Exploit Public-Facing Application (T1190) deployed the OVERSTEP rootkit in the UNC6148 campaign, with CVE-2024-38475, CVE-2021-20038, and CVE-2021-20035 associated with campaign activity; targeted phishing campaigns via Phishing (T1566).

Discovery

Automated system enumeration through System Information Discovery (T1082) executing net.exe and whoami commands. Comprehensive file system scanning via File and Directory Discovery (T1083) identifying high-value data targets. Network Share Discovery (T1135) for identifying network shares supporting lateral movement and data exfiltration.

Remote Access Tools (RAT)

Limited public documentation of specific RAT deployment in World Leaks operations; affiliate operators may deploy varied remote access tooling.

Defense Evasion

Obfuscation techniques in exfiltration tooling via Obfuscated Files or Information (T1027). OVERSTEP rootkit operations use log deletion and manipulation through Indicator Removal on Host (T1070), modifying httpd.log, http_request.log, and inotify.log. Security control disablement via Impair Defenses (T1562).

Credential Access

Mimikatz deployment and LSASS process access for credential harvesting through OS Credential Dumping (T1003). Extraction of stored credentials from browsers and applications via Credentials from Password Stores (T1555).

Command and Control

SOCKSv5 proxy connections via TOR for C2 communications through Proxy (T1090). HTTPS and encrypted communications via Application Layer Protocol (T1071); TOR-based encrypted communications through Encrypted Channel (T1573).

Lateral Movement

SMB, RDP, and SSH use for lateral movement via Remote Services (T1021). Movement of exfiltration tools across network segments through Lateral Tool Transfer (T1570).

Exfiltration

Data exfiltration through custom Storage Software tooling via TOR connections through Exfiltration Over Alternative Protocol (T1048). Cloud storage services particularly MEGA via Exfiltration Over Web Service (T1567).

Direct data transfer through established command and control infrastructure via Exfiltration Over C2 Channel (T1041). OVERSTEP campaign used TAR archive creation through Archive Collected Data (T1560), placing archives in web-accessible directories.

Persistence

Scheduled tasks via Scheduled Task/Job (T1053). OVERSTEP rootkit establishes persistence through /etc/ld.so.preload configuration file modifications and libsamba-errors.so.6 malicious library deployment in SonicWall compromises. Credential manipulation for sustained access via Account Manipulation (T1098).

Impact

Financial Theft (T1657) through extortion demands and cryptocurrency payment collection. Reputational damage via Defacement (T1491) through threatened data exposure and leak site publication. Systems remain functional during extortion period, with impact concentrated on reputational damage, regulatory exposure, and competitive intelligence loss.

Encryption

World Leaks markets its data exfiltration operations as having no file encryption component, though some incidents report encryption deployment despite this stated operational model.

Extortion

Four-platform extortion methodology: main leak site displaying victims with countdown timers; private negotiation portals via TOR showing company financials, browsable file explorers, and Bitcoin payment tabs with freshly-generated addresses; Insider journalist platform granting 24-hour advance access to leak data before public release.

Anti-Forensics

OVERSTEP rootkit operations show log deletion and manipulation through modification of the httpd.log, http_request.log, and inotify.log files. The data-only operational model produces minimal traditional forensic artifacts compared to encryption-based operations.

Indicators of Compromise (IOCs)

Technical indicators remain extremely limited due to the ten-month operational history, a data-only extortion model that leaves minimal forensic artifacts, and affiliate-based operations that produce varied tooling.

File Hashes:
OVERSTEP Rootkit (World Leaks-linked UNC6148 campaign): hash unavailable; Google Threat Intelligence Group (GTIG) provided a YARA detection rule.
Malicious library: libsamba-errors.so.6 (specific hash not publicly disclosed).
World Leaks exfiltration tooling: no public file hashes available for Storage Software.

IP Addresses:
193.149.180.50 (BitLaunch BLNWX VPS used for SSL VPN sessions in the UNC6148 campaign linked to a World Leaks victim)

Domains/URLs:
World Leaks main leak site: worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid[.]onion (TOR hidden service)
World Leaks negotiation portal: vw6vklsuotptwdbiwqfvd7y4b57wdbfm6ypxduzzgbt62snti6jm76yd[.]onion (TOR hidden service)
World Leaks Insider journalist platform: 3jguvp6xhyypdjgxhxweu4zklse66v3awjj2zljpftcjyeoimepnwtyd[.]onion (TOR hidden service)

File Paths (OVERSTEP rootkit indicators, World Leaks-linked UNC6148 campaign):
/cf/libsamba-errors.so.6 (staging location)
/usr/lib/libsamba-errors.so.6 (final deployment)
/etc/ld.so.preload (persistence configuration; abnormally enlarged from the normal 2 bytes)
/cf/firmware/current/INITRD.GZ (modified boot files)
/tmp/temp.db (exfiltrated credential database)
/etc/EasyAccess/var/conf/persist.db (exfiltrated credential database)
/usr/src/EasyAccess/www/htdocs/ (TAR archive placement for attacker download)

File Extensions:
World Leaks data-only extortion produces no encrypted file markers.
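The Persistence section and the File Paths indicators above describe the OVERSTEP footprint on a compromised SonicWall SMA 100 appliance: an enlarged /etc/ld.so.preload pointing at libsamba-errors.so.6, the staged and deployed library copies, and TAR archives dropped under the web root. The following host triage script is an added example (not from the page's author or from GTIG) that checks an appliance filesystem, or an offline-mounted image, for exactly those artifacts; the sample directory tree it builds is constructed for demonstration.

```python
"""Host triage for the OVERSTEP rootkit indicators this profile lists.
Added example; paths and the 2-byte baseline come from the page's IOC table."""
import os
import tempfile

LD_PRELOAD_NORMAL_SIZE = 2                  # page: normal /etc/ld.so.preload is 2 bytes
MALICIOUS_LIB = "libsamba-errors.so.6"
INDICATOR_PATHS = ("cf/libsamba-errors.so.6",       # staging location
                   "usr/lib/libsamba-errors.so.6",  # final deployment
                   "tmp/temp.db")                   # copied credential database
WEB_ROOT = "usr/src/EasyAccess/www/htdocs"  # where TAR archives were staged
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz")


def check_overstep(root="/"):
    """Return human-readable findings for the filesystem rooted at `root`; [] means no hit."""
    findings = []
    preload = os.path.join(root, "etc/ld.so.preload")
    if os.path.isfile(preload):
        size = os.path.getsize(preload)
        if size > LD_PRELOAD_NORMAL_SIZE:
            findings.append(f"/etc/ld.so.preload enlarged to {size} bytes")
        with open(preload, "rb") as fh:
            if MALICIOUS_LIB.encode() in fh.read():
                findings.append(f"/etc/ld.so.preload references {MALICIOUS_LIB}")
    for rel in INDICATOR_PATHS:
        if os.path.exists(os.path.join(root, rel)):
            findings.append(f"indicator path present: /{rel}")
    web_root = os.path.join(root, WEB_ROOT)
    if os.path.isdir(web_root):
        for name in sorted(os.listdir(web_root)):
            if name.endswith(ARCHIVE_SUFFIXES):
                findings.append(f"archive staged in web root: /{WEB_ROOT}/{name}")
    return findings


def build_sample_root():
    """Constructed sample tree imitating a compromised appliance (not a real capture)."""
    root = tempfile.mkdtemp(prefix="sma_sample_")
    samples = {"etc/ld.so.preload": b"/usr/lib/libsamba-errors.so.6\n",
               "usr/lib/libsamba-errors.so.6": b"\x7fELF placeholder bytes",
               WEB_ROOT + "/export.tar": b"placeholder, not a real archive"}
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Run `check_overstep("/")` on a live appliance shell, or point `root` at a mounted image; the sample tree is only there to show what a positive result looks like.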

Exploits and Vulnerabilities

Apache HTTP Server Path Traversal (CVE-2024-38475; CVSS: N/A): Unauthenticated path traversal allowing exfiltration of the SQLite database containing credentials and OTP seed values on SonicWall SMA; associated with the UNC6148 campaign.

SonicWall SMA 100 Remote Code Execution (CVE-2021-20038; CVSS: 9.8, Critical): Unauthenticated remote code execution via memory corruption in end-of-life SonicWall devices; exploitation may require 200,000+ HTTP requests; OVERSTEP rootkit deployment observed in the UNC6148 campaign.

SonicWall SMA Authenticated RCE (CVE-2021-20035; CVSS: 7.2, High): Authenticated remote code execution via command injection in /cgi-bin/sitecustomization; associated with the UNC6148 campaign.

SonicWall SMA Authenticated RCE (CVE-2021-20039; CVSS: 7.2, High): Authenticated remote code execution via command injection in /cgi-bin/viewcert; previously used in various ransomware intrusions.

SonicWall Credential Reset (CVE-2025-32819; CVSS: N/A): Authenticated file deletion reverting the built-in admin credentials to the default "password".

Additional Attack Vectors: Compromised VPN credentials in environments lacking multi-factor authentication (primary World Leaks attack vector per incident response analysis); credential harvesting from infostealer malware logs; targeted phishing campaigns; RDP brute-forcing; exploitation of misconfigured remote access infrastructure.

OVERSTEP Rootkit YARA Detection Rule: Google Threat Intelligence Group provided a detection signature for the OVERSTEP backdoor used in the UNC6148 campaign targeting SonicWall SMA devices. Victims appearing on the World Leaks leak site following UNC6148 compromises suggest a connection, though temporal correlation rather than definitive technical attribution establishes this link.