Hunters International

Threat Actor updated 17 days ago (2024-09-30T19:01:00.379Z)
Hunters International is a ransomware group believed to operate from Russia. It has become prominent in the threat landscape for its ransomware attacks and for SharpRhino, a Remote Access Trojan (RAT) it uses to gain persistence on, and control over, targeted systems. The group does not prioritise any particular sector or region; it selects victims opportunistically.

Hunters International states that it acquired the Hive ransomware code from Hive's original operators after that group disbanded following international law-enforcement action. Hunters International has been active since October 2023 and has since targeted more than a dozen organisations globally. Although the shared code base ties the two operations together, the group disputes being a rebranded Hive.

Operationally, Hunters International follows the double-extortion model: it exfiltrates data from the victim before encrypting files, appends the .locked extension to encrypted files, and leaves a README note directing the victim to a chat portal on the Tor network for payment instructions. The group has leaked terabytes of sensitive data, including HR records, financial documents, personal employee information, FBI documents, case information and operational data. In one instance it posted 386 GB of data that appeared to include files on gangs and other sensitive information.

Researchers at Quorum Cyber have tracked Hunters International closely and documented its tradecraft. SharpRhino establishes persistence by modifying the Windows registry and creating directories on disk, and it maintains multiple channels to the group's command-and-control (C2) infrastructure. This progression in tooling marks Hunters International as a significant threat in the cybercrime landscape.
Description last updated: 2024-09-30T18:15:41.622Z
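The on-disk artefacts the profile describes (files renamed with a .locked extension and a README note pointing to a Tor chat portal) are the first things a responder checks on a suspect file share. The script below is an added triage example, not code from this page, from Quorum Cyber or from any other vendor; the thresholds, the note-name pattern, the file names and the placeholder .onion address are assumptions, and the sample share it scans is constructed inline so it runs offline.

```python
"""Added triage example: flag directories with a mass .locked rename and README
notes that contain a Tor (.onion) URL. Thresholds and sample data are assumed."""
import os
import re
import tempfile
from pathlib import Path

LOCKED_EXT = ".locked"
# Tor v2 (16 chars) or v3 (56 chars) onion hostname inside an http(s) URL.
ONION_RE = re.compile(r"\bhttps?://[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
# The profile only says "README"; match any filename containing the word.
NOTE_NAME_RE = re.compile(r"readme", re.IGNORECASE)


def scan_tree(root, min_locked=5, min_ratio=0.5):
    """Return mass-rename hits and ransom notes found under root.

    A directory is a hit when at least min_locked of its files carry the
    .locked extension AND those files are at least min_ratio of the files
    there; requiring both avoids flagging a single stray lock file. A README
    only counts as a note when it contains an .onion URL, so ordinary project
    READMEs do not produce false positives.
    """
    root = Path(root)
    hit_dirs, notes = [], []
    locked_total = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        locked = [f for f in filenames if f.lower().endswith(LOCKED_EXT)]
        locked_total += len(locked)
        if filenames and len(locked) >= min_locked \
                and len(locked) / len(filenames) >= min_ratio:
            hit_dirs.append(rel_dir)
        for name in filenames:
            if NOTE_NAME_RE.search(name) and not name.lower().endswith(LOCKED_EXT):
                path = Path(dirpath) / name
                urls = ONION_RE.findall(path.read_text(errors="replace"))
                if urls:
                    notes.append({"path": path.relative_to(root).as_posix(),
                                  "onion_urls": urls})
    return {
        "locked_total": locked_total,
        "hit_dirs": sorted(hit_dirs),
        "notes": sorted(notes, key=lambda n: n["path"]),
        "encryption_event": bool(hit_dirs),
    }


def build_sample_tree():
    """Constructed sample share (not real victim data) in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="locked_demo_"))
    fake_onion = "http://" + "a" * 56 + ".onion/chat"  # placeholder, not a real site
    finance = root / "finance"  # six encrypted files plus the note
    finance.mkdir()
    for i in range(6):
        (finance / f"report_q{i}.xlsx{LOCKED_EXT}").write_bytes(b"\x00" * 64)
    (finance / "README.txt").write_text(
        "Your network has been encrypted. Contact us at " + fake_onion + "\n")
    src = root / "src"  # clean project directory with a benign README.md
    src.mkdir()
    (src / "main.py").write_text("print('hello')\n")
    (src / "README.md").write_text("Build docs, see https://example.com\n")
    scratch = root / "scratch"  # one stray .locked file: below min_locked, not a hit
    scratch.mkdir()
    (scratch / "notes.txt").write_text("todo\n")
    (scratch / f"old.bak{LOCKED_EXT}").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    for key, value in scan_tree(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Point scan_tree at a mounted share or a forensic image root; the per-directory ratio matters because ransomware encrypts whole trees, whereas a single .locked file is more likely an application lock or a partial run worth a separate look.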
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions vary between vendors, so the following names or profiles may overlap with this one and are worth reviewing alongside it.
Alias (votes): description

Hive (5): Hive is ransomware that was highly active in numerous countries, including the US. It typically infects systems through malicious downloads, emails or websites, disrupting operations and stealing personal information.

Hive Ransomware (4): Hive ransomware was a prominent operation active in 2022, known for widespread malicious activity in numerous countries, including the US. Note that SharpRhino, the RAT that establishes persistence and gives the attackers remote access, is attributed to Hunters International rather than to Hive itself; the overlap rests on Hunters International's use of the Hive code base.

Blackmatter (2): BlackMatter is a well-known ransomware actor. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which drew significant attention.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Ransomware, Malware, Source, Ransom
Associated Malware
Alias (association type, votes): description

Hunters (unspecified, 2): The linked description concerns "malware hunters", that is, bug hunters, the security researchers who search for vulnerabilities that malware could exploit; at Pwn2Own Toronto 2023 they earned a total of $1,038,250 for 58 unique zero-day vulnerabilities. This appears to be a name collision with the group rather than a tool it uses.

LockBit (unspecified, 2): LockBit is a notorious ransomware-as-a-service operation responsible for significant attacks worldwide. One of its most high-profile targets was Boeing, from which the LockBit gang claimed to have stolen data.

Conti (unspecified, 2): Conti is ransomware that infiltrates computer systems to steal data and disrupt operations. It often spreads through malicious downloads, emails or websites and, once inside, holds data hostage for ransom.

SharpRhino (unspecified, 2): SharpRhino is malware employed by Hunters International, a group linked to Russia, to infiltrate targeted infrastructure and establish persistence. It masquerades as the open-source network administration tool Angry IP Scanner and is delivered through a typosquatted domain.
Associated Threat Actors
Alias (association type, votes): description

Bl00dy (unspecified, 2): Bl00dy is a threat actor known for its malicious activity. Together with another actor, Black Basta, it was recently identified exploiting vulnerabilities in ConnectWise ScreenConnect, a widely used remote management tool.
Source Document References
Information about the Hunters International threat actor was drawn from the source documents listed below (display limited to 20 results).

Source (created):
Checkpoint (17 days ago)
Malwarebytes (2 months ago)
Securityaffairs (2 months ago)
DARKReading (2 months ago)
CERT-EU (10 months ago)
CERT-EU (9 months ago)
InfoSecurity-magazine (6 months ago)
BankInfoSecurity (6 months ago)
Checkpoint (6 months ago)
CERT-EU (7 months ago)
CERT-EU (7 months ago)
CERT-EU (8 months ago)
Unit42 (8 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
DARKReading (9 months ago)
CERT-EU (9 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)