Hunters International

Threat Actor profile, updated 2024-10-21T09:01:58.915Z
Hunters International has been active since October 2023 and is a significant ransomware threat. Its encryptor is built on the code of the Hive ransomware, whose operation was dismantled by international law enforcement in January 2023; the group disputes being a rebrand of Hive and says it purchased Hive's source code. Hunters International has been linked to Russia and targets opportunistically, without prioritising any particular sector or region.

Its operations follow the double-extortion pattern: data is exfiltrated from the victim before files are encrypted, encrypted files are renamed with the .locked extension, and a README ransom note directs the victim to a chat portal on the Tor network for payment instructions. In one notable case the group claimed responsibility for leaking terabytes of sensitive data, including HR records, financial documents, personal employee information, and even specific case information and operational data from the FBI. It has also posted 386 GB of data that includes files on gangs.

Researchers at Quorum Cyber have identified a Remote Access Trojan (RAT) attributed to Hunters International, dubbed SharpRhino. SharpRhino establishes persistence and remote control over targeted systems as the foothold for subsequent ransomware deployment for financial gain. Its installer modifies registry keys and creates directories that support more than one channel to Hunters International's command-and-control (C2) infrastructure, so the operators retain access if one channel is lost. SharpRhino marks a step up in the group's tooling and sophistication.
Description last updated: 2024-10-21T08:32:27.672Z
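The encrypt-then-note behaviour described above (mass renames to .locked from one process, followed by a README drop) is enough to build a simple host-side detection. The Python below is an added example written for this page; it is not Quorum Cyber's or any vendor's detection logic. The event format (ts|pid|proc|op|path), the sample lines, the process names and PIDs are all constructed, and the 60-second window and 10-rename threshold are assumptions to tune per environment.

```python
"""Host-side detection for the encrypt-then-note pattern described above.

Added example for this page, not Quorum Cyber's or any vendor's logic. The
log format (ts|pid|proc|op|path) and the sample lines are constructed; the
window and threshold are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

LOCKED_EXT = ".locked"          # extension the page attributes to Hunters International
NOTE_PREFIX = "readme"          # ransom-note file name prefix from the page
WINDOW = timedelta(seconds=60)  # assumption: sliding window per process
THRESHOLD = 10                  # assumption: .locked renames within WINDOW to alert

# Caveat: .locked is used by many ransomware families, so the extension alone
# is a weak indicator; the burst of renames from one process carries the signal.

SAMPLE_LOG = r"""
# constructed sample, not real telemetry: ts|pid|proc|op|path
2024-10-20T09:00:01|1180|backup.exe|rename|D:\share\q3.xlsx.locked
2024-10-20T09:00:45|1180|backup.exe|rename|D:\share\q2.xlsx.locked
2024-10-20T09:01:40|1180|backup.exe|rename|D:\share\q1.xlsx.locked
2024-10-20T10:15:00|4242|updater.exe|rename|C:\Users\alice\Documents\budget.docx.locked
2024-10-20T10:15:01|4242|updater.exe|rename|C:\Users\alice\Documents\payroll.xlsx.locked
2024-10-20T10:15:02|4242|updater.exe|rename|C:\Users\alice\Documents\contract.pdf.locked
2024-10-20T10:15:03|4242|updater.exe|rename|C:\Users\alice\Documents\notes.txt.locked
2024-10-20T10:15:04|4242|updater.exe|rename|C:\Users\alice\Documents\plan.pptx.locked
2024-10-20T10:15:05|4242|updater.exe|rename|C:\Users\alice\Pictures\img1.jpg.locked
2024-10-20T10:15:06|4242|updater.exe|rename|C:\Users\alice\Pictures\img2.jpg.locked
2024-10-20T10:15:07|4242|updater.exe|rename|C:\Users\alice\Pictures\img3.jpg.locked
2024-10-20T10:15:08|4242|updater.exe|rename|C:\Users\alice\Desktop\todo.docx.locked
2024-10-20T10:15:09|4242|updater.exe|rename|C:\Users\alice\Desktop\taxes.xlsx.locked
2024-10-20T10:15:10|4242|updater.exe|rename|C:\Users\alice\Desktop\cv.docx.locked
2024-10-20T10:15:11|4242|updater.exe|rename|C:\Users\alice\Desktop\old.zip.locked
2024-10-20T10:15:12|4242|updater.exe|create|C:\Users\alice\Desktop\README.txt
"""


@dataclass
class Event:
    ts: datetime
    pid: int
    proc: str
    op: str
    path: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed 'ts|pid|proc|op|path' lines, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, proc, op, path = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), int(pid), proc, op, path))
    return events


def detect(events: list[Event]) -> dict[int, dict]:
    """Return per-PID findings for processes that mass-rename files to .locked.

    A process that crosses THRESHOLD renames inside WINDOW is 'medium'; if the
    same process also creates a README* file it is raised to 'high'.
    """
    windows: dict[int, deque] = defaultdict(deque)
    findings: dict[int, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        name = PureWindowsPath(ev.path).name.lower()
        f = findings.setdefault(ev.pid, {"proc": ev.proc, "locked_renames": 0,
                                         "readme_dropped": False, "mass_rename": False})
        if ev.op == "rename" and name.endswith(LOCKED_EXT):
            f["locked_renames"] += 1
            q = windows[ev.pid]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW:   # evict renames older than WINDOW
                q.popleft()
            if len(q) >= THRESHOLD:
                f["mass_rename"] = True
        elif ev.op == "create" and name.startswith(NOTE_PREFIX):
            f["readme_dropped"] = True

    alerts = {}
    for pid, f in findings.items():
        if not f["mass_rename"]:
            continue                               # slow benign renames never alert
        severity = "high" if f["readme_dropped"] else "medium"
        alerts[pid] = {**f, "severity": severity}
    return alerts


if __name__ == "__main__":
    for pid, a in detect(parse_events(SAMPLE_LOG)).items():
        print(f"pid {pid} ({a['proc']}): {a['locked_renames']} .locked renames, "
              f"README dropped={a['readme_dropped']}, severity={a['severity']}")
```

The backup job that renames three files over two minutes never crosses the threshold and stays silent; the process that renames twelve files in twelve seconds and then writes README.txt is reported as high severity. In production the rename and create events would come from an EDR or Sysmon feed rather than the constructed string, and the note-name check should be widened to whatever note names your threat intel lists.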
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following names may refer to the same activity as Hunters International.
Hive (5 votes): Hive is a possible alias for Hunters International. Hive is ransomware designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostage…
Hive Ransomware (4 votes): Hive Ransomware is a possible alias for Hunters International. Hive ransomware, a prominent threat actor active in 2022, was known for widespread malicious activity in numerous countries, including the US, until the operation was dismantled by law enforcement in January 2023. Note that SharpRhino, the RAT that establishes persistence and provides remote access to the attackers, is attributed to Hunters International rather than to Hive…
Blackmatter (2 votes): BlackMatter is a possible alias for Hunters International. BlackMatter is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. However…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Ransomware, Malware, Source, Ransom
Associated Malware
Hunters (association type: Unspecified, 2 votes): The Hunters Malware is associated with Hunters International. The linked description, however, concerns "malware hunters" (bug hunters) who identified 58 unique zero-day vulnerabilities at the Pwn2Own Toronto event in 2023; this is a name collision, not a malware family…
Lockbit (association type: Unspecified, 2 votes): The Lockbit Malware is associated with Hunters International. LockBit is malware known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit…
Conti (association type: Unspecified, 2 votes): The Conti Malware is associated with Hunters International. Conti is ransomware that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra…
Sharprhino (association type: Unspecified, 2 votes): The Sharprhino Malware is associated with Hunters International. SharpRhino is a new malware employed by Hunters International, a group linked to Russia, with the primary purpose of infiltrating targeted infrastructure and establishing persistence. The malware disguises itself as the open-source network-administration tool Angry IP Scanner, using typosquatting d…
Associated Threat Actors
Bl00dy (association type: Unspecified, 2 votes): The Bl00dy Threat Actor is associated with Hunters International. Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, has recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i…
Source Document References
Information about the Hunters International Threat Actor was read from 20 documents published by the following sources over the year preceding the 2024-10-21 profile update: Securityaffairs, Checkpoint, Malwarebytes, DARKReading, CERT-EU, InfoSecurity-magazine, BankInfoSecurity, Unit42.