Hunters International Overlaps Hive Ransomware Attacking Windows, Linux, and ESXi Systems


Apr 4, 2025 - 07:56

A sophisticated ransomware operation known as Hunters International emerged in October 2023, with strong evidence suggesting connections to the formerly dismantled Hive ransomware group.

The initial attack was documented on October 13, 2023, when the group disclosed their first victim—an English company—on their data leak site.

Hunters International’s data leak site (Source – Group-IB)

Security researchers quickly identified similarities between the new ransomware and Hive’s code structure, suggesting that former Hive operators may have rebranded following law enforcement disruption earlier that year.

Hunters International demonstrates remarkable cross-platform capabilities, targeting Windows, Linux, FreeBSD, SunOS, and ESXi systems across x64, x86, and ARM architectures.

This versatility enables the threat actors to compromise diverse enterprise environments, with particular focus on real estate, healthcare, and professional services industries.

The attackers leverage a multi-stage approach, first exfiltrating sensitive data before deploying encryption payloads, establishing a powerful double extortion mechanism.

Group-IB researchers discovered that the operation provides affiliates with sophisticated tools, including the ransomware itself and a “Storage Software” utility designed to organize exfiltrated data.

Hunters International’s affiliate panel (Source – Group-IB)

Their analysis revealed striking technical overlaps with Hive’s ransomware, particularly in encryption methods and command-line functionalities.

The operation has evolved significantly over time, with version 6 (released August 2024) implementing a “quiet mode” that no longer renames encrypted files or drops ransom notes—a technique similarly adopted by LockBit 4.

This evolution reflects the operators’ recognition that traditional indicators of compromise reduce payment likelihood when detected by security teams or regulators.

Detection Evasion Techniques

Hunters International employs multiple evasion tactics to remain undetected during execution.

For Windows systems, the ransomware is distributed as both executable and DLL formats, with the latter enabling execution through legitimate Windows processes.

The attackers can deploy the malware through trusted binaries, for example:

regsvr32.exe /c /n /i:"[OPTIONS] [PATHS]..." encrypter_windows_x64.dll

The ransomware leaves the first 0x41 bytes of each file unencrypted and checks bytes 0x45-0x58 against a hardcoded value (‘A88830F163306FFE4E4C50EE730476D30C3CE4’) to determine whether a file has already been encrypted.

This selective encryption approach preserves file signatures, further complicating detection efforts. For ESXi environments, the operators provide specific instructions to disable security controls:

esxcli system settings advanced set -o /VMkernel/execInstalledOnly -i 0
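As an added defender-side example (not code from the article or from Group-IB), the following Python triage helper looks for the “already encrypted” marker described above at the stated offsets, which is useful when scoping which files on a host were already touched. It assumes the marker is stored as the raw 19 bytes of the published hex value at offsets 0x45 through 0x57 (the article’s 0x45-0x58 range read end-exclusive, which is exactly the length of that value); the sample files it scans are constructed.

```python
"""Triage helper: flag files carrying the Hunters International
'already encrypted' marker described in the article.

Added example, not from the article or from Group-IB. Assumption: the
marker is the raw 19 bytes of the published hex string, stored at file
offsets 0x45..0x57 (the article's 0x45-0x58 range read end-exclusive,
which matches the 19-byte length of the value); the first 0x41 bytes of
the file are the untouched original header."""
import os
import tempfile

MARKER = bytes.fromhex("A88830F163306FFE4E4C50EE730476D30C3CE4")
MARKER_OFFSET = 0x45  # start of the marker range given in the article


def has_marker(data: bytes) -> bool:
    """True if the marker sits at the expected offset in a file header."""
    end = MARKER_OFFSET + len(MARKER)
    return len(data) >= end and data[MARKER_OFFSET:end] == MARKER


def scan_tree(root: str) -> list:
    """Return sorted paths under root whose header carries the marker.
    Only the first 0x58 bytes of each file are read."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MARKER_OFFSET + len(MARKER))
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if has_marker(head):
                hits.append(path)
    return sorted(hits)


def make_sample(path: str, marked: bool) -> None:
    """Write a constructed sample: a fake PDF header (the part the
    ransomware leaves intact), then either the marker or filler bytes."""
    header = b"%PDF-1.7\n" + b"\x00" * (MARKER_OFFSET - 9)
    body = MARKER if marked else b"\xAA" * len(MARKER)
    with open(path, "wb") as fh:
        fh.write(header + body + b"\x11" * 64)


def demo() -> list:
    """Build two constructed samples and return the basenames flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(os.path.join(tmp, "report.pdf"), marked=True)
        make_sample(os.path.join(tmp, "clean.pdf"), marked=False)
        return [os.path.basename(p) for p in scan_tree(tmp)]


if __name__ == "__main__":
    print(demo())  # ['report.pdf']
```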

Ransomware groups rely on skilled operators to adapt their tactics, and Group-IB’s analysis shows how Hunters International’s strategy has shifted in response to global events.

Due to law enforcement crackdowns, attackers now target critical infrastructure, believing essential services will pay higher ransoms.

Ransomware payments are dropping while extortion-only payments rise, which shows that groups may shift to automated exfiltration-only attacks.


The post Hunters International Overlaps Hive Ransomware Attacking Windows, Linux, and ESXi Systems appeared first on Cyber Security News.