Hotarus

Also known as: Hotarus

Hotarus is a ransomware and data extortion group first observed in March 2021, believed to be linked to threat actors of Latin American origin. The group has targeted entities in South America and the United States, including financial institutions, government agencies, and private companies. Hotarus is known for deploying both custom ransomware and publicly available tools, alongside stealing sensitive information for double-extortion purposes. The group has been observed exploiting vulnerable web services, using stolen credentials, and leveraging publicly available post-exploitation frameworks to gain persistence in victim networks. Encrypted files are typically appended with extensions such as .hotarus or campaign-specific identifiers, and ransom notes direct victims to communicate via encrypted email services. Notably, in some campaigns, Hotarus deployed data leak threats without encrypting files, focusing solely on exposure as a pressure tactic.

Introduction

Hotarus is a ransomware and data extortion group first observed in March 2021, believed to be linked to threat actors of Latin American origin. The group has targeted entities in South America and the United States, including financial institutions, government agencies, and private companies. Hotarus is known for deploying both custom ransomware and publicly available tools, alongside stealing sensitive information for double-extortion purposes. The group has been observed exploiting vulnerable web services, using stolen credentials, and leveraging publicly available post-exploitation frameworks to gain persistence in victim networks. Encrypted files are typically appended with extensions such as .hotarus or campaign-specific identifiers, and ransom notes direct victims to communicate via encrypted email services. Notably, in some campaigns, Hotarus deployed data leak threats without encrypting files, focusing solely on exposure as a pressure tactic.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • UNITEDRAKE:
  • Xploit:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.