Introduction
Hunters International is a ransomware group first identified in October 2023, believed to have taken over or rebranded from the now-defunct Hive ransomware operation. Shortly after its emergence, security researchers found significant code overlaps with Hive, suggesting that Hunters International either acquired Hive’s source code or involved former Hive developers. The group operates a double-extortion model—encrypting victim data and threatening to leak it on a Tor-based site. It has targeted organizations worldwide across healthcare, manufacturing, education, and government sectors. The ransomware is written in Rust, supports both Windows and Linux/ESXi environments, and appends extensions such as .locked to encrypted files. Initial access is typically obtained via compromised RDP credentials, phishing campaigns, or vulnerabilities in exposed systems.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.
Recent News
Latest articles from security news feeds mentioning this actor.
- Charter confirms data breach after ShinyHunters extortion threat BleepingComputer - 2026-05-26T