
CTI Roundup: Email Attacks, Hunters International, and New Ransomware Data

New attack combines credential phishing and malware, Hunters International pivots to data extortion, and ransomware remains a top threat

Emerging Issue

This week, Tanium’s CTI team looks at a new attack that combines credential phishing and malware delivery. Next, it provides an update on Hunters International, a defunct ransomware-as-a-service (RaaS) operation rebranding to focus exclusively on data extortion. Finally, the team summarizes the latest ransomware data from the first quarter of 2025.

New attack combines credential phishing and malware

Cofense recently identified an attack that combines credential phishing and malware delivery.

The email in this attack uses file deletion as a lure. The message originates from the file-sharing site “files[.]fm” and a legitimate email address. If the victim clicks on the link in the email, they will be redirected to a legitimate “files[.]fm” URL. From here, the victim has the option to download a PDF.


If the victim chooses to open the file, they will trigger a phishing and malware attack. The file will appear to contain harmless content and ask the victim to preview or download another file. An attack will execute regardless of whether the user chooses to preview or download the item.

How does credential and malware phishing work?

  • If the victim clicks the “preview” option, they will be redirected to the traditional spoofed Microsoft 365 login page. This page seeks to steal credentials.
  • If the victim selects “download,” an executable file will be loaded onto the device. Cofense found that the downloaded file is named to mislead the victim into thinking it is a OneDrive installer. This attack leads to the installation of ConnectWise RAT.
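An added triage example (not code from Cofense or Tanium) for the "download" branch above: it scans constructed EDR-style download events and flags executables that imitate the OneDrive installer without Microsoft's signature, adding context when the file came from the file-sharing host named in the article. The event field names and the "signer" attribute are assumptions about a generic endpoint schema.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

FILE_SHARING_HOSTS = {"files.fm"}                     # service abused in the reported campaign
EXECUTABLE_EXTS = {".exe", ".msi", ".scr"}            # installer-like extensions worth a look
IMPERSONATED = {"onedrive": "Microsoft Corporation"}  # product name -> expected code signer

@dataclass
class Finding:
    endpoint: str
    file_name: str
    reason: str

def triage(event: dict) -> Optional[Finding]:
    """Return a Finding when a download matches the lure pattern, else None."""
    name = event["file_name"].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in EXECUTABLE_EXTS:
        return None                                   # the PDF stage itself is not flagged here
    host = (urlparse(event["url"]).hostname or "").lower()
    signer = event.get("signer")                      # assumed field: Authenticode publisher
    reasons = []
    for product, expected in IMPERSONATED.items():
        if product in name and signer != expected:
            reasons.append(f"named like {product} but signer is {signer or 'none'}")
    if host in FILE_SHARING_HOSTS:
        reasons.append(f"executable fetched from file-sharing host {host}")
    return Finding(event["endpoint"], event["file_name"], "; ".join(reasons)) if reasons else None

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"endpoint": "WS-017", "url": "https://files.fm/u/abc123/OneDriveSetup.exe",
     "file_name": "OneDriveSetup.exe", "signer": None},
    {"endpoint": "WS-042", "url": "https://files.fm/u/def456/Shared_Document.pdf",
     "file_name": "Shared_Document.pdf", "signer": None},
    {"endpoint": "WS-055", "url": "https://files.fm/u/ghi789/update.exe",
     "file_name": "update.exe", "signer": "Example Corp"},
    {"endpoint": "WS-099", "url": "https://intranet.example/OneDriveSetup.exe",
     "file_name": "OneDriveSetup.exe", "signer": "Microsoft Corporation"},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Triage every event and keep only the findings (WS-017 and WS-055 for the samples)."""
    return [f for e in events if (f := triage(e)) is not None]

if __name__ == "__main__":
    for f in run():
        print(f"{f.endpoint}: {f.file_name} -> {f.reason}")
```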

Analyst comments from Tanium’s Cyber Threat Intelligence team

This campaign tries to exploit things that many employees are trained to look for, as the option to preview the file is also malicious.

The report from Cofense highlights a combination of techniques and the dangers of online file-sharing services, reiterating the importance of following your organization’s guidance for sharing files.

Hunters International pivots to data extortion

The defunct ransomware-as-a-service group known as Hunters International is rebranding its operation to focus solely on data extortion.

Researchers at Group-IB revealed that the group has remained active since it announced its shutdown late last year, focusing on its new extortion-only operation called “World Leaks.”

Who is Hunters International?

The Hunters International RaaS operation was first discovered in October 2023 and historically carried out double extortion attacks.

The group overlaps with the Hive ransomware group, leading some researchers to believe that Hunters International is a rebrand of Hive, though the operator claims to have just purchased the source code from Hive.

Hunters International targets several countries, but North America has the highest concentration of victims. Its top targeted industries include real estate, healthcare, and professional services.

The important role of the affiliate panel

Group-IB notes that the administrator is very business-focused, as seen in the operation’s affiliate panel. Hunters International affiliates can customize the ransomware using a web interface and manipulate certain pieces of it via command-line parameters.

The affiliate panel also has sections found in some other operations' panels, such as news, payments, companies, and disclosure sections. When an affiliate logs into the panel, they can register their target of choice and set the ransom payment amount.

The news section of the panel gave Group-IB a lot of insight into the operation. This section included details about offered services, updates to the operation, bug fixes, and so on.

After registering the target, the actor can download the ransomware itself; Group-IB shares which platforms it is compatible with. The latest variant of the ransomware does not drop ransom notes or append extensions to files.

The affiliate also receives access to “Storage Software,” a tool developed by Hunters International for multiple operating systems and architectures. It was created to automate data exfiltration and enable the actor to share information and make disclosures without uploading the data anywhere else, keeping it on Hunters International’s server.


Hunters International’s termination and rebrand

In November 2024, the group posted a note in the news section of the panel announcing a plan to close the project, as it had become risky and unprofitable. Despite this note, Group-IB found that the group is still active and released a new project at the start of 2025 called World Leaks.

World Leaks does not carry out double-extortion attacks; it focuses solely on data extortion. According to Group-IB, the operation claims to give affiliates an exfiltration tool that is fully undetectable and similar to the Storage Software tool.

Shortly after the announcement of World Leaks, the operators put it on hold as they identified problems with the infrastructure. Based on the affiliate panel, Group-IB believes World Leaks will be active again, though no disclosures are on the data leak site just yet.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Hunters International isn’t the first group to pivot away from encryption to focus solely on data extortion. However, the list is short. It doesn’t seem that this is enough to consider an overall shift away from encryption, especially as encryption applies additional pressure to victims and may be more likely to end in a payout.

It’ll be interesting to see how many groups follow suit in the pivot from ransomware to pure extortion and how many continue to invest in and develop their encryption methods.

Group-IB has also shared technical details of Hunters International ransomware regarding how it targets different operating systems.

Ransomware remains a top threat

Rapid7’s latest report examines ransomware data for the first quarter of 2025, highlighting the need for businesses to continue to protect themselves proactively against ransomware.

The report covers several notable trends, including reinvested ransoms, repackaged offerings, restructured groups, and more.

Key Rapid7 ransomware report findings

According to Rapid7, 80 active ransomware groups existed during the first quarter of 2025, 16 of which were new as of the start of the year.

The top group by far was Cl0p. The quarter’s most targeted sectors included manufacturing, business services, and healthcare, while the most targeted countries were the U.S., Canada, and the U.K.

Reinvesting ransom payments

Rapid7 gathered insights from the Black Basta chat leaks back in February, concluding that ransomware groups are reinvesting ransom payments to purchase zero days.

As researchers looked through the chat logs, they found that the group was offered an Ivanti Connect Secure zero-day in 2023 for a price of $200,000. While there is no confirmation that the group actually made the purchase, and it doesn’t match the Ivanti Connect Secure CVEs that came shortly after, it does highlight the fact that actors may be purchasing zero-day exploits with the money made from ransoms.

This was further supported when Rapid7 found evidence that Black Basta purchased a Juniper firewall exploit.

Repackaging ransomware

Ransomware groups are also repurposing older strains. A notable example in 2025 so far is the alleged resurgence of Babuk, which was discovered to be merely code taken from RansomHub, FunkSec, and LockBit.

Restructuring ransomware groups

As we see every quarter, ransomware groups continue to restructure, with some groups phasing out, new groups appearing, and affiliates moving between groups.

As part of this, many ransomware groups also go through a rebranding process.

Ransomware groups to watch in 2025

Rapid7 recommends keeping an eye on the following groups based on its data from the first quarter of 2025:

  • RansomHub
  • Cl0p
  • Anubis
  • Lynx
  • Qilin

Analyst comments from Tanium’s Cyber Threat Intelligence team

Rapid7 nicely summarizes the current ransomware threat landscape, stating, “Business as usual, and business is booming.” Ransomware is keeping a steady tempo as newcomers continue to enter the landscape. All signs indicate the threat is here to stay.

Interestingly, Rapid7 notes that many groups are adopting the “if it ain’t broke, don’t fix it” mentality rather than continuously adjusting and introducing new threats. The report also highlights key actions organizations can take to ensure their safety.



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
