{ "id": "4de6dcaa-eb77-4ad5-9f60-d0271817775e", "created_at": "2026-04-06T00:14:13.632671Z", "updated_at": "2026-04-10T03:29:38.077571Z", "deleted_at": null, "sha1_hash": "422b301707b187a497e78c0fc8e8bf0ead32ffc4", "title": "New Hunters International RAT identified by Quorum Cyber", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 30817, "plain_text": "New Hunters International RAT identified by Quorum Cyber\r\nArchived: 2026-04-05 19:48:25 UTC\r\nIntroduction\r\nDuring a recent ransomware incident investigated by the Quorum Cyber Incident Response team, a malware\r\nvariant linked to the ThunderShell malware family was identified. The incident was attributed to Hunters\r\nInternational, based on tactics, techniques, and procedures (TTPs) observed during the investigation, as well as\r\nidentification within the ransom note itself. It is highly likely that this is the first time Hunters International has\r\nbeen reported deploying this Remote Access Trojan (RAT), based on there being no indicators of previous use.\r\nThis malware, dubbed SharpRhino by Quorum Cyber, utilised by the threat actor as an initial infection vector and\r\nsubsequent RAT, represents an evolution in the tactics, techniques, and procedures (TTPs) of Hunters\r\nInternational, demonstrating the continuous advancement and adaption of capabilities by Ransomware-as-a-Service (RaaS) threat groups.\r\nThe malware, named SharpRhino due to its use of the C# programming language, is delivered through a\r\ntyposquatting domain impersonating the legitimate tool Angry IP Scanner. On execution, it establishes persistence\r\nand provides the attacker with remote access to the device, which is then utilised to progress the attack. Using\r\npreviously unseen techniques, the malware is able to obtain a high level of permission on the device in order to\r\nensure the attacker is able to further their targeting with minimal disruption.\r\nThis post outlines the Quorum Cyber Threat Intelligence team’s analysis of the malware and its capabilities,\r\nincluding a strategic outline of Hunters International as a prominent ransomware group. Also provided is a\r\nMITRE ATT\u0026CK mapping, as well as Indicators of Compromise (IoCs) related to SharpRhino and Hunters\r\nInternational.\r\nSource: https://www.quorumcyber.com/insights/sharprhino-new-hunters-international-rat-identified-by-quorum-cyber/\r\nhttps://www.quorumcyber.com/insights/sharprhino-new-hunters-international-rat-identified-by-quorum-cyber/\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.quorumcyber.com/insights/sharprhino-new-hunters-international-rat-identified-by-quorum-cyber/" ], "report_names": [ "sharprhino-new-hunters-international-rat-identified-by-quorum-cyber" ], "threat_actors": [ { "id": "eb01bdec-5c18-4479-b343-cf58076dacf1", "created_at": "2024-08-10T02:02:56.273673Z", "updated_at": "2026-04-10T02:00:03.773129Z", "deleted_at": null, "main_name": "GOLD CRESCENT", "aliases": [ "Hunters International", "World Leaks" ], "source_name": "Secureworks:GOLD CRESCENT", "tools": [ "Hunters International", "SharpRhino" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434453, "ts_updated_at": 1775791778, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/422b301707b187a497e78c0fc8e8bf0ead32ffc4.pdf", "text": "https://archive.orkl.eu/422b301707b187a497e78c0fc8e8bf0ead32ffc4.txt", "img": "https://archive.orkl.eu/422b301707b187a497e78c0fc8e8bf0ead32ffc4.jpg" } }