{
	"id": "fff3688d-e5b9-4069-9c1a-da0c4c30fc96",
	"created_at": "2026-04-06T00:07:16.252048Z",
	"updated_at": "2026-04-10T13:11:43.43738Z",
	"deleted_at": null,
	"sha1_hash": "931b46eba461610891ce2293b534fc8480b4adb8",
	"title": "CrazyHunter Campaign Targets Taiwanese Critical Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1201797,
	"plain_text": "CrazyHunter Campaign Targets Taiwanese Critical Sectors\r\nBy Maristel Policarpio, Sarah Pearl Camiling, Jacob Santos, Cj Arsley Mateo, Ieriz Nicolle Gonzalez\r\nPublished: 2025-04-16 · Archived: 2026-04-05 23:50:21 UTC\r\nRansomware\r\nThis blog entry details research on the emerging ransomware group CrazyHunter, which has launched a sophisticated\r\ncampaign aimed at Taiwan's essential services.\r\nBy: Maristel Policarpio, Sarah Pearl Camiling, Jacob Santos, Cj Arsley Mateo, Ieriz Nicolle Gonzalez Apr 16,\r\n2025 Read time: 8 min (2087 words)\r\nKey takeaways\r\nCrazyHunter has established itself as a significant ransomware threat, specifically targeting Taiwanese\r\norganizations, predominantly in the healthcare, education, and industrial sectors. Attacks on these critical\r\nsectors could disrupt the delivery of essential services.\r\nCrazyHunter employs sophisticated techniques, notably the Bring Your Own Vulnerable Driver (BYOVD)\r\nmethod, which allows it to circumvent security measures effectively.\r\nThe group broadened its toolkit by integrating open-source tools from GitHub, such as the Prince\r\nRansomware Builder and ZammoCide, to further enhance its operational capabilities.\r\nApproximately 80% of CrazyHunter's toolkit consists of open-source tools. It is important to monitor and\r\nsecure these resources to prevent their adaptation for malicious use.\r\nTrend Vision One™ detects and blocks the malicious components used in the CrazyHunter campaign.\r\nTrend Vision One customers can also access hunting queries, threat insights, and intelligence reports to\r\ngain rich context on the latest CrazyHunter IoCs. For additional best practices, see the security\r\nrecommendations provided below.\r\nCrazyHunter has quickly emerged as a serious ransomware threat. The group made its introduction in the past\r\nmonth with the opening of its data leak site, where it posted ten victims – all located in Taiwan. 
We have\r\nfollowed some of their operations through internal monitoring since the start of January and have witnessed a\r\nclear pattern of specifically targeting organizations in Taiwan. The victims of the group consist mainly of\r\nhospitals and medical centers, educational institutions and universities, manufacturing companies, and industrial\r\norganizations, which reflects a targeted focus on organizations with valuable data and sensitive operations.\r\nThis report introduces the tactics, techniques, and procedures (TTPs) utilized by CrazyHunter. It highlights the use\r\nof Bring Your Own Vulnerable Driver (BYOVD) and open-source tools from the GitHub platform, like the Prince\r\nransomware builder. Recent findings indicate CrazyHunter's toolset expansion, modification of the tools it initially\r\nused, and improved capability.\r\nhttps://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html\r\nPage 1 of 10\n\nDuring hunting in our internal telemetry, we encountered malicious artifacts that contain the following interesting\r\nitems: a hack tool taking advantage of Group Policy Object (GPO) policies, a vulnerable-driver exploit in the\r\nform of a process killer, and a few executable files compiled with the Go programming language.\r\nKey findings on CrazyHunter’s campaigns\r\nThe addition of the Prince ransomware builder to their toolkit is especially concerning. This tool is readily\r\naccessible from GitHub and further lowers the barrier to entry for cybercriminals by providing a user-friendly\r\nmeans to create ransomware variants. The group's BYOVD technique for evading security products shows how advanced its methods are.\r\nModified versions of newly shared utilities such as SharpGPOAbuse, better AV/EDR-killing capabilities, and Go-compiled\r\nexecutables have made CrazyHunter's operations increasingly capable.\r\nCrazyHunter’s emergence presents a significant threat to critical sectors in Taiwan, particularly\r\nhealthcare and education. 
Disruptions in these areas could affect the delivery of essential services.\r\nDuring our investigation, we identified three main points of interest:\r\nUse of open-source software found on GitHub.\r\nAn enhanced toolkit and tools for implementation.\r\nAttacks focusing mainly on Taiwan.\r\nOur research discovered that the attackers strategically and deliberately targeted Taiwan, which indicates a\r\ncampaign specifically against the region. They used open-source tools from GitHub and expanded their range of\r\ntools and methods to increase the sophistication of their operations.\r\nThe use of open-source tools from GitHub\r\nAround 80% of CrazyHunter's toolset consists of open-source tools from GitHub. Our observations suggest that\r\nthey modify this freely available source code to fit their specific needs and significantly enhance their\r\ncapabilities.\r\nWe’ve identified three open-source tools that came from GitHub, each serving a distinct purpose:\r\nDefense Evasion\r\nThe group uses a tailored variant of an open-source process killer tool called ZammoCide and\r\nadapts it to be an AV/EDR killer capable of terminating processes belonging to EDR products through a BYOVD\r\napproach that takes advantage of the vulnerable driver zam64.sys.\r\nBased on our internal telemetry, we observed that the group attempted to use modified versions of these tools in its\r\nattacks. We have numbered these versions according to their respective improvements and modifications. You may\r\nview the full details here.\r\nUpon execution, it looks for the vulnerable Zemana Anti-Malware driver (zam64.sys) in its default folder to\r\nexploit the driver's ability to terminate high-privileged processes. It then creates and starts a service called \"ZammOcide,\"\r\nwhich loads the driver and exposes a device object at \\\\.\\ZemanaAntiMalware. 
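The service install, driver load and device object just described are the observable footprint of the BYOVD step, and the Go-based file.exe monitor and file server covered later in this entry leaves a similar footprint in process command lines. The Python below is an added example written for this page, not code from Trend Micro or from the CrazyHunter toolkit: it runs three hunting rules over a handful of constructed telemetry records. The eventSubId value 402 and the objectRegistryKeyHandle and objectRegistryData field names are taken from the Trend Vision One search query quoted at the end of the entry; eventType, objectFilePath, processCmd and the sample records themselves are assumptions made for the example. It generalizes the published query in one respect: it matches on the zam64.sys file name rather than on the ZammOcide service name, since the service name is the attacker's to choose while the driver file is fixed by the exploit.

```python
# Values from the entry: eventSubId of the registry write in the published
# hunting query, the abused driver, the device object it exposes, and the
# two -func modes of file.exe (Table 1).
REGISTRY_VALUE_SET = 402
VULNERABLE_DRIVER = 'zam64.sys'
DEVICE_OBJECT = 'ZemanaAntiMalware'
FILE_EXE_MODES = {'monitor', 'fileserver'}


def leaf(path):
    # Last path component; chr(92) is the backslash, so either separator works.
    return path.replace('/', chr(92)).rsplit(chr(92), 1)[-1]


def rule_byovd_service(ev):
    # Any service whose ImagePath points at zam64.sys, whatever it is named:
    # ZammOcide is the attacker's choice, the driver file is fixed by the exploit.
    if ev.get('eventSubId') != REGISTRY_VALUE_SET:
        return None
    if ev.get('objectRegistryValue', '').lower() != 'imagepath':
        return None
    image = ev.get('objectRegistryData', '')
    if leaf(image).lower() != VULNERABLE_DRIVER:
        return None
    service = leaf(ev.get('objectRegistryKeyHandle', ''))
    return 'byovd_service_install', 'service %s loads %s' % (service, image)


def rule_device_open(ev):
    # A user-mode process opening the device object is the IOCTL channel the
    # killer uses. eventType/objectFilePath are assumed names, not the entry's.
    if ev.get('eventType') != 'file_open':
        return None
    if leaf(ev.get('objectFilePath', '')) != DEVICE_OBJECT:
        return None
    return 'byovd_device_open', '%s opened %s' % (ev.get('processName'), ev['objectFilePath'])


def parse_file_exe_args(cmdline):
    # Go-style flags from Table 1: -name value, -name=value, bare -white.
    opts = {'white': False, 'e': '.asp', 'd': '', 'func': '', 'port': 9999, 'f': '1.asp', 't': 1000}
    toks, i = cmdline.split(), 1          # toks[0] is the program path
    while i < len(toks):
        tok, i = toks[i], i + 1
        if not tok.startswith('-'):
            continue
        name, eq, val = tok.lstrip('-').partition('=')
        if not eq and name == 'white':
            val = 'true'                  # Go bool flags take no argument
        elif not eq and i < len(toks):
            val, i = toks[i], i + 1
        if name == 'white':
            opts[name] = val.lower() == 'true'
        elif name in ('port', 't'):
            opts[name] = int(val) if val.isdigit() else opts[name]
        elif name in opts:
            opts[name] = val
    return opts


def rule_file_exe(ev):
    # fileserver mode stages a directory over HTTP for pull-based exfiltration,
    # monitor mode watches web files for changes. processCmd is an assumed name.
    if ev.get('eventType') != 'process_create':
        return None
    toks = ev.get('processCmd', '').split()
    if not toks or leaf(toks[0]).lower() != 'file.exe':
        return None
    opts = parse_file_exe_args(ev['processCmd'])
    if opts['func'] not in FILE_EXE_MODES:
        return None
    return 'file_exe_' + opts['func'], 'dir=%s port=%d ext=%s' % (opts['d'], opts['port'], opts['e'])


RULES = (rule_byovd_service, rule_device_open, rule_file_exe)


def hunt(events):
    # One (event index, rule name, detail) triple per rule that fires.
    return [(idx, res[0], res[1]) for idx, ev in enumerate(events)
            for res in (rule(ev) for rule in RULES) if res is not None]


# Constructed sample telemetry for this example; none of these are real events.
SAMPLE_EVENTS = [
    {'eventSubId': 402, 'processName': 'go.exe',
     'objectRegistryKeyHandle': 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\ZammOcide',
     'objectRegistryValue': 'ImagePath', 'objectRegistryData': 'C:\\Windows\\Temp\\zam64.sys'},
    {'eventSubId': 402, 'processName': 'services.exe',
     'objectRegistryKeyHandle': 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\disk',
     'objectRegistryValue': 'ImagePath', 'objectRegistryData': 'System32\\drivers\\disk.sys'},
    {'eventType': 'file_open', 'processName': 'av-1m.exe', 'objectFilePath': '\\\\.\\ZemanaAntiMalware'},
    {'eventType': 'process_create',
     'processCmd': 'C:\\Windows\\Temp\\file.exe -func fileserver -port 8080 -d C:\\inetpub\\wwwroot'},
    {'eventType': 'process_create', 'processCmd': 'C:\\Windows\\Temp\\file.exe -white -e .php -func monitor'},
    {'eventType': 'process_create', 'processCmd': 'notepad.exe readme.txt'},
]
```

Calling hunt(SAMPLE_EVENTS) returns four hits: the ZammOcide service pointing at zam64.sys, av-1m.exe opening the ZemanaAntiMalware device, and file.exe in fileserver mode and in monitor mode; the disk.sys service and the notepad.exe launch stay quiet. A real deployment would feed the rules from the EDR's event stream instead of SAMPLE_EVENTS, and would also want a rule for the burst of security-product process terminations the entry describes, which needs a process list the entry does not enumerate.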
A user-mode process\r\ncommunicates with the driver via IOCTL codes, triggering a kernel-mode operation to forcefully terminate\r\nprocesses.\r\nThe program targets and terminates specific hardcoded process names, primarily associated with AV and EDR\r\nproducts, including processes from Microsoft Defender and Avira. While the disabler runs, it\r\ncontinuously terminates these processes, even if they respawn with different process IDs.\r\nPrivilege Escalation / Lateral Movement\r\nThe team makes use of SharpGPOAbuse to exploit Group Policy Objects (GPO). Taking\r\nadvantage of the edit rights the compromised user possesses on a GPO, they are in a position to compromise the objects\r\ncontrolled through the GPO and thereby deploy payloads, escalate privileges, and move laterally\r\nin the victim's network.\r\nImpact (Ransomware)\r\nThe attack is spearheaded by a variant of Prince ransomware, a Go-based bespoke ransomware.\r\nThe ransomware uses ChaCha20 and ECIES encryption to encrypt the files securely, and the attackers have\r\ncustomized it with the addition of the \".Hunter\" extension to the encrypted files. The ransomware drops a ransom note\r\nnamed \"Decryption Instructions.txt,\" modifies the victim's desktop wallpaper, and demands a ransom payment.\r\nThe lists below detail the extensions and directories whitelisted by the ransomware. These whitelisted items are\r\nexcluded from encryption, allowing critical system functions and specific applications to continue running. 
This\r\nkeeps the host bootable and the ransom note readable while the ransomware pursues its objectives.\r\nList of whitelisted extensions:\r\n.bat\r\n.com\r\n.dll\r\n.exe\r\n.inf\r\n.ini\r\n.lnk\r\n.msi\r\n.ps1\r\n.reg\r\n.scr\r\n.sys\r\n.vbs\r\nList of whitelisted directories:\r\n.dotnet\r\n.gradle\r\n.nuget\r\n.vscode\r\n\\\\system volume information\r\nappdata\r\nboot\r\nefi\r\nintel\r\nmicrosoft\r\nmsys64\r\nperflogs\r\nprogram files\r\nprogram files (x86)\r\nprogramdata\r\npublic\r\nsystem volume information\r\nsystem32\r\nwindows\r\nAn expanded toolset and methods of execution\r\nThe attackers have not only relied on open-source tools but have also broadened their toolset and methods of\r\nexecution. This indicates a strategic effort to enhance the complexity and effectiveness of their operations,\r\nensuring the success of their attacks.\r\nExecution\r\nThe group utilizes a batch script to execute multiple binaries, ultimately leading to the deployment of the\r\nransomware payload.\r\nThe script initiates a sequence to deploy ransomware while avoiding detection:\r\n1. Initial Execution:\r\nRun go2.exe and go.exe to exploit zam64.sys for disabling processes.\r\nLaunch go3.exe for ransomware deployment.\r\n2. Ensuring Anti-AV Measures:\r\nIf go.exe is not running, execute av-1m.exe (similar functionality to go2.exe and go.exe, but compiled in\r\nC++).\r\n3. 
Final Ransomware Deployment:\r\nTo evade detection, use bb.exe to load and execute crazyhunter.sys for ransomware deployment.\r\nIf crazyhunter.sys execution fails, launch the compiled EXE version of the ransomware for final\r\ndeployment.\r\nThese redundant measures ensure that ransomware deployment remains effective even if primary methods fail.\r\nFigure 6 illustrates the flowchart of the ransomware deployment process to visualize these events.\r\nPersistence / Exfiltration\r\nAnother Go-based program named \"file.exe\" is also used. It serves as a monitoring tool for changes in web-related files and as a file server for potential exfiltration. Its main function provides two operating modes:\r\n1. Monitor Mode - Periodically scans files with specific extensions\r\n2. File Server Mode - Runs a web server on a configurable port\r\nThe binary accepts several command-line flags:\r\nFlag    Type    Default       Description\r\n-white  bool    FALSE         Toggle between whitelist (true) and blacklist (false) mode\r\n-e      string  \".asp\"        File extensions to monitor (.asp, .php, .jsp)\r\n-d      string  Current path  Directory path to monitor or serve\r\n-func   string  \"\"            Function mode: \"monitor\" or \"fileserver\"\r\n-port   int     9999          Port number for file server mode\r\n-f      string  \"1.asp\"       Files to exclude from monitoring\r\n-t      int     1000          Time interval in milliseconds (1000 = 1 s)\r\nTable 1: Command-line parameters of file.exe with their descriptions\r\nAttacks focusing mainly on Taiwan\r\nThe geographical focus of these attacks has been predominantly on Taiwan, indicating a targeted campaign against\r\nthis specific region. Based on their leak site, the ten victims identified are from Taiwan. 
Our internal data also\r\nreveals that this group exclusively targets small and medium-sized businesses within Taiwan.\r\nWe also observed that the customized group contact email, payment[.]attack-tw1337@proton[.]me, prominently\r\ndisplayed on the ransom note, contains the \"tw\" designation. This suggests that the ransomware group specifically\r\ntargets Taiwanese entities.\r\nThe strategic use of open-source tools from GitHub significantly enhanced the group's capabilities for defense\r\nevasion, lateral movement, and impactful operations. By expanding their toolset and methods of execution, the\r\nattackers have demonstrated an evolution in their strategies along with their persistence. Their deliberate and\r\nfocused campaign stresses the growing threat they pose. This highlights the pressing need for strong cybersecurity\r\nmeasures to counteract the advanced techniques used by ransomware groups.\r\nSecurity recommendations\r\nRansomware is a growing threat, and enterprises must adopt a proactive approach to safeguard their operations.\r\nHere are general best practices, including specific guidelines to protect against threats leveraging Bring Your Own\r\nVulnerable Driver (BYOVD) techniques and open-source tools from platforms like GitHub:\r\nEnsure users only have access to the data and systems essential for their roles.\r\nRequire MFA for all user accounts, particularly for administrative access.\r\nEnsure that all operating systems, applications, and drivers are regularly updated and patched to eliminate\r\nknown vulnerabilities.\r\nPerform daily backups of critical data and systems to an isolated environment that ransomware cannot\r\nreach.\r\nPeriodically audit user permissions and revoke those that are no longer needed.\r\nUtilize endpoint protection software that specifically guards against BYOVD techniques by monitoring and\r\nblocking unauthorized driver 
installations.\r\nEnable the Microsoft vulnerable driver blocklist (enforced through HVCI or Smart App Control on current Windows\r\nbuilds) so that known-abusable drivers cannot be loaded even by an administrator.\r\nRegularly conduct training sessions to help employees recognize phishing attempts, suspicious links, and\r\nother common attack vectors.\r\nMaintain an inventory of all device drivers in use and regularly review them for any unauthorized\r\ninstallations or modifications.\r\nRegularly review the list of installed drivers and disable any that are not in use to minimize the potential\r\nattack surface.\r\nEnsure that only approved versions of drivers are allowed and that they are kept up to date.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber\r\nrisk exposure management, security operations, and robust layered protection. This comprehensive approach helps\r\nyou predict and prevent threats, accelerating proactive security outcomes across your digital estate. Backed by\r\ndecades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers\r\nproven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can\r\nbenchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you can\r\neliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for\r\ninnovation.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and\r\nThreat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to\r\nprepare for emerging threats by offering comprehensive information on threat actors, their malicious activities,\r\nand their techniques. 
By leveraging this intelligence, customers can take proactive steps to protect their\r\nenvironments, mitigate risks, and effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nCritical Threat: CrazyHunter Ransomware Leverages BYOVD Against Taiwan's Vital Services\r\nTrend Vision One Threat Insights App\r\nEmerging Threats: Critical Threat: CrazyHunter Ransomware Leverages BYOVD Against Taiwan's Vital\r\nServices\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nBYOVD Attack Using Zemana Anti-Malware (ZAM64) – Registry Modification Detected\r\neventSubId: 402 AND objectRegistryKeyHandle: ZammOcide AND objectRegistryData: zam64.sys\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement\r\nenabled.\r\nIndicators of Compromise (IoC)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html"
	],
	"report_names": [
		"crazyhunter-campaign.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/931b46eba461610891ce2293b534fc8480b4adb8.pdf",
		"text": "https://archive.orkl.eu/931b46eba461610891ce2293b534fc8480b4adb8.txt",
		"img": "https://archive.orkl.eu/931b46eba461610891ce2293b534fc8480b4adb8.jpg"
	}
}