Threat Actor Profile

Donut Spider

Donut Spider is a financially motivated threat actor active since 2021. Known for Big Game Hunting campaigns, this group developed the HelloXD and D0nut ransomware families. They run a private Ransomware-as-a-Service (RaaS) operation under the D#nut Ransomware Team name, using advanced techniques to target high-value organizations across industries. The group employs the open-source Donut framework to generate shellcode and execute payloads stealthily.

Country of Origin

The origins of Donut Spider remain unknown. However, their activity across underground cybercriminal marketplaces suggests a global operational scope.

Members

The group is believed to consist of a small core team, relying on carefully vetted affiliates in their RaaS program. This affiliate model broadens their reach, allowing attacks across multiple regions and industries.

Leadership

The leadership structure of Donut Spider has not been identified. Due to their sophisticated operations and RaaS model, the group is likely led by individuals with advanced technical expertise.

Donut Spider TTPs

Tactics

Donut Spider pursues financial extortion through ransomware attacks targeting large organizations with significant digital assets. Known as Big Game Hunting, this tactic aims to extract large ransoms from victims.

Techniques

  • Custom Tools: Uses the Donut framework to generate shellcode for in-memory payload execution.

  • Ransomware Deployment: Develops and deploys HelloXD and D0nut ransomware families.

  • Double Extortion: Threatens to publish stolen data to coerce victims into paying the ransom.

  • Obfuscation: Generates encrypted and compressed code modules to evade detection.

  • Process Injection: Injects malicious shellcode into legitimate processes to avoid scrutiny.

  • Reflective Code Loading: Executes payloads directly in memory, bypassing traditional defense mechanisms.

Procedures

  • Gains initial access through phishing campaigns or compromised access credentials.

  • Moves laterally within victim networks to maximize impact before deployment.

  • Encrypts critical systems and data, delivering a disruptive ransom note demanding payment.

  • Utilizes in-memory payload execution to minimize detection risks.

Notable Cyberattacks

While specific operations remain classified or unreported, Donut Spider has been observed conducting widespread ransomware attacks using their proprietary HelloXD and D0nut ransomware families.

Law Enforcement & Arrests

There have been no documented arrests connected to Donut Spider. Given their sophisticated RaaS operations, coordinated international enforcement efforts are essential to disrupt their activities.

How to Defend Against Donut Spider

1. Enable multi-factor authentication for all accounts.

2. Perform frequent vulnerability assessments and update systems promptly.

3. Educate employees on phishing awareness to minimize initial access risks.

4. Use advanced endpoint detection and response (EDR) tools to track suspicious activity.

5. Regularly back up important data and develop comprehensive incident response plans.

Huntress solutions provide tailored tools to monitor and mitigate threats, enhance endpoint security, and reduce the likelihood of ransomware infiltrating your environment.
