Threat Actor Profile
Hunters International
Hunters International, also referred to as "World Leaks" following their rebranding, is a ransomware group first observed in October 2023. This group initially operated as a Ransomware-as-a-Service (RaaS) entity before transitioning to an extortion-only model. Known for leveraging techniques such as phishing, social engineering, and data theft, they have targeted industries worldwide, exploiting vulnerabilities and threatening data leaks for financial gain.
Country of Origin
Hunters International is believed to have Russian origins, given the group’s use of Russian language and operations that align with other Russian-speaking threat actors.
Members
The exact composition and size of Hunters International’s affiliates remain unclear. The group operates through a RaaS model, meaning it recruits external affiliates to carry out attacks. This decentralized approach makes it difficult to determine the full range of their membership.
Leadership
There is no publicly available information about the individual leaders of Hunters International. However, they are widely thought to have acquired and adapted Hive ransomware code, which suggests some overlap in technical leadership or shared resources between the groups.
Hunters International TTPs
Tactics
The group primarily pursues financial gain through extortion, targeting a range of industries to maximize revenue. Their approach shifted from ransomware encryption and double-extortion tactics to a focus on data theft and leak threats under the "World Leaks" brand.
Techniques
They utilize phishing and social engineering to gain initial access to systems, occasionally exploiting vulnerabilities in public-facing infrastructure, such as VPNs or RDP servers. Custom tools like the SharpRhino RAT are deployed for persistence and data collection.
Procedures
Hunters International employs a variety of procedures, such as disguising malware in NSIS installers to look like legitimate tools (e.g., Angry IP Scanner) and exfiltrating data with tools like Rclone before publicly threatening to leak it.
Notable Cyberattacks
One significant operation involved the exploitation of Fortinet vulnerabilities to gain system access. Under the World Leaks brand, numerous exfiltrated data sets from global corporations were published, further highlighting their pivot to extortion rather than encryption.
Law Enforcement & Arrests
Following an announcement in July 2025, Hunters International claimed to have shut down operations and provided free decryption tools to victims. However, evidence suggests the group is still active under the new alias “World Leaks,” continuing extortion-based tactics globally.
How to Defend Against Hunters International
Patch known vulnerabilities, especially in public-facing systems (e.g., CVE-2024-55591 in FortiOS/FortiProxy).
Monitor network activity for tools like Rclone or abnormal use of file transfer utilities.
Watch for the SharpRhino RAT or related signatures masquerading as legitimate software.
Implement robust data backups and test recovery processes regularly.
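As an added illustration of the Rclone monitoring item above (not Huntress code), the following sketch checks process-creation events for Rclone-style transfers, including a copy of the binary running under another file name. It assumes Sysmon-style `Image` and `CommandLine` fields; the verb, flag and remote-spec heuristics and all sample events are constructed for this example.

```python
import re
import shlex
from pathlib import PureWindowsPath

TRANSFER_VERBS = {"copy", "copyto", "move", "moveto", "sync"}
RCLONE_FLAGS = {"--config", "--transfers", "--bwlimit", "--max-age",
                "--no-check-certificate", "--ignore-existing"}
# rclone remote spec "name:path"; 2+ chars before ':' skips drive letters, (?!//) skips URLs
REMOTE_SPEC = re.compile(r"^[A-Za-z0-9_-]{2,}:(?!//)[^\\]*$")
RCLONE_NAMES = {"rclone.exe", "rclone"}

def assess(event):
    """Return the reasons (empty list = nothing found) an event looks like Rclone."""
    image = PureWindowsPath(event["Image"]).name.lower()
    # posix=False keeps Windows backslashes intact; drop argv[0] and surrounding quotes
    args = [a.strip('"') for a in shlex.split(event["CommandLine"], posix=False)[1:]]
    flags = {a.split("=", 1)[0].lower() for a in args if a.startswith("--")}
    positional = [a for a in args if not a.startswith("-")]
    verb = next((a.lower() for a in positional if a.lower() in TRANSFER_VERBS), "")
    has_remote = any(REMOTE_SPEC.match(a) for a in positional)
    reasons = []
    if image in RCLONE_NAMES:
        reasons.append("rclone binary name")
    if verb and has_remote:
        reasons.append(f"transfer verb '{verb}' with remote target")
        if image not in RCLONE_NAMES:
            reasons.append("rclone-style command line under another binary name")
    # Flags such as --config are generic, so they only count as supporting evidence.
    if reasons and flags & RCLONE_FLAGS:
        reasons.append("rclone flags: " + ", ".join(sorted(flags & RCLONE_FLAGS)))
    return reasons

# Constructed sample events (not real telemetry): plain, renamed, and benign.
SAMPLES = [
    {"Image": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Shares mega:drop --transfers 16"},
    {"Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": r"svchost.exe --config C:\ProgramData\a.conf sync \\fs01\finance remote1:archive"},
    {"Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy.exe D:\Shares E:\Backup /MIR"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["Image"], "->", assess(ev) or "no rclone indicators")
```

Command-line heuristics like these are a starting point for triage and should be paired with egress monitoring, since arguments can also be supplied through a configuration file.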
Huntress services offer proactive detection and response strategies, helping identify risks early and mitigating potential exploitation by threat actors like Hunters International.