CrazyHunter
CrazyHunter is an emerging ransomware group and ransomware family first observed in mid-2024. It is described as a Go-based fork of Prince ransomware that primarily targets organizations in Taiwan, with repeated attacks against the healthcare sector, including hospitals. Reporting cited six compromised or targeted organizations in Taiwan.

The group commonly gains initial access by exploiting weaknesses in Active Directory environments, including weak domain passwords. It propagates laterally by abusing Group Policy Objects with SharpGPOAbuse, enabling rapid spread across enterprise networks. For privilege escalation and defense evasion, CrazyHunter uses a bring-your-own-vulnerable-driver technique with a modified Zemana anti-malware driver, zam64.sys, to terminate security products. Deployment has been reported to involve ru.bat, AV-killer components such as go.exe and go2.exe, the primary encryptor go3.exe, a Donut loader bb.exe with crazyhunter.sys shellcode, and a backup encryptor crazyhunter.exe.

CrazyHunter encrypts Windows systems using ChaCha20 with partial encryption, typically encrypting one byte and skipping the next two, and protects per-file keys and nonces with ECIES. Encrypted files are typically renamed with a .hunter extension.

The operators maintain a data leak site and conduct double extortion, threatening to publish stolen data if ransom demands are not paid. Their leak site reportedly includes a "Strategic Manifesto" and references "Premium Criminal Branding Services." Victim communications have been reported via email, Telegram, and a Tor onion site, with ransom demanded in cryptocurrency. A dual-use tool, file.exe, has also been associated with operations and assessed as supporting extortion through file-server or monitoring/deletion functionality.

Aliases directly mentioned in the content: crazyhunter.
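The intrusion chain above (GPO abuse tooling on a domain controller, the zam64.sys driver load, the named AV-killer and encryptor components, and the burst of renames to .hunter) maps onto a few host-telemetry detections. The following is an added example written for this profile, not code from the page or from any vendor: it runs simple rules over constructed, Sysmon-like key=value events. The log lines, host names and the key=value format are assumptions; the file and driver names are the ones reported in the profile. Because reporting shows both .hunter and .Hunter, the extension check is case-insensitive.

```python
"""Added example: rule-based triage of constructed Sysmon-like events for the
CrazyHunter chain described in the profile (not vendor or page code)."""
import re
from collections import defaultdict

# Indicators as named in the profile text (no hashes are given there, so none are used).
BYOVD_DRIVER = "zam64.sys"
TOOLING = {"ru.bat", "go.exe", "go2.exe", "go3.exe", "bb.exe", "crazyhunter.exe", "file.exe"}
GPO_ABUSE_TOOL = "sharpgpoabuse"
RANSOM_EXT = ".hunter"  # compared case-insensitively: both .hunter and .Hunter are reported

# Constructed sample telemetry in key=value form (assumed format, not real captures).
SAMPLE_LOG = """\
ts=2025-01-10T01:02:11Z host=DC01 event=ProcessCreate image=C:\\Tools\\SharpGPOAbuse.exe user=CORP\\svc_backup
ts=2025-01-10T01:05:40Z host=WS-07 event=ProcessCreate image=C:\\Windows\\Temp\\ru.bat user=SYSTEM
ts=2025-01-10T01:05:42Z host=WS-07 event=ProcessCreate image=C:\\Windows\\Temp\\go.exe user=SYSTEM
ts=2025-01-10T01:05:43Z host=WS-07 event=DriverLoad image=C:\\Windows\\Temp\\zam64.sys
ts=2025-01-10T01:06:01Z host=WS-07 event=ProcessCreate image=C:\\Windows\\Temp\\go3.exe user=SYSTEM
ts=2025-01-10T01:06:05Z host=WS-07 event=FileRename target=D:\\share\\q3.xlsx.hunter
ts=2025-01-10T01:06:05Z host=WS-07 event=FileRename target=D:\\share\\q4.xlsx.Hunter
ts=2025-01-10T01:06:06Z host=WS-07 event=FileRename target=D:\\share\\ledger.db.hunter
this line is not an event and must be skipped
ts=2025-01-10T01:07:00Z host=WS-03 event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe user=CORP\\alice
ts=2025-01-10T01:07:30Z host=WS-03 event=FileRename target=C:\\Users\\alice\\notes.txt.bak
ts=2025-01-10T01:08:00Z host=WS-03 event=DriverLoad image=C:\\Windows\\System32\\drivers\\tcpip.sys
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Parse one key=value event line; return None for lines that are not events."""
    fields = dict(KV.findall(line))
    return fields if "event" in fields and "host" in fields else None


def basename(path):
    """Lower-cased final path component; tolerates both path separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(log_text):
    """Return a sorted list of (host, rule, detail) alerts for the log text."""
    alerts = set()
    renames = defaultdict(int)  # per-host count of renames to the ransom extension
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        host, kind = ev["host"], ev["event"]
        if kind == "DriverLoad" and basename(ev.get("image", "")) == BYOVD_DRIVER:
            # BYOVD: the modified Zemana driver loading from a user-writable path
            alerts.add((host, "byovd_zemana_driver_load", BYOVD_DRIVER))
        elif kind == "ProcessCreate":
            name = basename(ev.get("image", ""))
            if name in TOOLING:
                alerts.add((host, "crazyhunter_component", name))
            if GPO_ABUSE_TOOL in name:
                alerts.add((host, "gpo_abuse_tool", name))
        elif kind == "FileRename" and ev.get("target", "").lower().endswith(RANSOM_EXT):
            renames[host] += 1
    for host, count in renames.items():
        alerts.add((host, "hunter_extension_rename", str(count)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_LOG):
        print(f"{host:6} {rule:28} {detail}")
```

The component and GPO-tool rules match on image names and will miss renamed binaries, so treat them as enrichment; the driver load from a temporary directory and the per-host rename count are the sturdier signals, and in production the rename rule would be keyed to a time window rather than the whole input.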
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Ransomware operation targeting healthcare organizations (notably hospitals) in Taiwan, using weak Active Directory passwords for initial access, SharpGPOAbuse to weaponize GPOs for rapid domain-wide spread, and BYOVD with a modified Zemana driver (zam64.sys) to terminate security tools; conducts double-extortion via a leak site and demands crypto ransoms.
Taiwan-focused ransomware operations using open-source tooling for defense evasion and AD abuse, and a customized Prince ransomware variant (.Hunter extension).
Emerging ransomware group listed as active in Q1 2025 targeting industrial sectors.
Ransomware operation noted for a Taiwan focus; associated with defense evasion tooling and Active Directory/GPO abuse tooling.