xHunt
xHunt is a cyber-espionage threat actor first observed in July 2018, known for persistent, multi-year campaigns primarily targeting organizations in Kuwait, especially government, shipping, and transportation. The group uses a custom, evolving toolkit with many components named after characters from the anime “Hunter x Hunter,” and has been reported under the aliases SectorD01, Hive0081, Cobalt Katana, and Hunter Serpens.

xHunt’s initial access has included compromise of web-facing infrastructure (notably Microsoft Exchange and IIS) and credential-harvesting operations. A documented operation used a watering hole on a compromised Kuwaiti government website, injecting a hidden HTML reference (e.g., a visibility:hidden file:// URI pointing to an attacker-controlled SMB share) to trigger Windows authentication and passively capture visitors’ NTLMv2 hashes.

Post-compromise, xHunt deploys custom webshells and PowerShell backdoors, including the BumbleBee webshell for direct command execution and PowerShell backdoors such as TriFive and Snugy (described as a CASHY200 variant). Some implants use Exchange Web Services (EWS) for command-and-control by reading and writing commands and results as email drafts in mailbox folders such as Drafts or Deleted Items; TriFive is described as logging into a legitimate user mailbox with stolen credentials and retrieving a PowerShell payload stored as a draft.

The actor emphasizes persistence and stealth via scheduled tasks (often with execution-policy bypass), including task masquerading (e.g., tasks named to resemble legitimate Windows components and placed under trusted task paths). Credential theft techniques described include LSASS credential dumping (mimikatz sekurlsa::logonpasswords) and registry modification to enable WDigest plaintext credential storage (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, UseLogonCredential=1).

Lateral movement and internal access are supported via SSH tunneling (Plink) to reach internal services and interact with webshells. Operational security measures noted include use of VPN infrastructure (e.g., Private Internet Access) and frequent IP switching to hinder attribution and investigation.
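Two of the host artifacts described above, the WDigest UseLogonCredential registry change and scheduled tasks that launch PowerShell with an execution-policy bypass from a trusted task folder, can be flagged in endpoint telemetry. The following is an added example, not code from the original page or from any vendor tooling; it assumes Sysmon-style event fields (EventID 13 for registry value set, EventID 1 for process create) and runs over constructed sample events:

```python
import re

# Constructed Sysmon-style events for the demo (not real telemetry).
# EventID 13 = registry value set, EventID 1 = process create.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn \Microsoft\Windows\Maintenance\SvcHost /sc minute /mo 5 '
                    r'/tr "powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\Users\Public\s.ps1"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn NightlyBackup /sc daily /tr C:\Tools\backup.exe"},
]

WDIGEST_VALUE = re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I)
# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ep, -ex, -exec, ...).
EP_BYPASS = re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)
TASK_NAME = re.compile(r'/tn\s+("[^"]+"|\S+)', re.I)
TRUSTED_TASK_PATH = re.compile(r'^"?\\Microsoft\\Windows\\', re.I)

def wdigest_enabled(details: str) -> bool:
    """True when the written DWORD is non-zero; Sysmon renders it as 'DWORD (0x...)'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return bool(m) and int(m.group(1), 16) != 0

def classify(event: dict) -> list:
    """Return finding tags for one event; an empty list means nothing of interest."""
    tags = []
    if event.get("EventID") == 13 and WDIGEST_VALUE.search(event.get("TargetObject", "")):
        if wdigest_enabled(event.get("Details", "")):
            tags.append("wdigest_plaintext_creds_enabled")
    cmd = event.get("CommandLine", "")
    if event.get("EventID") == 1 and re.search(r"schtasks(?:\.exe)?\s+/create", cmd, re.I):
        bypass = bool(EP_BYPASS.search(cmd)) and "powershell" in cmd.lower()
        if bypass:
            tags.append("schtask_powershell_execpolicy_bypass")
        name = TASK_NAME.search(cmd)
        # A trusted task folder plus a bypass launcher is the masquerading pattern.
        if bypass and name and TRUSTED_TASK_PATH.match(name.group(1)):
            tags.append("schtask_masquerading_trusted_path")
    return tags

def scan(events) -> dict:
    """Map event index -> findings, keeping only events that produced a tag."""
    return {i: t for i, e in enumerate(events) if (t := classify(e))}
```

Legitimate software occasionally registers tasks under \Microsoft\Windows, so the masquerading tag is meant for triage alongside the launcher command line rather than as a standalone alert.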
Tradecraft
18 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
xHunt is conducting cyber-espionage campaigns targeting government, shipping, and transportation sectors in Kuwait, using custom malware and advanced techniques to infiltrate critical infrastructure and harvest sensitive intelligence.
Persistent cyber-espionage activity focused on Kuwaiti organizations, including watering-hole credential harvesting (NTLM hash capture), direct compromise of Microsoft Exchange/IIS servers, and long-term access via custom PowerShell backdoors and webshells. Uses mailbox-based C2 via Exchange Web Services (EWS) by reading/writing email drafts, and employs SSH tunneling for lateral movement to internal services.