PCHunter
PCHunter is a post-compromise utility observed in multiple ransomware and intrusion contexts as part of attacker toolsets used to disable or tamper with security protections. Public reporting places it alongside tools such as HRSword, GMER, YDark, WKTools, DumpGuard, StpProcessMonitor BYOVD, and PowerTool, several of which abuse vulnerable kernel drivers to terminate endpoint protection processes. Symantec reported Trigona ransomware affiliates using PCHunter before deploying a custom exfiltration tool, in conjunction with AnyDesk for remote access, PowerRun for elevated execution, and Mimikatz and Nirsoft utilities for credential theft. Mandiant observed UNC2447 using PCHUNTER during reconnaissance and exfiltration activity alongside ADFIND, BLOODHOUND, MIMIKATZ, RCLONE, ROUTERSCAN, S3BROWSER, ZAP, and 7ZIP. Separately, CTU researchers observed PCHunter deployed in Qilin-related intrusions after RDP-based initial access and lateral movement, possibly to disable antivirus software, with associated activity including memory dumping and shadow copy deletion prior to ransomware deployment. Across these reports, PCHunter is consistently used on Windows systems as a defense-evasion or security-disabling tool in ransomware and financially motivated intrusion operations, including activity linked to Trigona, UNC2447, and Qilin/GOLD FEATHER. PCHunter is a dual-use anti-rootkit and system-inspection utility, so its presence alone is weak evidence; the reports above treat it as an attacker tool when it appears together with the surrounding activity (tool staging, kernel driver loads, shadow copy deletion) rather than in isolation.
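The reporting above describes a recognisable sequence on the endpoint: a security-killing utility such as PCHunter is executed, a kernel driver is loaded to terminate protection processes, and shadow copies are deleted shortly before ransomware deployment. The following hunt is an added example written for this page, not code from any of the cited vendors, and it correlates those three signals per host over Sysmon-style events (Event ID 1 process creation, Event ID 6 driver load). The binary names in KILLER_TOOLS, the 30-minute correlation window, the field names, and the sample events are assumptions and constructed data for the example, not indicators taken from the reports.

```python
"""Correlate security-killer execution, driver loads and shadow deletion per host.

Added example for this page; not code from Symantec, Mandiant or CTU reporting.
Assumptions (not from the page): events are dicts in Sysmon's field shape,
the tool binary names below, and a 30-minute correlation window.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Security-killing utilities named in the reporting on this page. The exact
# binary names are an assumption for this example, not page-supplied IOCs.
KILLER_TOOLS = {"pchunter64.exe", "pchunter32.exe", "powertool64.exe",
                "powertool.exe", "gmer.exe", "hrsword.exe"}

# Well-known shadow copy deletion command fragments (matched case-insensitively).
SHADOW_DELETE = ("vssadmin delete shadows", "wmic shadowcopy delete")

# Driver loads from anywhere outside the system driver directory are suspicious
# when they follow a killer tool (typical BYOVD staging is a user-writable path).
SYSTEM_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def basename(path):
    # ntpath handles backslash paths correctly even when run on Linux.
    return ntpath.basename(path).lower()


def hunt(events, window_minutes=30):
    """Return one finding per killer-tool execution, with any driver loads from
    non-system paths and shadow copy deletions seen on the same host within
    window_minutes after it. Severity is 'high' when either follow-on occurs."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["Computer"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["UtcTime"]))
        for i, e in enumerate(evs):
            if e["EventID"] != 1 or basename(e["Image"]) not in KILLER_TOOLS:
                continue
            deadline = parse_ts(e["UtcTime"]) + timedelta(minutes=window_minutes)
            drivers, shadow = [], []
            for f in evs[i + 1:]:
                if parse_ts(f["UtcTime"]) > deadline:
                    break
                if f["EventID"] == 6 and not f["ImageLoaded"].lower().startswith(SYSTEM_DRIVER_DIRS):
                    drivers.append(f["ImageLoaded"])
                elif f["EventID"] == 1 and any(m in f["CommandLine"].lower() for m in SHADOW_DELETE):
                    shadow.append(f["CommandLine"])
            findings.append({
                "host": host, "tool": basename(e["Image"]), "user": e["User"],
                "started": e["UtcTime"], "driver_loads": drivers,
                "shadow_deletions": shadow,
                "severity": "high" if (drivers or shadow) else "medium",
            })
    return findings


# Constructed sample telemetry for the example (not real events).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2024-05-01 10:00:12",
     "Image": "C:\\Users\\Public\\PCHunter64.exe", "CommandLine": "PCHunter64.exe",
     "User": "CORP\\jdoe"},
    {"Computer": "WS01", "EventID": 6, "UtcTime": "2024-05-01 10:01:40",
     "ImageLoaded": "C:\\Users\\Public\\drv.sys"},
    {"Computer": "WS01", "EventID": 1, "UtcTime": "2024-05-01 10:14:03",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "User": "NT AUTHORITY\\SYSTEM"},
    {"Computer": "WS02", "EventID": 6, "UtcTime": "2024-05-01 10:05:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"Computer": "WS02", "EventID": 1, "UtcTime": "2024-05-01 11:30:00",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "User": "CORP\\asmith"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it reports a single high-severity finding for WS01 and nothing for WS02; the benign tcpip.sys load on WS02 is ignored because no killer tool preceded it. In production the tool list should also be keyed on file hashes or the PE's original file name, since renaming the binary defeats a basename match.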
Groups observed using it
2 distinct threat actors attributed by public researchers.
CTU researchers have observed remote desktop protocol (RDP) abused for initial access and lateral movement before the post-compromise PCHunter and PowerTool tools were deployed, possibly with the intention of disabling antivirus software.
...UNC2447 has been observed using the following tools: ... PCHUNTER ...
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation
1 technique
A toolkit including PCHunter, Gmer, YDark, WKTools, DumpGuard and StpProcessMonitorByovd was used in the security killing process, which included bring your own vulnerable driver (BYOVD) techniques.
Stealth
1 technique
Before deploying the custom uploader, attackers disable security tools using multiple utilities, including HRSword, PCHunter, and GMER, often abusing vulnerable kernel drivers to kill protections.
Other
2 techniques
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A utility used in the attacks to help disable security protections, including via abuse of vulnerable kernel drivers.
A tool used alongside other kernel-level utilities to terminate endpoint protection processes and bypass defenses during the attack chain.
Post-compromise tool observed in Qilin intrusions, likely used to disable or interfere with antivirus/defensive controls prior to ransomware deployment.