The cybercriminal group known as CrazyHunter has rapidly escalated as a formidable ransomware threat, focusing predominantly on organizations in Taiwan’s healthcare, education, and industrial sectors.
Detailed analysis reveals that the group’s evolving tactics hinge critically on the abuse of open-source tools sourced from the public repository GitHub, combined with advanced methods like Bring Your Own Vulnerable Driver (BYOVD) attacks, increasing both the scale and sophistication of their campaigns.
Group Expands Arsenal with BYOVD and Ransomware Builders
CrazyHunter’s modus operandi includes the deliberate integration of open-source utilities, with approximately 80% of its toolkit built from freely available codebases such as the Prince Ransomware Builder and ZammoCide.
This approach significantly reduces the technical barrier for creating tailored, potent ransomware attacks, enabling rapid adaptation and enhancement of their operations.
The group was first detected at the start of the year, debuting a leak site that listed initial victims all based in Taiwan, which underscored a strategic, regionally targeted campaign.
A cornerstone of CrazyHunter’s escalation is the use of BYOVD, specifically exploiting the vulnerable driver zam64.sys from the Zemana Anti-Malware suite.
This driver is weaponized using variants of ZammoCide, enabling the group to terminate security processes, particularly those related to advanced endpoint detection and response (EDR) systems.
By disabling these protections, the attackers pave the way for successful ransomware deployment with minimal resistance.
Privilege escalation and lateral movement within compromised networks are achieved using SharpGPOAbuse, another open-source tool.
With adequate permissions, this tool manipulates Group Policy Objects (GPOs), allowing the attackers to spread payloads and expand their foothold across victim environments.
Focus Remains on Taiwanese Critical Sectors
Core to their impact operations is a customized version of Prince ransomware, developed in Go and using the ChaCha20 and ECIES encryption algorithms for file locking.
According to the report, this ransomware leaves a distinct signature by appending a “.Hunter” extension to encrypted files and demanding payment via detailed ransom notes.
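The two observables the article describes, a load of the vulnerable zam64.sys driver and a burst of files renamed with the “.Hunter” extension, can be correlated from endpoint telemetry. The following is an added detection sketch, not code from the article or from any vendor; the Sysmon-style event records, hostnames and paths are constructed sample data, and the event IDs (6 for driver load, 11 for file create) are assumed to follow the Sysmon convention.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# zam64.sys is the Zemana driver named in the article; a real deployment would
# load this set from a maintained vulnerable-driver catalogue.
VULNERABLE_DRIVERS = {"zam64.sys"}
RANSOM_EXTENSION = ".hunter"  # matched case-insensitively against ".Hunter"

# Constructed sample telemetry, Sysmon-style: id 6 = driver loaded, id 11 = file created.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T03:12:00", "host": "ws01", "id": 6, "image": r"C:\Windows\Temp\zam64.sys"},
    {"ts": "2025-01-10T03:12:05", "host": "ws01", "id": 11, "target": r"C:\Users\a\Documents\q1.xlsx.Hunter"},
    {"ts": "2025-01-10T03:12:06", "host": "ws01", "id": 11, "target": r"C:\Users\a\Documents\plan.docx.Hunter"},
    {"ts": "2025-01-10T03:12:09", "host": "ws01", "id": 11, "target": r"C:\Users\a\Desktop\notes.txt.Hunter"},
    {"ts": "2025-01-10T03:15:00", "host": "ws02", "id": 6, "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"ts": "2025-01-10T03:16:00", "host": "ws02", "id": 11, "target": r"C:\Users\b\old.bak.Hunter"},
]

def find_vulnerable_driver_loads(events):
    """Driver-load events whose file name is on the vulnerable-driver list."""
    return [e for e in events
            if e["id"] == 6 and ntpath.basename(e["image"]).lower() in VULNERABLE_DRIVERS]

def find_rename_bursts(events, threshold=3, window_s=60):
    """Hosts that created >= threshold '.Hunter' files within any window_s-second span."""
    per_host = defaultdict(list)
    for e in events:
        if e["id"] == 11 and e.get("target", "").lower().endswith(RANSOM_EXTENSION):
            per_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(host)
                break
    return sorted(alerts)

def triage(events):
    """Correlate both signals: a host with a vulnerable driver load and a rename burst ranks highest."""
    drivers = find_vulnerable_driver_loads(events)
    bursts = find_rename_bursts(events)
    both = sorted({e["host"] for e in drivers} & set(bursts))
    return {"driver_loads": [e["image"] for e in drivers],
            "encryption_bursts": bursts, "high_confidence_hosts": both}
```

On the sample data, ws01 is flagged on both signals while ws02's single renamed file stays below the burst threshold; tune `threshold` and `window_s` to the host's normal file-write rate.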
Notably, the ransom instructions and communication channels are tailored for Taiwanese victims, as indicated by the domain and email conventions found in extorted messages.
The group employs batch scripts to orchestrate multi-stage attacks, methodically executing tools to disable defenses, followed by sequential deployment of ransomware binaries.
Should the primary anti-AV countermeasures fail, redundant payload delivery methods ensure the attack continues.
CrazyHunter also leverages supporting Go-based programs for persistence and potential data exfiltration.
Their “file.exe” utility enables real-time monitoring and file serving on targeted hosts, further showcasing their adaptive and multi-pronged approach.
The explicit focus on Taiwanese institutions, particularly small and medium-sized enterprises, is evident through both victimology and digital forensic evidence.
The group’s leak site and custom ransom communications reinforce this regional targeting intent.
Security vendors such as Trend Micro have responded by updating detection capabilities, blocking malicious components, and supplying threat insights to counter the evolving tactics.
Experts urge organizations to adopt robust countermeasures: limiting privileges, enforcing multi-factor authentication, patching systems promptly, and employing endpoint protection specifically attuned to BYOVD exploits.
Regular driver audits and staff awareness training are also recommended to mitigate exposure to this rapidly growing threat vector.
The CrazyHunter campaign is a stark reminder of the risks posed by the dual-use nature of open-source technologies.
Its persistent targeting of critical national infrastructure underscores the imperative for organizations to fortify their defenses against increasingly resourceful and opportunistic adversaries.