// 01Executive summary
The CrazyHunter ransomware group is actively targeting Taiwanese critical sectors, particularly healthcare, using techniques that enable rapid compromise. This Go-based ransomware exploits weak domain credentials and employs Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks, loading a signed Zemana driver for privilege escalation and evasion of security defences. It achieves lateral movement and broad propagation by abusing Group Policy Objects (GPOs) via tools such as SharpGPOAbuse, and it encrypts data with a hybrid ChaCha20-ECIES scheme. Organizations must immediately strengthen domain credential hygiene, implement robust GPO monitoring, and enhance detection of BYOVD attacks to prevent encryption of network resources and data exfiltration to leak sites. Proactive cyber defences in these areas are urgently required to counter this evolving threat.
// 02Key metrics
// ttps
6
ATT&CK techniques
// iocs
13
indicators
// actors
1
threat groups
// kwords
10
keywords
// 03MITRE ATT&CK
// 04Threat actors
// 05Indicators of compromise
// ips0
none
// domains3
- webhook.site
- vpn.com
- next.js
// urls8
- https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/
- https://www.acronis.com/en/tru/posts/boto-cor-de-rosa-campaign-reveals-astaroth-whatsapp-based-worm-activity-in-brazil/
- https://www.cyfirma.com/news/weekly-intelligence-report-09-january-2026/
- https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-Implant
- https://redpiranha.net/news/threat-intelligence-report-december-30-2025-january-5-2026
- https://redpiranha.net/news/threat-intelligence-report-january-6-january-12-2026
- https://cybersecuritynews.com/fake-fortinet-sites/
- https://www.s-rminform.com/latest-thinking/react2shell-used-as-initial-access-vector-for-weaxor-ransomware-deployment
// sha2560
none
// md50
none
// emails0
none
// cves2
- CVE-2025-55182
- CVE-2026-21877
// 06Geographic coverage
// 07YARA rule
// Failed to generate YARA rule
// 08Keywords
- ransomware (score 8.2999)
- security (score 6.1352)
- threat (score 5.6178)
- malware (score 5.5335)
- credentials (score 5.4866)
- vpn (score 5.0762)
- campaign (score 4.8931)
- encryption (score 4.075)
- cyber (score 3.8104)
- leverages (score 3.7673)