Threat Actor Profile
High Cybercriminal
Description

In mid-October 2023, just a few days before the Europol operation, the source code of the Hive ransomware was sold, along with its website and older versions developed in Golang and C (although this purchase has only been reported by the actors, without concrete evidence). The buyer of the source code was the group Hunters International, which claimed to have fixed the bugs in the Hive ransomware that prevented file decryption in some cases. The group also stated that file encryption would not be its primary focus; instead, it would use data theft to pressure victims during extortion attempts.

Confidence Score: 100%
Tags: ransomware, ransomware.live
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026

MITRE ATT&CK Techniques (11)
T1071 - Application Layer Protocol (Command and Control)
T1071.001 - Web Protocols (Command and Control)
T1027 - Obfuscated Files or Information (Defense Evasion)
T1562 - Impair Defenses (Defense Evasion)
T1057 - Process Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1106 - Native API (Execution)
T1129 - Shared Modules (Execution)
T1486 - Data Encrypted for Impact (Impact)
T1547 - Boot or Logon Autostart Execution (Persistence)
STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'In mid-October 2023, just a few days before the Europol '
                'operation, the source code of the Ransomware Hive was sold, '
                'along with its website and older versions developed in Golang '
                'and C (although this purchase has only been reported by the '
                'actors without concrete evidence). The buyer of this new '
                'source code was the group Hunters International, who claimed '
                'to have fixed the bugs in the Ransomware Hive that were '
                'responsible for preventing file decryption in some cases. The '
                'group also stated that file encryption would not be their '
                'primary focus; instead, they would use data theft as a method '
                'to pressure victims during extortion attempts.',
 'firstseen': '2021-09-09T23:46:57.767787+00:00',
 'group': 'hunters',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2025-05-27T11:38:50+00:00',
 'locations': [{'available': False,
                'fqdn': 'hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion',
                'slug': 'https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/',
                'title': 'HUNTERS INTERNATIONAL',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion',
                'slug': 'https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login',
                'title': 'HUNTERS INTERNATIONAL',
                'type': 'Chat'},
               {'available': False,
                'fqdn': 'huntersinternational.org',
                'slug': 'https://huntersinternational.org/',
                'title': 'Attention Required! | Cloudflare',
                'type': 'DLS'},
               {'available': False,
                'fqdn': 'hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion',
                'slug': 'http://hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion',
                'title': 'HUNTERS INTERNATIONAL',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 3,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': 'hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion',
                                    'slug': 'https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/',
                                    'title': 'HUNTERS INTERNATIONAL',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion',
                                    'slug': 'https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login',
                                    'title': 'HUNTERS INTERNATIONAL',
                                    'type': 'Chat'},
                                   {'available': False,
                                    'fqdn': 'huntersinternational.org',
                                    'slug': 'https://huntersinternational.org/',
                                    'title': 'Attention Required! | Cloudflare',
                                    'type': 'DLS'},
                                   {'available': False,
                                    'fqdn': 'hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion',
                                    'slug': 'http://hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion',
                                    'title': 'HUNTERS INTERNATIONAL',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 3,
                     'ransomware_live_group': 'hunters',
                     'tools': {},
                     'url': 'https://www.ransomware.live/group/hunters',
                     'victims': 307,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {},
 'ttps': [{'tactic_id': 'TA0002',
           'tactic_name': 'Execution',
           'techniques': [{'technique_details': 'The threat actor utilizes the '
                                                'application programming '
                                                'interface to execute '
                                                'malicious behaviors.',
                           'technique_id': 'T1106',
                           'technique_name': 'Native API'},
                          {'technique_details': 'The threat actor executes '
                                                'payloads by loading shared '
                                                'modules.',
                           'technique_id': 'T1129',
                           'technique_name': 'Shared Modules'}]},
          {'tactic_id': 'TA0003',
           'tactic_name': 'Persistence',
           'techniques': [{'technique_details': 'The threat actor may set '
                                                'system configurations to '
                                                'automatically execute malware '
                                                'during system startup or '
                                                'login.',
                           'technique_id': 'T1547',
                           'technique_name': 'Boot or Logon Autostart '
                                             'Execution'}]},
          {'tactic_id': 'TA0005',
           'tactic_name': 'Defense Evasion',
           'techniques': [{'technique_details': 'The threat actor utilizes '
                                                'obfuscation on files used for '
                                                'their attack, encrypting, '
                                                'encoding, or obfuscating '
                                                'their content.',
                           'technique_id': 'T1027',
                           'technique_name': 'Obfuscated Files or Information'},
                          {'technique_details': 'The actor may maliciously '
                                                'modify victim environment '
                                                'components to hinder or '
                                                'disable defense mechanisms.',
                           'technique_id': 'T1562',
                           'technique_name': 'Impair Defenses'}]},
          {'tactic_id': 'TA0007',
           'tactic_name': 'Discovery',
           'techniques': [{'technique_details': 'The threat actor may attempt '
                                                'to gather information about '
                                                'running processes on a '
                                                'system.',
                           'technique_id': 'T1057',
                           'technique_name': 'Process Discovery'},
                          {'technique_details': 'The actor may try to obtain '
                                                'detailed information about '
                                                'the operating system and '
                                                'hardware, including version, '
                                                'patches, hotfixes, and other '
                                                'details.',
                           'technique_id': 'T1082',
                           'technique_name': 'System Information Discovery'},
                          {'technique_details': 'The threat actor may '
                                                'enumerate files and '
                                                'directories or search '
                                                'specific locations on a host '
                                                'or network share for certain '
                                                'information within a file '
                                                'system.',
                           'technique_id': 'T1083',
                           'technique_name': 'File and Directory Discovery'}]},
          {'tactic_id': 'TA0011',
           'tactic_name': 'Command and Control',
           'techniques': [{'technique_details': 'The threat actor can '
                                                'communicate using OSI '
                                                'application layer protocols '
                                                'to avoid network '
                                                'detection/filtering, blending '
                                                'in with existing traffic.',
                           'technique_id': 'T1071',
                           'technique_name': 'Application Layer Protocol'},
                          {'technique_details': 'The threat actor can '
                                                'communicate using web traffic '
                                                'associated application layer '
                                                'protocols to avoid detection.',
                           'technique_id': 'T1071.001',
                           'technique_name': 'Application Layer Protocol: Web '
                                             'Protocols'}]},
          {'tactic_id': 'TA0040',
           'tactic_name': 'Impact',
           'techniques': [{'technique_details': 'The threat actor can encrypt '
                                                'data on the target system or '
                                                'on a large number of systems '
                                                'to disrupt system '
                                                'availability.',
                           'technique_id': 'T1486',
                           'technique_name': 'Data Encrypted for Impact'}]}],
 'url': 'https://www.ransomware.live/group/hunters',
 'victims': 307,
 'vulnerabilities': []}