A sophisticated ransomware group known as CrazyHunter has emerged as a significant threat to organizations, particularly those in Taiwan’s critical infrastructure sectors.
This newly identified threat actor has been conducting targeted attacks against healthcare facilities, educational institutions, and industrial organizations since early 2025, showcasing a concerning level of operational sophistication.
The campaign leverages readily available open-source tools from GitHub, significantly lowering the barrier to entry for conducting complex ransomware operations.
CrazyHunter’s attack methodology reveals a strategic approach to compromising victim networks. The group employs the Bring Your Own Vulnerable Driver (BYOVD) technique: it brings a legitimately signed but vulnerable driver onto the victim system and abuses it to bypass security measures.
This enables them to terminate security processes and deploy their ransomware payload with minimal detection.
Most concerning is their focus on essential services in Taiwan, potentially disrupting critical operations in healthcare and education sectors.
Trend Micro researchers identified that approximately 80% of CrazyHunter’s toolkit consists of openly available GitHub resources that have been modified to enhance their capabilities.
The analysts discovered that these tools are being used in a well-orchestrated attack chain designed specifically to target Taiwanese organizations, as evidenced by victim data and the inclusion of “tw” in their contact email address (payment[.]attacktw1337@proton[.]me).
The group’s infrastructure reveals a methodical approach to cyberattacks. After gaining initial access, they deploy multiple tools to disable security mechanisms, establish persistence, and move laterally through networks.
Once they’ve gained sufficient control, they deploy their ransomware, encrypting files with the “.Hunter” extension and leaving a ransom note titled “Decryption Instructions.txt” while also changing the victim’s desktop wallpaper to display ransom demands.
One of the most notable aspects of CrazyHunter’s operation is their execution methodology, which employs redundant measures to ensure ransomware deployment even if primary methods fail. This demonstrates an evolving sophistication rarely seen in newer ransomware groups.
Execution Mechanism Analysis
The heart of CrazyHunter’s attack lies in their execution script, a batch file that orchestrates the deployment of multiple components in sequence.
The script begins by launching processes that exploit the vulnerable Zemana Anti-Malware driver (zam64.sys) to disable security products:
@echo off
start C:\Users\Public\go2.exe
timeout /t 10 /nobreak > nul
start C:\Users\Public\go.exe
timeout /t 10 /nobreak > nul
start C:\Users\Public\go3.exe
The script includes error-handling mechanisms that check whether each component executed successfully, launching alternative payloads if needed.
For instance, if go.exe fails to execute, the script launches av-1m.exe to perform similar functions. This ensures that even if some components are blocked, the attack continues through alternative paths.
After disabling security measures, the script proceeds to load the ransomware driver using bb.exe, then launches the encryption process.
The ransomware itself is based on the open-source Prince ransomware builder, modified to add the “.Hunter” extension to encrypted files.
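As a defender-side illustration of the execution chain described above (added here; this is not Trend Micro’s or the article’s code), the following Python sketch correlates constructed Sysmon-style events into the stages of the CrazyHunter flow: staged binaries launched from C:\Users\Public by a batch file, the zam64.sys driver load, the “.Hunter” extension and the ransom note. The event field names, hostnames and timestamps are assumptions.

```python
import ntpath
from collections import defaultdict

# Indicators quoted in the article: staging directory, abused driver, encrypted-file extension, note name.
STAGING_DIR = "c:\\users\\public\\"
VULN_DRIVER = "zam64.sys"
ENCRYPTED_EXT = ".hunter"
RANSOM_NOTE = "decryption instructions.txt"
BURST_WINDOW = 60  # seconds; the batch file only pauses 10 s between launches

# Constructed sample telemetry (Sysmon-like; the field names are assumptions, not a real schema).
SAMPLE_EVENTS = [
    {"ts": 0, "host": "ws01", "type": "process", "image": r"C:\Users\Public\go2.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": 1, "host": "ws01", "type": "driver_load", "image": r"C:\Users\Public\zam64.sys"},
    {"ts": 10, "host": "ws01", "type": "process", "image": r"C:\Users\Public\go.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": 30, "host": "ws01", "type": "process", "image": r"C:\Users\Public\bb.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": 45, "host": "ws01", "type": "file_create", "path": r"C:\Finance\q1.xlsx.Hunter"},
    {"ts": 46, "host": "ws01", "type": "file_create", "path": r"C:\Finance\Decryption Instructions.txt"},
    {"ts": 5, "host": "ws02", "type": "process", "image": r"C:\Program Files\App\app.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": 9, "host": "ws03", "type": "process", "image": r"C:\Users\Public\setup.exe", "parent": r"C:\Windows\System32\cmd.exe"},
]

def classify(event):
    """Map one event to the attack-chain stage it evidences, or None."""
    kind, name = event["type"], ntpath.basename(event.get("image") or event.get("path")).lower()
    if kind == "driver_load" and name == VULN_DRIVER:
        return "vulnerable_driver_load"
    if kind == "process" and event["image"].lower().startswith(STAGING_DIR) \
            and ntpath.basename(event["parent"]).lower() == "cmd.exe":
        return "staged_exec_from_cmd"
    if kind == "file_create":
        return "hunter_extension" if name.endswith(ENCRYPTED_EXT) else "ransom_note" if name == RANSOM_NOTE else None

def analyze(events):
    """Return {host: {"stages": set, "launches": list, "burst": bool, "alert": bool}}."""
    hosts = defaultdict(lambda: {"stages": set(), "launches": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        h, stage = hosts[ev["host"]], classify(ev)
        if stage:
            h["stages"].add(stage)
        if stage == "staged_exec_from_cmd":
            h["launches"].append((ev["ts"], ntpath.basename(ev["image"]).lower()))
    for h in hosts.values():
        # Orchestration heuristic: >= 2 distinct staged binaries spawned by cmd.exe within one window.
        h["burst"] = any(len({n for t, n in h["launches"] if t0 <= t <= t0 + BURST_WINDOW}) >= 2
                         for t0, _ in h["launches"])
        s = h["stages"]  # alert on driver abuse plus burst/encryption artefact, or >= 3 stages
        h["alert"] = len(s) >= 3 or ("vulnerable_driver_load" in s and
                                     (h["burst"] or bool(s & {"hunter_extension", "ransom_note"})))
    return dict(hosts)
```

A single staged launch from C:\Users\Public (host ws03) is deliberately not enough on its own; the driver load or the encryption artefacts must also be present.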