
DevMan Ransomware

Jan 21, 2026

Threat Overview - DevMan Ransomware

DevMan Ransomware is a newly emerging ransomware operation observed in 2025 that has been assessed as a derivative of the DragonForce ransomware family; researchers also tie its evolution to the broader rebrand patterns seen across ecosystems such as Conti and Black Basta. The operation uses the increasingly common double-extortion model: operational disruption through encryption, plus added pressure through data theft and publication on a leak site.

Furthermore, recent analysis highlights DevMan's emergence as part of an increasingly modular ransomware landscape, in which operators reuse proven codebases and infrastructure while changing names, branding, and tooling to evade attribution and maintain momentum. This matters because it aligns with the broader trend of ransomware groups shifting identities frequently while keeping consistent intrusion behavior and operational playbooks.

TITAN References:

Verity471 Reference:

Info Report: DevMan Attacks Against Healthcare Industry – https://verity.intel471.com/intelligence/infoReportView/report--68eeb2d0-6536-5793-b7fd-7d44e736c465

TITAN Reference:

Info Report: DevMan Attacks Against Healthcare Industry – https://titan.intel471.com/report/inforep/bf66ae54a6110f77587b5c04278a2b9d


DevMan Ransomware Hunt Collection


Single-Character Named Files with Execution Extension - Potential Malware Staging

This hunt package identifies single-character file names used at the point of execution or in command-line arguments, with optional logic to look for the corresponding file creations.


Autorun or ASEP Registry Key Modification

A common method by which adversaries and malicious software alike achieve persistence is adding a program to the startup folder or referencing it from a Registry run key. An entry in the Registry "run keys" or the startup folder causes the referenced program to execute when a user logs in. These locations are often used legitimately; when used maliciously, however, the key name or value is often obviously suspicious, such as a random name or an object loaded from a temp or public folder.
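The following is an added example, not code from Intel471 or from the HUNTER package itself, showing how the two signals named above (a run-key value that points into a temp or public folder, and a random-looking value name) can be scored over Sysmon Event ID 13 (RegistryEvent: value set) records. The event records, the randomness threshold, and the folder list are constructed assumptions for illustration and should be tuned per environment.

```python
import re
from typing import Dict, List

# Autorun / ASEP locations: the Run and RunOnce keys under HKLM and HKU, including the
# WOW6432Node view. Matched against the TargetObject of a Sysmon Event ID 13 record.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)

# Staging folders the hunt description calls out: temp and public locations
# (assumed list; extend with whatever your environment treats as untrusted).
SUSPICIOUS_PATH_RE = re.compile(
    r"(?:\\Temp\\|\\Users\\Public\\|\\ProgramData\\|%TEMP%|%TMP%|%PUBLIC%)",
    re.IGNORECASE,
)


def looks_random(value_name: str) -> bool:
    """Heuristic for machine-generated value names (assumed threshold, tune per environment):
    8+ characters that are all hex digits, or mostly consonants/digits with almost no vowels."""
    stem = value_name.rsplit("\\", 1)[-1]
    if len(stem) < 8:
        return False
    if re.fullmatch(r"[0-9a-f]{8,}", stem, re.IGNORECASE):
        return True
    letters = sum(c.isalpha() for c in stem)
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return letters >= 6 and vowels / letters < 0.15


def score_registry_event(event: Dict[str, object]) -> List[str]:
    """Return the reasons a registry-set event is suspicious; an empty list means ignore it."""
    target = str(event.get("TargetObject", ""))
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(target):
        return []
    reasons = []
    if SUSPICIOUS_PATH_RE.search(str(event.get("Details", ""))):
        reasons.append("public_or_temp_path")
    if looks_random(target):
        reasons.append("random_value_name")
    return reasons


def hunt(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the scoring over a batch of events and keep only those with at least one reason."""
    hits = []
    for ev in events:
        reasons = score_registry_event(ev)
        if reasons:
            hits.append({"TargetObject": ev["TargetObject"], "Details": ev["Details"], "reasons": reasons})
    return hits


# Constructed Sysmon-style records for demonstration (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate OneDrive autorun in a user's AppData folder: not flagged.
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Random value name pointing at a binary in the Public folder: two reasons.
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk3q9v2mzt",
     "Details": r"C:\Users\Public\svc.exe"},
    # Plausible name, but the program lives in a Temp folder: one reason.
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "Details": r"C:\Users\bob\AppData\Local\Temp\a.exe"},
    # A service ImagePath change: not a run key, so outside this hunt's scope.
    {"EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["TargetObject"], "->", hit["Details"], hit["reasons"])
```

The two reasons are kept separate rather than collapsed into a single score so that an analyst can see which signal fired; a value with both reasons is the strongest case, while a single "public_or_temp_path" hit still deserves a look because legitimate installers rarely persist from Temp.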


Remote Interactive Connections from Unexpected Locations

This hunt package identifies remote interactive connections that originate from unexpected, internet-exposed locations and reach more isolated internal locations, potentially indicating that external assets have been compromised and are being used as beachheads for lateral movement. By focusing on remote-connection protocols such as SSH, WinRM, RDP, and SMB, the package is designed to detect unauthorized access and exploitation where attackers use these protocols to move laterally across the network.


Potential Impacket wmiexec Module Command Execution

Impacket's wmiexec module enables an attacker to remotely upload files to a target system; by default, the module uses the same command-argument structure for each file upload. The logic in this package identifies wmiexec's known command structure and accounts for small alterations in case an attacker modifies it.


Network SMB Profiling - Potential Nonstandard SMB Communication Behavior

This hunt package is designed to identify abnormal Server Message Block (SMB) communications from internal hosts to hosts outside the organization's network. SMB is used for sharing files, printers, and other resources between computers, but attackers can also use SMB traffic to spread malware, steal data, and carry out other malicious activity. Abnormal SMB communications are traffic that deviates from the normal patterns and behaviors of legitimate SMB traffic, such as unusual SMB commands or unexpected connection attempts.
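As an added example (not Intel471's package logic), the profiling described above can be reduced to its simplest form on flow data: flag TCP sessions on the SMB ports that leave an internal source for a destination that is not part of the organisation's address space, with an allowlist for known partner shares. The flow record format, the sample flows (using documentation address ranges), and the definition of "internal" as RFC 1918 plus loopback are constructed assumptions.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Sequence

# Assumed definition of "internal": RFC 1918 ranges plus loopback. Anything else is
# treated as external to the organisation for the purpose of this hunt.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# SMB over TCP (445) and SMB over NetBIOS session service (139).
SMB_PORTS = {445, 139}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one constructed flow record: 'ts src_ip src_port dst_ip dst_port proto bytes'."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.upper(), "bytes": int(nbytes)}


def find_external_smb(lines: Sequence[str], allowlist: Sequence[str] = ()) -> List[Dict[str, object]]:
    """Return flows where an internal host talks SMB to a non-internal, non-allowlisted host."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "TCP" or f["dport"] not in SMB_PORTS:
            continue
        if not is_internal(str(f["src"])) or is_internal(str(f["dst"])):
            continue
        if ipaddress.ip_address(str(f["dst"])) in allowed:
            continue
        hits.append(f)
    return hits


def sources_by_hits(hits: Sequence[Dict[str, object]]) -> Counter:
    """Count offending flows per internal source, which is what an analyst triages first."""
    return Counter(str(h["src"]) for h in hits)


# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    "2026-01-21T10:00:01Z 10.1.2.15 51000 10.1.2.5 445 TCP 18240",    # internal file server: fine
    "2026-01-21T10:00:07Z 10.1.2.15 51011 203.0.113.40 445 TCP 4096",  # SMB to an external host
    "2026-01-21T10:00:09Z 10.1.2.15 51012 203.0.113.40 139 TCP 512",   # NetBIOS session, same host
    "2026-01-21T10:00:12Z 10.1.2.22 51500 198.51.100.9 443 TCP 9001",  # HTTPS, not SMB
    "2026-01-21T10:00:20Z 10.1.2.22 51501 198.51.100.77 445 TCP 2048", # allowlisted partner share
]

if __name__ == "__main__":
    found = find_external_smb(SAMPLE_FLOWS, allowlist=["198.51.100.77"])
    for f in found:
        print(f["ts"], f["src"], "->", f["dst"], f["dport"])
    print(sources_by_hits(found))
```

Outbound SMB to the internet is rare enough in most environments that even one flow is worth a look; the per-source count is there because a single host fanning out to several external SMB destinations is the pattern that usually separates a misconfigured client from deliberate data movement.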


Possible Impacket service created - smbexec.py module

This package identifies the creation of a service whose name matches the default schema used by Impacket's "smbexec.py" module. Impacket is an open-source collection of Python modules for constructing and manipulating network protocols. These modules have been observed being abused for malicious purposes, such as obtaining credentials and executing commands remotely.
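The following added example (not the HUNTER package logic) serves both the wmiexec entry above and this smbexec entry: it matches the default command structure that Impacket's wmiexec module issues, tolerating small alterations as the wmiexec description requires, and checks service-installation records for the default service name and command artifacts of smbexec. The default values encoded here come from the upstream Impacket tool defaults as the author of this example knows them, not from the page, which does not list them; the event records are constructed for demonstration.

```python
import re
from typing import Dict, List

# wmiexec.py's default remote command shape (Impacket upstream default, assumed here):
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# The pattern tolerates small alterations: any host in the UNC path, ADMIN$ or C$ share,
# any output file name after the share, and %COMSPEC% in place of cmd.exe.
WMIEXEC_RE = re.compile(
    r"(?:cmd(?:\.exe)?|%COMSPEC%)\s+/Q\s+/c\s+.+?\s+1>\s*\\\\[\w.\-]+\\(?:ADMIN|C)\$\\\S+\s+2>&1",
    re.IGNORECASE,
)

# smbexec.py defaults (Impacket upstream, assumed here): service name BTOBTO, and a service
# command that redirects output to \\<host>\C$\__output through a %TEMP%\execute.bat file.
SMBEXEC_SERVICE_NAME = "BTOBTO"
SMBEXEC_PATH_RE = re.compile(r"\\\\[\w.\-]+\\C\$\\__output|\\execute\.bat", re.IGNORECASE)


def detect_wmiexec(command_line: str, parent_image: str = "") -> Dict[str, bool]:
    """Process-creation check. 'matched' means the command shape was seen; 'parent_is_wmiprvse'
    raises confidence, because WMI-launched commands run as children of WmiPrvSE.exe."""
    return {
        "matched": WMIEXEC_RE.search(command_line) is not None,
        "parent_is_wmiprvse": parent_image.lower().endswith("\\wmiprvse.exe"),
    }


def detect_smbexec(service_name: str, image_path: str) -> List[str]:
    """Service-installation check (Windows System log event 7045 style fields)."""
    reasons = []
    if service_name.upper() == SMBEXEC_SERVICE_NAME:
        reasons.append("default_service_name")
    if SMBEXEC_PATH_RE.search(image_path):
        reasons.append("smbexec_command_artifacts")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply both detections over a mixed batch of process and service events."""
    hits: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            r = detect_wmiexec(ev["CommandLine"], ev.get("ParentImage", ""))
            if r["matched"]:
                hits.append({"index": i, "rule": "impacket_wmiexec",
                             "high_confidence": r["parent_is_wmiprvse"]})
        elif ev["type"] == "service":
            reasons = detect_smbexec(ev["ServiceName"], ev["ImagePath"])
            if reasons:
                hits.append({"index": i, "rule": "impacket_smbexec", "reasons": reasons})
    return hits


# Constructed events for demonstration (not real telemetry).
SAMPLE_EVENTS = [
    # Unmodified wmiexec shape under WmiPrvSE.exe: high-confidence hit.
    {"type": "process", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    # Slightly altered: %COMSPEC%, a different host and share, a renamed output file.
    {"type": "process", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"%COMSPEC% /Q /c ipconfig /all 1> \\10.0.0.5\C$\__out 2>&1"},
    # Ordinary user redirection to a local file: no hit.
    {"type": "process", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\ > C:\Users\alice\out.txt"},
    # smbexec default service name and command: two reasons.
    {"type": "service", "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # Legitimate service: no hit.
    {"type": "service", "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # Service renamed by the operator but the command artifacts are unchanged: one reason.
    {"type": "service", "ServiceName": "UpdateSvc",
     "ImagePath": r"%COMSPEC% /Q /c echo hostname ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Keying the smbexec check on the command artifacts as well as the service name is what makes it survive a renamed service, and pairing the wmiexec regex with the WmiPrvSE.exe parent keeps the looser pattern from firing on ordinary administrative redirection.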


Unusual Secrets Dump Processes - DonPAPI Activity

This hunt package focuses on identifying the execution of DonPAPI, an open-source credential-theft tool used to extract DPAPI-protected secrets, browser credentials, RDP files, Wi-Fi keys, and other sensitive artifacts from Windows systems.

