
CrazyHunter Ransomware
CrazyHunter is a ransomware campaign targeting healthcare that weakens endpoint defenses and escalates privileges before encrypting systems at scale.

UPDATE 12/08/2025: In October 2025, Gootloader resurfaced with enhanced capabilities, building on the multi-stage loader malware first seen in 2020. The new activity includes initial access through SEO (Search Engine Optimization) poisoning with law-related decoys, and modified ZIP archive extraction behavior used to conceal the payload. Researchers have also observed newer persistence techniques and the deployment of more unique malicious tooling.
This content is designed to detect scheduled tasks whose actions reference scripting (a script interpreter or a script file). Malware and adversaries use this technique to maintain persistence on a compromised system.
The creation of both a `JavaScript` file and an `LNK` file in the same folder within a brief window is a strong indicator of potential defense evasion, as seen in Gootloader attacks. Threat actors use this method to obscure the execution of malicious scripts: the `LNK` file acts as a launcher for the `JavaScript` payload, sidestepping direct execution that might otherwise be blocked or scrutinized.
This package is designed to identify shortcut (.lnk) files created in the Windows Startup folder. Malware and attackers use this technique to have their program execute when a user logs in. A LNK file is used to bypass security controls and avoid the scrutiny that dropping an executable directly into the Startup folder would draw. The Startup folder path for the current user is `C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`. The Startup folder path for all users is `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp`.
Rundll32 running without any command-line arguments is highly anomalous and should be investigated, as it can be indicative of malicious activity.
Malware often maintains persistence via scheduled tasks. The provided logic identifies scheduled task commands that invoke rundll32, powershell or cmd, or that reference the common malware staging locations `AppData\Roaming` and `AppData\Local\Temp`. These two locations are commonly used to store malware binaries.
This Hunt Package is designed to identify the creation of .LNK shortcut files under a user's Startup folder by script interpreters (wscript/cscript/powershell/cmd). In late 2025, several actors and malware operators switched to JavaScript and other scripting languages to carry out their initial infection, such as loading additional malware and establishing persistence. This was likely done to evade detections triggered by executing a binary at the start of the infection chain.
This package is designed to detect the creation of a file in the Windows Startup folder.
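The two file-creation hunts above (a JavaScript and LNK file landing in the same folder within a short window, and a shortcut written into either Startup folder, weighted higher when a script interpreter wrote it) can be prototyped over Sysmon FileCreate (Event ID 11) records. The following is an added example written for this page, not HUNTER content or Gootloader code; the events are constructed sample data, and the field names, the 60-second window and the set of script hosts are assumptions.

```python
import re
from datetime import datetime

# Constructed Sysmon-style FileCreate (Event ID 11) records: UtcTime, Image (creating
# process) and TargetFilename. Sample data only, not taken from a real incident.
FILE_EVENTS = [
    {"UtcTime": "2025-10-14 09:12:03", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\Temp1_contract.zip\contract 84512.js"},
    {"UtcTime": "2025-10-14 09:12:41", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Service.lnk"},
    {"UtcTime": "2025-10-14 09:12:41", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Adobe\Acrobat\Updater.js"},
    {"UtcTime": "2025-10-14 09:12:42", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Adobe\Acrobat\Updater.lnk"},
    {"UtcTime": "2025-10-14 11:30:00", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Vendor Agent.lnk"},
]

# Per-user and all-users Startup folders from the text; only .lnk files directly inside them.
STARTUP_LNK = [
    re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I),
    re.compile(r"^[A-Z]:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.I),
]
# Script interpreters whose writing of a Startup .lnk raises severity (assumed set).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def startup_lnk_hits(events):
    """Shortcut files created in a Startup folder; 'high' when a script host wrote them."""
    hits = []
    for ev in events:
        target = ev["TargetFilename"]
        if not any(p.match(target) for p in STARTUP_LNK):
            continue
        creator = image_name(ev["Image"])
        hits.append({"file": target, "creator": creator,
                     "severity": "high" if creator in SCRIPT_HOSTS else "review"})
    return hits


def js_lnk_pairs(events, window_seconds=60):
    """Folders where a JavaScript file and a .lnk were created within window_seconds of each other.

    Folder keys are lower-cased so that differently-cased paths group together.
    """
    by_folder = {}
    for ev in events:
        folder, _, name = ev["TargetFilename"].rpartition("\\")
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in ("js", "jse", "lnk"):
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_folder.setdefault(folder.lower(), []).append((ts, ext, name))
    pairs = []
    for folder, items in by_folder.items():
        scripts = [i for i in items if i[1] != "lnk"]
        links = [i for i in items if i[1] == "lnk"]
        for s_ts, _, s_name in scripts:
            for l_ts, _, l_name in links:
                if abs((l_ts - s_ts).total_seconds()) <= window_seconds:
                    pairs.append({"folder": folder, "script": s_name, "lnk": l_name})
    return pairs


if __name__ == "__main__":
    for h in startup_lnk_hits(FILE_EVENTS):
        print(h["severity"], h["creator"], h["file"])
    for p in js_lnk_pairs(FILE_EVENTS):
        print("js+lnk pair:", p["folder"], p["script"], p["lnk"])
```

On the sample data the shortcut written by `wscript.exe` into the per-user Startup folder scores `high`, the vendor installer's all-users shortcut is left for review, and the `Updater.js`/`Updater.lnk` pair in the Roaming profile is the one co-creation hit; shrinking the window to zero seconds drops it, which is why the window should be tuned against real file-creation timing rather than set arbitrarily.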
This hunt package is designed to capture scheduled tasks whose details reference abnormal locations for execution. This is often a mark of persistence or of malicious tasks created by malware or attackers.
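The three scheduled-task hunts on this page (script references in task actions, rundll32/powershell/cmd as the task command, and commands pointing into `AppData\Roaming` or `AppData\Local\Temp`) all reduce to inspecting the `<Exec>` actions in the task XML that a Security 4698 (scheduled task created) event carries. The example below is added for this page and is not HUNTER or Gootloader code; the events are constructed, the `task_xml` helper only mimics the shape of the XML, and the interpreter and script-extension lists extend the text's rundll32/powershell/cmd with a few assumed additions.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def task_xml(command, arguments):
    """Minimal task XML of the shape Security 4698 carries in TaskContent (constructed helper)."""
    return (f'<?xml version="1.0" encoding="UTF-16"?><Task version="1.4" xmlns="{TASK_NS}">'
            f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


# Constructed 4698 records; sample data only, not from a real incident.
TASK_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    {"TaskName": r"\Update Service",
     "TaskContent": task_xml("wscript.exe", r'"C:\Users\jdoe\AppData\Roaming\Adobe\Acrobat\Updater.js"')},
    {"TaskName": r"\OneDriveCheck",
     "TaskContent": task_xml("rundll32.exe", r"C:\Users\jdoe\AppData\Local\Temp\nvsvc.dll,DllMain")},
    {"TaskName": r"\Backup",
     "TaskContent": task_xml(r"C:\Program Files\Backup\agent.exe", "/quiet")},
]

# Interpreters / LOLBins keyed on (text names rundll32, powershell, cmd; the rest are assumed).
INTERPRETERS = re.compile(r"(?:^|\\)(wscript|cscript|powershell|pwsh|cmd|mshta|rundll32|regsvr32)(?:\.exe)?$", re.I)
# Staging folders named in the text.
STAGING_DIRS = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)
# Script file types passed as arguments (assumed list).
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf|ps1|hta|bat)\b", re.I)
# Drop the XML declaration so the str parses regardless of the encoding it declares.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def exec_actions(task_content):
    """(Command, Arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(XML_DECL.sub("", task_content, count=1))
    ns = "{%s}" % TASK_NS
    actions = []
    for ex in root.iter(ns + "Exec"):
        cmd = (ex.findtext(ns + "Command") or "").strip().strip('"')
        args = (ex.findtext(ns + "Arguments") or "").strip()
        actions.append((cmd, args))
    return actions


def triage_task(event):
    """Reasons a task creation event deserves a look; empty list when nothing matched."""
    reasons = []
    for cmd, args in exec_actions(event["TaskContent"]):
        m = INTERPRETERS.search(cmd)
        if m:
            reasons.append(f"action runs interpreter/LOLBin: {m.group(1).lower()}")
        if STAGING_DIRS.search(cmd + " " + args):
            reasons.append("action references AppData\\Roaming or AppData\\Local\\Temp")
        m = SCRIPT_FILE.search(args)
        if m:
            reasons.append(f"action passes a script file: .{m.group(1).lower()}")
    return reasons


def triage_tasks(events):
    """Map of TaskName -> reasons for every event that matched at least one rule."""
    flagged = {}
    for ev in events:
        reasons = triage_task(ev)
        if reasons:
            flagged[ev["TaskName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_tasks(TASK_EVENTS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Parsing the XML rather than string-matching the whole event avoids false hits on task names or descriptions that merely mention `cmd`, and keeps the command separate from its arguments so a quoted interpreter path still anchors correctly. `ScheduledDefrag` and the vendor backup task produce no reasons; the wscript task trips all three rules and the rundll32 task trips two.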
ZIP files are often used to deliver malicious files such as JavaScript files. Typically sent via email or downloaded from a phishing page, these ZIP files leave traces of execution when their contents are not extracted but run straight from the archive. This package identifies the temporary folder naming schemes used by 7-Zip, Windows Explorer and WinRAR when a JavaScript file is executed by the built-in Windows script interpreter WScript. JavaScript files are typically used for the first stage of a malicious execution chain, downloading and installing further malware.
This Hunt Package is designed to identify instances where Windows Script Host launches potentially suspicious child processes such as PowerShell, cmd, or other LOLBins. This behavior is consistent with documented Gootloader infection chains, where JavaScript loaders executed via WScript or LNK shortcuts spawn additional processes to facilitate follow-on actions, including system enumeration and payload staging.
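The process-level hunts on this page (rundll32 with an empty command line, WScript running a script out of an archiver's temp folder, and Windows Script Host spawning PowerShell, cmd or other LOLBins) can be checked together over Sysmon ProcessCreate (Event ID 1) records. The block below is an added example written for this page, not HUNTER content or Gootloader code. The events are constructed; the temp-folder patterns (`7z<id>`, `Temp<n>_<archive>` and `Rar$<tag><pid>.<n>`) follow the commonly documented naming of 7-Zip, Explorer and WinRAR but should be validated against your own telemetry, and the list of LOLBin children extends the text's PowerShell and cmd with assumed additions.

```python
import re

# Constructed Sysmon-style ProcessCreate (Event ID 1) records: Image, CommandLine, ParentImage.
# Sample data only, not from a real incident.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_contract.zip\contract 84512.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\jdoe\AppData\Roaming\Adobe\Acrobat\stage2.ps1",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" \\corp.example\netlogon\login.vbs',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\7zO4B3C2A1D\invoice.js"',
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'"C:\Windows\System32\cscript.exe" C:\Users\jdoe\AppData\Local\Temp\Rar$DIa4212.18735\nda.js',
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
]

# Temp-folder schemes of 7-Zip, Explorer and WinRAR (assumed patterns) followed by a script file.
ARCHIVE_TEMP = re.compile(
    r"\\Temp\\(?:7z[A-Za-z0-9]+|Temp\d+_[^\\]+|Rar\$[A-Za-z]+\d+\.\d+)\\[^\\]+\.(?:js|jse|vbs|vbe|wsf)\b",
    re.I)
WSH = {"wscript.exe", "cscript.exe"}
# Children worth flagging under a script host (text names PowerShell and cmd; rest assumed).
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                   "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_first_token(cmdline):
    """Split a Windows command line into (executable, remaining arguments), honouring quotes."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_process(ev):
    """Reasons a process creation deserves a look; empty list when nothing matched."""
    reasons = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    _, args = split_first_token(ev["CommandLine"])
    if image == "rundll32.exe" and args == "":
        reasons.append("rundll32 launched with no arguments")
    if image in WSH and ARCHIVE_TEMP.search(args):
        reasons.append("script host running a script from an archive temp folder")
    if parent in WSH and image in LOLBIN_CHILDREN:
        reasons.append(f"{parent} spawned {image}")
    return reasons


def hunt(events):
    """(index, reasons) for each event that matched at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := triage_process(ev))]


if __name__ == "__main__":
    for i, reasons in hunt(PROCESS_EVENTS):
        print(i, PROCESS_EVENTS[i]["CommandLine"])
        for r in reasons:
            print("   -", r)
```

The empty-argument test works on the parsed command line rather than on a raw string compare, so `"C:\Windows\System32\rundll32.exe"` with quotes and trailing whitespace is still caught, while the Control Panel launch via `shell32.dll,Control_RunDLL` and a VBScript logon script from a netlogon share fall through untouched. The archive check is deliberately tied to the script host being the image: an archiver writing into its own temp folder is normal, a script interpreter reading a `.js` from it is not.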
