crazyhunter team

CrazyHunter is a rising ransomware threat first detected in early 2025, with particularly dangerous campaigns targeting Taiwanese critical infrastructure sectors such as healthcare, education, manufacturing, and industrial services. Technically sophisticated, its toolkit is composed of approximately 80% open-source tools, including the Prince Ransomware Builder (for encryption), ZammoCide (for defense evasion via BYOVD techniques), and SharpGPOAbuse (enabling lateral movement via Group Policy). In a notable incident like the February attack on Mackay Memorial Hospital, attackers employed a USB-based infection vector, then escalated privileges using vulnerable signed drivers (e.g., zam64.sys) to disable security defenses. The ransomware appends extensions like .Hunted3 and displays “Decryption Instructions.txt” as ransom notes. The group maintains a data leak site where it publicly claims multiple Taiwanese organizations as victims.