hotarus

Hotarus is a ransomware and data extortion group first observed in March 2021, believed to be linked to threat actors of Latin American origin. The group has targeted entities in South America and the United States, including financial institutions, government agencies, and private companies. Hotarus is known for deploying both custom ransomware and publicly available tools, alongside stealing sensitive information for double-extortion purposes. The group has been observed exploiting vulnerable web services, using stolen credentials, and leveraging publicly available post-exploitation frameworks to gain persistence in victim networks. Encrypted files are typically appended with extensions such as .hotarus or campaign-specific identifiers, and ransom notes direct victims to communicate via encrypted email services. Notably, in some campaigns, Hotarus deployed data leak threats without encrypting files, focusing solely on exposure as a pressure tactic.