Skip to content
Ransomware group

CrazyHunter

CrazyHunter is a Go-based ransomware family, assessed by Trellix as a fork of Prince ransomware first observed in mid-2024, that targets Windows systems.

Profile source: Mallory opens in a new tab

CrazyHunter

Family profile

CrazyHunter is a Go-based ransomware family, assessed by Trellix as a fork of Prince ransomware first observed in mid-2024, that targets Windows systems. Reporting indicates it has primarily targeted organizations in Taiwan, with at least six known victims, many of them hospitals and healthcare organizations. It uses a data leak site to publicize victim information and threaten publication of stolen data if ransom demands, made in cryptocurrency, are not paid.

Initial access is reported to commonly involve exploitation of weak Active Directory passwords and other AD weaknesses. For propagation, operators abuse Group Policy Objects using SharpGPOAbuse to spread rapidly across enterprise networks. For defense evasion and privilege escalation, CrazyHunter uses a bring-your-own-vulnerable-driver technique with a modified Zemana anti-malware driver, zam64.sys, to terminate legitimate security processes.

The malware uses ChaCha20 for file encryption and ECIES to protect per-file keys and nonces. It implements partial encryption using a 1:2 pattern, encrypting one byte and skipping the next two, to accelerate impact and potentially reduce detection based on sustained disk I/O. Encrypted files are typically appended with the .hunter extension. Reported operational components include ru.bat for orchestration, go.exe and go2.exe as AV-killer components, go3.exe as the primary encryptor, bb.exe as a Donut loader, crazyhunter.sys shellcode, crazyhunter.exe as a backup encryptor, and file.exe, which has been described as supporting extortion operations by acting as a file server or monitoring/deletion tool.

Known communications and infrastructure mentioned in reporting include attack-tw1337@proton.me, Telegram @Magic13377, and the Tor onion address 7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd.onion. A wallpaper-change routine was also reported to download an image from ncmep.org. Some reporting notes Taiwanese authorities later linked the attacks to a Chinese security firm or described the actors as a Chinese hacker group, but attribution details are limited in the provided content.

Ransomware.live

Operational record

View group record ↗

Defense Evasion

  • Zemana Anti-Rootkit driver
  • av-1m.exe (AV bypass)
  • go.exe / go2.exe (BYOVD loader)

Offsec

  • Donut
  • Prince Ransomware
  • SharpGPOAbuse
  • bb.exe (shellcode loader)

Ransomware.live

Published indicators

Full source record ↗

Telegram

2 total
  • https://t.me/CrazyHuntersTeam
  • https://t.me/Magic13377

Tox

1 total
  • E8481B6E149862EEEA79668EBBC50B96A6B6529C5DDD905491E2F838EF7D174FB73DB97F1FFD

Reported operators

Threat actors

1 named in public reporting
CrazyHunter

CrazyHunter, a Go-developed ransomware, employs advanced encryption and delivery methods targeted against Windows-based machines. It uses a data leak site to publicize victim information.

Reporting

Research mentioning CrazyHunter

Jan 15
The Hacker News

ThreatsDay Bulletin: AI Voice Cloning Exploit, Wi-Fi Kill Switch, PLC Vulns, and 14 More Stories

A ransomware strain dubbed CrazyHunter has compromised at least six companies in Taiwan, most of them being hospitals. A Go-based ransomware and a fork of the Prince ransomware...

Jan 12
Data Breaches

CrazyHunter ransomware escalates with advanced intrusion tactics, six Taiwan healthcare victims confirmed

"CrazyHunter, a Go-developed ransomware, employs advanced encryption and delivery methods targeted against Windows-based machines. It uses a data leak site to publicize victim information,"

Jan 11
Risky Biz Rss

Risky Bulletin: Apex Legends streamers hacked again

CrazyHunter ransomware: Trellix has published a technical analysis of CrazyHunter, a ransomware strain that was used in attacks against Taiwanese organizations last year. Taiwanese officials later linked the attacks to a Chinese security firm.

Jan 8
Security Online Info

CrazyHunter: The "Ruthless" Ransomware Stalking Healthcare

Security researchers at Trellix have released an in-depth analysis of CrazyHunter, a sophisticated threat that combines “network compromise techniques” with advanced anti-malware evasion to devastate its victims.

Jan 7
Cyber Security News

CrazyHunter Ransomware Attacking Healthcare Sector with Advanced Evasion Techniques

CrazyHunter ransomware has emerged as a critical and evolving threat that specifically targets healthcare organizations and sensitive medical infrastructure. This Go-developed malware represents a significant escalation in ransomware sophistication, employing advanced encryption methods and delivery mechanisms designed to bypass modern security defenses.

Dec 31
Cyberthrone

New Ransomware Emerged in 2025 – Threat Intel Report

RansomHub, Arkana, CrazyHunter, and NightSpire established operations using reused codebases and recycled infrastructure.

Aug 13
Medium S2wblog

Ransomware Landscape in H1 2025: Statistics and Key Issues | by S2W | S2W BLOG | Medium

Additionally, in the first half of 2025, a new ransomware group called CrazyHunter emerged, targeting major industries and companies in Taiwan with active attack activities.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.