xHunt is a malware framework created by the SectorD01 advanced persistent threat for use in their campaigns throughout Europe, East and South Asia, and the United States. Originally called Sakabota, it is believed to have been split into several modules in order for SectorD01 to properly compartmentalise their tools.
xHunt initial payloads are delivered via sophisticated spear-phishing campaigns or supply chain compromises. SectorD01 will perform extensive reconnaissance and data collection on potential targets, which include shipping, telecommunications, and governmental organisations.
Whoever is responsible for the xHunt operation appears to be highly skilled, since their tools are very advanced.
As it is a modular framework, xHunt campaigns can be tailored for specific targets, with modules able to be installed and removed as needed. At the time of publication, the following modules have been identified:
- Sakabota – Primary xHunt module. Able to deliver subsequent modules as well as the Mimikatz credential harvesting tool, along with PsExec and WMIC. It also initiates the connection to the primary command and control (C2) server.
- Hisoka – Modular backdoor that uses both HTTP and DNS for C2 communications.
- Killua – Believed to be a newer version of Hisoka with no added functionality.
- Netero – Embedded tool used by Hisoka for C2 communications via Exchange Web Server. Netero relays emails containing instructions for Hisoka to carry out.
- Diezen – Backdoor with similarities to Hisoka. Uses a proprietary non-HTTP protocol over port 443 to connect to a C2 server. Appears to have been superseded by Hisoka and Gon in later campaigns.
- Gon – Lightweight post-exploitation remote access trojan focused on port scanning, password brute-forcing, and creating RDP sessions.
- EYE – Monitors SectorD01 RDP sessions on affected systems. It will then attempt to close all processes and remove all files associated with xHunt when the sessions are ended.
Affected platforms:
- Microsoft Windows – All versions