Emerging Threats//
CrazyHunter Ransomware
CrazyHunter is a ransomware campaign targeting healthcare that weakens endpoint defenses and escalates privileges before encrypting systems at scale.
Threat Overview - Handala Threat Group
The Handala threat group has recently emerged as a disruptive Iranian-aligned cyber operation that has conducted destructive and espionage-oriented campaigns against organizations across multiple regions. Recent reporting highlights activity targeting entities in Israel and Western countries, including a high-profile attack against a medtech company, where systems were reportedly disrupted as part of a destructive cyber campaign. The threat group has also been linked to operations impacting institutions such as schools and infrastructure targets, demonstrating an evolution from traditional hacktivist messaging into more operationally damaging attacks. Over the past several months, Handala has been observed demonstrating an increased ability to coordinate attacks that combine data theft, destructive malware, and public messaging campaigns, allowing them to cause disruption while amplifying political narratives tied to regional tensions.
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Handala Threat Group Hunt Collection
Related Hunt Packages
File Writes with Single Character File Names and Execution Extension - Potential Malware Staging
This Hunt Package identifies single character file names used at point of execution or in command line arguments with optional logic to look for the file creations.
WMIC Windows Internal Discovery and Enumeration
This will identify the potentially malicious use of WMI (Windows Management Interface) utilized for local enumeration and discovery of a host.
Timeout Delayed Execution
This Threat Hunt package identifies the use of delayed execution tactics involving timeout.exe to introduce pauses between command executions. This technique is commonly used by threat actors to evade detection mechanisms, delay payload execution, or coordinate multi-stage attacks. By leveraging legitimate system tools to create timed delays, malicious activity can blend in with normal operations, making it harder to detect using traditional signature-based approaches. This hunt focuses on uncovering patterns of timed delays that may indicate stealthy or staged execution behaviors associated with post-exploitation activity or automated threat actor workflows.
MSI File Installation from Suspicious Location
This use case is meant to detect msiexec.exe installing MSI files from directories outside standard/trusted installation paths, which may indicate malicious software installation.
Potential Use of Findstr or Find with Tasklist
This Threat Hunt package identifies instances where adversaries may be using the native Windows tasklist command in combination with the findstr utility to locate security-related processes. Adversaries and malware often use this method to search for and target processes associated with security products and other interesting services. By identifying these processes, attackers can attempt to manipulate or disable security mechanisms, gather sensitive information, or facilitate more effective ways to execute based on what processes are discovered.
Suspicious bcdedit Activity - Potential Ransomware
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.
Ping Count Activity
This Threat Hunt package is designed to identify when ping.exe utilizes the count argument reducing the number of ICMP packets being sent over the network to the intended destination.
Microsoft Defender Antivirus Disabled via Registry Key Manipulation
This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key or by modifying how Microsoft Defender will respond to threats based by changing the configuration through registry keys.
Shadow Copies Deletion Using Operating Systems Utilities
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow.
Logical Disk Enumeration - WMIC
This package is meant to identify activity around enumerating for logical drives on a system utilizing WMIC, a behavior observed in relation to the Brute Ratel tool.