The Ghost in the Machine: Unmasking CrazyHunter's Stealth Tactics

By Aswath A · January 6, 2026

CrazyHunter ransomware has emerged as a significant and concerning threat, highlighting the increasing sophistication of cybercriminal tactics. Trellix has been actively tracking this ransomware since its initial appearance, noting its rapid development and growing prevalence. The ransomware executable is a fork of the Prince ransomware, which surfaced in mid-2024. It has introduced notable advancements, particularly in network compromise techniques and anti-malware evasion.

This blog provides an in-depth analysis of CrazyHunter ransomware and its attack flow.

Overview 

CrazyHunter, a Go-developed ransomware, employs advanced encryption and delivery methods targeted against Windows-based machines. It uses a data leak site to publicize victim information. 

CrazyHunter ransomware has primarily affected Taiwan, comprising six targeted companies.

According to available information, the primary industry targeted by CrazyHunter ransomware is the healthcare sector, with repeated attacks on hospitals in Taiwan. This preference is likely due to the critical nature of healthcare services, where vast amounts of sensitive patient data are held by these organizations and downtime can have severe consequences.  

Victimology

The primary targets of the CrazyHunter ransomware have been companies in Taiwan, with six organizations known to be compromised. The attackers maintain a data leak site where they publicize information about their victims, particularly those who do not cooperate. 

Attack lifecycle: A step-by-step descent into chaos

CrazyHunter's attack methodology is ruthlessly efficient, demonstrating a deep understanding of enterprise network vulnerabilities. The typical attack progresses through the following stages:

1. Initial compromise: Exploiting the weakest link
   The initial compromise often involves exploiting weaknesses in an organization's Active Directory (AD) infrastructure, frequently by leveraging weak passwords on domain accounts.
2. Lateral movement and propagation: Rapid network domination
   Once initial access is gained, attackers employ techniques for lateral movement and propagation. A key method observed in CrazyHunter attacks is the use of SharpGPOAbuse to distribute the ransomware payload through Group Policy Objects (GPOs). This allows the malware to spread rapidly across the network to multiple systems. Attackers also leverage compromised AD credentials to facilitate this propagation.
3. Privilege escalation: Bypassing security defenses
   To establish control and dismantle security defenses, CrazyHunter leverages advanced privilege escalation tactics. A standout method is the bring-your-own-vulnerable-driver (BYOVD) approach. By weaponizing a modified Zemana anti-malware driver (zam64.sys), the attackers elevate their privileges, effectively bypassing security controls that would otherwise prevent them from succeeding.
4. Encryption and ransom: Data hostage and financial extortion
   The culmination of these stages is the encryption process, where files across the targeted network are encrypted, rendering them inaccessible. Following encryption, a ransom demand is issued, requiring payment for the decryption keys.

Technical analysis

Initial access

A concerning trend in modern cyberattacks involves multistage operations where initial actions are strategically designed to weaken or eliminate security measures before the primary malicious payload is executed. Examining a specific attack flow, as depicted in a particular batch script, reveals a deliberate and sophisticated approach to compromising systems. This analysis will dissect the script's actions, the underlying technical mechanisms employed to disable anti-malware software, and the context surrounding the final deployment of the CrazyHunter ransomware.

Decoding the attack tree

Let's break down the CrazyHunter ransomware process tree shown in Figure 6.

1. Ignition point: ru.bat script execution
   This batch script acts as the orchestrator for the CrazyHunter ransomware deployment and chain-launches all of the ransomware components.
2. Silent takedown: Disabling security first
   Almost immediately, the ru.bat script launches go2.exe, which is quickly followed by go.exe. These are the initial "AV Killers," designed to neutralize security software before the main payload runs. Notice the timeout.exe processes; these are deliberate pauses, likely used to evade detection or allow previous steps time to work.
3. Executing the ransomware: go3.exe
   Next up is go3.exe, identified as the primary CrazyHunter ransomware executable. This is the core component responsible for the destructive file encryption routine.
4. Conditional anti-virus evasion
   If go.exe fails to run, the script tries to deploy av-1m.exe, suggesting an attempt to disable or hinder anti-malware software. Av-1m.exe is not available in the public domain and may be a future development component included. The attacker may be attempting to weaken the system's defenses if an earlier stage component (go.exe) fails to maintain its presence. Av-1m.exe also serves as a fallback mechanism to ensure the AV software is terminated properly.
5. Memory morph: The donut loader (bb.exe)
   The script launches bb.exe, a "Donut Loader." This isn't the encryptor itself, but a tool designed to load shellcode directly into memory. This "fileless" technique helps evade detection that relies on scanning malicious files on disk.
6. Plan B: The backup encryptor
   CrazyHunter.exe is the backup ransomware executable. It's a fail-safe if the primary payload (go3.exe) or the shellcode injection via bb.exe fails, this ensures the encryption still has a chance to succeed.

Tooling: SharpGPOAbuse

SharpGPOAbuse is a publicly available .NET application written in C# designed to exploit Group Policy Objects' (GPOs) inherent management capabilities within an Active Directory environment. It allows attackers to manipulate GPOs to achieve various malicious objectives, such as deploying malware, creating rogue user accounts, or modifying security settings. 

The CrazyHunter team used the tool to deploy ransomware and malware payloads via Group Policy Objects, enabling them to distribute the malware to a large number of computers across the victim's network.

Defense evasion

AV killer - Go.exe and go2.exe

The core of the anti-malware disablement mechanism lies in the functionality of go.exe and go2.exe. These executables exploit a vulnerable driver, zam64.sys, to achieve their objective. 

The process involves two key steps: 

1. Registering the driver.
2. Enumerating and terminating processes associated with antivirus software. 

This technique falls under Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks, where attackers exploit a legitimate but vulnerable driver, zam64.sys version 2.18.371.0, signed by trusted vendors like Zemana, to perform malicious actions.

The initial step performed by go.exe and go2.exe is to load and register the calling process with the zam64.sys driver using the IOCTL code 0x80002010. 

After driver registration, the AV killers enumerate the running processes on the system. They then compare these processes against a predefined list of known anti-malware products. This hardcoded list suggests the attackers have specific security solutions in mind as targets, indicating prior reconnaissance or a focus on commonly deployed security software. 

If a running process matches an entry in the hardcoded list of target processes, the AV killer initiates its termination. This is achieved by sending another IOCTL code, 0x80002048, to the zam64.sys driver.

The successful execution of this IOCTL directly leads to the termination of anti-malware processes, effectively disabling the system's primary defense mechanism against malware.

Unmasking crazyHunter ransomware: A look inside the encryptor

The CrazyHunter ransomware core functionality is outlined below.

1. Drive enumeration: The program begins by identifying all available drives on the system using the getDrives() function. This function iterates through the alphabet (A-Z) and checks if a drive exists for each letter.
2. Directory encryption: For each identified drive, the program calls the EncryptDirectory function from the filewalker package. This suggests the filewalker package contains the logic to recursively traverse directories and encrypt files within them.
3. Wallpaper setting: After attempting to encrypt all drives, the program executes the setWallpaper() function. This function is designed to change the victim's desktop wallpaper.

Drive enumeration: main_getDrives() function

This function iterates through the letters 'A' to 'Z' and for each letter, it attempts to open the root directory of the corresponding drive. If the drive exists, its drive letter is added to the list of available drives. The function then returns the list of all detected drives.

Defining the scope: Exclusion criteria

After looping through all directories for each drive letter, the directory exclusion check will occur, excluding extensions shown in Table 3.

The following file names in Table 4 are also excluded from file encryption.

The following directory names in Table 5 are also excluded from file encryption.

Delving into the cryptographic core:

At its core, CrazyHunter ransomware employs a hybrid encryption strategy that combines symmetric and asymmetric algorithms to effectively secure files. This dual-layered approach is inherited from its foundation, the "Prince Ransomware" builder —an open-source tool written in Go.

ChaCha20: The workhorse for data encryption

For the primary task of encrypting file content, CrazyHunter utilizes the ChaCha20 stream cipher. A distinctive feature of this ransomware is its partial encryption. Instead of encrypting the entire file, it encrypts one byte of data and then skips the next two, leaving them in their original, unencrypted state. This 1:2 encryption ratio is a deliberate design choice from the underlying Prince builder. The likely rationale for this technique is to significantly increase the speed of the encryption process, allowing the ransomware to compromise a larger number of files in less time and potentially evade security solutions that monitor for heavy, sustained disk I/O operations.

ECIES: Safeguarding the encryption keys

While ChaCha20 encrypts the data, the security of the entire operation depends on protecting the unique key and nonce generated for each file. To achieve this, CrazyHunter employs the Elliptic Curve Integrated Encryption Scheme (ECIES). ECIES is an efficient and secure asymmetric encryption method that provides robust security with shorter key lengths than other algorithms, such as RSA. This method ensures that decryption is impossible without the corresponding ECIES private key, which remains exclusively in the attacker's possession. Encrypted files are typically renamed with a .Hunter extension.

Encrypted file

The encrypted files with the .hunter extension are structured as,

[ECIES-encrypted ChaCha20 Key] || [ECIES-encrypted Nonce] || [Partially ChaCha20-encrypted File Content]

Setting the wallpaper

Executes a PowerShell script to download a file from a remote URL: hxxps[://]ncmep[.]org/files/2023/05/ransomeware-01-1280x640[.]png. This downloaded file is saved in the \temp directory as "Wallpaper.png". Another PowerShell command is executed to set it as wallpaper.

Donut loader and shellcode

CrazyHunter.sys is an encrypted shellcode made with the donut framework, and the bb.exe file is a loader. The script executes bb.exe with the -f flag followed by the path to crazyhunter.sys. This command instructs bb.exe to decrypt the shellcode and execute it in memory without writing it to disk.

We manually decoded the shellcode using the open-source tool "donut-decryptor" on GitHub and discovered that it was the same go.exe payload.

Ransom negotiation and payment methods: Extortion process

Communication during ransom negotiation for CrazyHunter ransomware occurs through various channels. One identified method is via email, with the address attack-tw1337@proton.me being associated with CrazyHunter Ransomware.

Additionally, a Telegram channel (Telegram@Magic13377) and a TOR address (http://7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd.onion) are also linked to the CrazyHunter Team. These platforms likely serve as avenues for communicating with victims and, potentially, for hosting leak sites or negotiation portals. Most of the contact details are mentioned in the ransom note.

File.exe: Data exfiltration tooling

The file.exe executable, a component of the CrazyHunter ransomware attack, accepts several command-line arguments that provide insights into its functionalities. These arguments include: -d, -e, -f, -func, -port, -t, and -white. The -func parameter is particularly significant as it dictates the primary mode of operation for the executable. 

Analysis revealed that the file.exe artifact possesses dual functionality: it can transform a compromised machine into a file server or act as a file-monitoring and deletion tool. When operating as a file server, it exposes the designated directory (defaulting to the current) via localhost on a specified port (default: 9999). In monitoring mode, it systematically scans and deletes files matching predefined extensions within the directory and its sub-directories

Based on our research, we predict that file.exe is used in the extortion process to control and monitor the victim’s machine.

Fortifying your defenses: A CISO's guide to neutralizing CrazyHunter ransomware

Secure Active Directory (AD): Enforce MFA for all domain accounts and strictly control GPO modification rights to prevent credential theft and payload distribution via SharpGPOAbuse.

Neutralize Evasion Tactics: Utilize Trellix Endpoint Detection capabilities to counter AV killers and ransomware payloads, and block the execution of BYOVD attacks that exploit vulnerable drivers for privilege escalation and security termination.

Ensure Robust Recovery: Implement a proper backup strategy (offsite/offline) to ensure backups are immutable and inaccessible to the ransomware, and regularly test the incident response plan for effective post-attack recovery.

Restrict Lateral Movement: Use network segmentation and strict access controls to limit the ransomware's rapid propagation capability across the network, particularly by preventing widespread deployment through compromised AD credentials and GPOs.

Trellix protection and mitigation

Trellix has implemented comprehensive protection and mitigation measures against the CrazyHunter ransomware. Our security solutions now include coverage for all known CrazyHunter-related executables, ensuring robust defense against this threat. This proactive approach aims to safeguard our customers by preventing infection and minimizing potential damage.

Appendix A - Indicators of compromise

Appendix B - Trellix detection signatures

Appendix C - MITRE ATT&CK

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/