The Ghost in the Machine: Unmasking CrazyHunter's Stealth Tactics

    Date: 01/08/2026

    Severity: High

    Summary

    CrazyHunter ransomware has emerged rapidly as a serious and evolving threat, and illustrates the growing sophistication of modern cybercriminal operations. We have monitored this ransomware since its first appearance and have observed its swift development and increasing adoption. The CrazyHunter executable is derived from the Prince ransomware, which appeared in mid-2024, but adds significant enhancements, particularly in its network intrusion methods and anti-malware evasion capabilities. The Trellix research listed under Reference below presents a detailed analysis of the CrazyHunter ransomware and its end-to-end attack flow; the indicators and detection queries below are drawn from that analysis.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd.onion

    Email Address:

    attack-tw1337@proton.me

    SHA-256 Hashes:

    f72c03d37db77e8c6959b293ce81d009bf1c85f7d3bdaa4f873d3241833c146b

    754d5c0c494099b72c050e745dde45ee4f6195c1f559a0f3a0fddba353004db6

    983f5346756d61fec35df3e6e773ff43973eb96aabaa8094dcbfb5ca17821c81

    512f785d3c2a787b30fa760a153723d02090c0812d01bb519b670ecfc9780d93

    2cc975fdb21f6dd20775aa52c7b3db6866c50761e22338b08ffc7f7748b2acaa

    d1081c77f37d080b4e8ecf6325d79e6666572d8ac96598fe65f9630dda6ec1ec

    5316060745271723c9934047155dae95a3920cb6343ca08c93531e1c235861ba

    Telegram channel:

    Telegram@Magic13377

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (domain / URL indicator):

    domainname like "7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd.onion" or url like "7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd.onion" or siteurl like "7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd.onion"

    Detection Query 2 (contact email indicator):

    sender IN ("attack-tw1337@proton.me") or receiver IN ("attack-tw1337@proton.me") or from IN ("attack-tw1337@proton.me")

    Detection Query 3 (SHA-256 file hash indicators):

    sha256hash IN ("983f5346756d61fec35df3e6e773ff43973eb96aabaa8094dcbfb5ca17821c81","5316060745271723c9934047155dae95a3920cb6343ca08c93531e1c235861ba","512f785d3c2a787b30fa760a153723d02090c0812d01bb519b670ecfc9780d93","754d5c0c494099b72c050e745dde45ee4f6195c1f559a0f3a0fddba353004db6","f72c03d37db77e8c6959b293ce81d009bf1c85f7d3bdaa4f873d3241833c146b","2cc975fdb21f6dd20775aa52c7b3db6866c50761e22338b08ffc7f7748b2acaa","d1081c77f37d080b4e8ecf6325d79e6666572d8ac96598fe65f9630dda6ec1ec")
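    The three queries above are written for the Gurucul TDIR query language. To make their matching semantics concrete (query 1 is a substring "like" match on three URL-type fields, queries 2 and 3 are exact IN() matches on email and hash fields), here is an added example that re-implements the same logic in plain Python and runs it over constructed sample log records. This is not code from the original advisory and not Gurucul's query engine: the IOC values are copied from the list above, while the log records, their field names such as "source", "host" and "path", and the benign hash are constructed for illustration. One deliberate addition beyond the queries is that the email check reduces a "Display Name <address>" header value to the bare address before comparing, which a literal IN() match would miss.

```python
"""Offline IOC matcher for the CrazyHunter indicators listed above.

Added example, not part of the original Gurucul advisory and not Gurucul's
TDIR query engine: it re-implements the intent of Detection Queries 1-3 in
plain Python so the matching logic can be checked against sample records.
The IOC values are copied from the advisory; the log records, field names
such as "source", "host" and "path", and the host names are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# --- IOCs copied from the advisory's IOC list ---------------------------------
ONION_DOMAIN = "7i6sfmfvmqfaabjksckwrttu3nsbopl3xev2vbxbkghsivs5lqp4yeqd.onion"
CONTACT_EMAIL = "attack-tw1337@proton.me"
SHA256_IOCS = frozenset({
    "f72c03d37db77e8c6959b293ce81d009bf1c85f7d3bdaa4f873d3241833c146b",
    "754d5c0c494099b72c050e745dde45ee4f6195c1f559a0f3a0fddba353004db6",
    "983f5346756d61fec35df3e6e773ff43973eb96aabaa8094dcbfb5ca17821c81",
    "512f785d3c2a787b30fa760a153723d02090c0812d01bb519b670ecfc9780d93",
    "2cc975fdb21f6dd20775aa52c7b3db6866c50761e22338b08ffc7f7748b2acaa",
    "d1081c77f37d080b4e8ecf6325d79e6666572d8ac96598fe65f9630dda6ec1ec",
    "5316060745271723c9934047155dae95a3920cb6343ca08c93531e1c235861ba",
})

# Field names follow the three queries: query 1 inspects domainname/url/siteurl,
# query 2 inspects sender/receiver/from, query 3 inspects sha256hash.
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
EMAIL_FIELDS = ("sender", "receiver", "from")
HASH_FIELDS = ("sha256hash",)


@dataclass(frozen=True)
class Match:
    query: int      # which detection query (1, 2 or 3) fired
    field: str      # the log field that matched
    value: str      # the raw field value as logged


def _norm(value) -> str:
    """Case-fold and strip, so 'F72C..' and 'f72c..' compare equal."""
    return str(value).strip().lower()


def _address(value) -> str:
    """Reduce 'Display Name <user@host>' to the bare address, lower-cased.

    The query's IN() comparison is an exact match, so a display-name form
    would otherwise slip past it; parseaddr handles both forms.
    """
    return parseaddr(str(value))[1].lower()


def match_record(record: dict) -> list[Match]:
    """Apply the three queries to one log record and return every hit."""
    hits: list[Match] = []
    for f in DOMAIN_FIELDS:                     # query 1: 'like' -> substring
        if f in record and ONION_DOMAIN in _norm(record[f]):
            hits.append(Match(1, f, str(record[f])))
    for f in EMAIL_FIELDS:                      # query 2: IN() -> exact address
        if f in record and _address(record[f]) == CONTACT_EMAIL:
            hits.append(Match(2, f, str(record[f])))
    for f in HASH_FIELDS:                       # query 3: IN() on SHA-256
        if f in record and _norm(record[f]) in SHA256_IOCS:
            hits.append(Match(3, f, str(record[f])))
    return hits


def scan(records) -> list[Match]:
    """Run match_record over a stream of records, preserving record order."""
    return [hit for record in records for hit in match_record(record)]


# Constructed sample records (not real telemetry). Host names, paths and the
# all-zero benign hash are invented; the IOC values are the advisory's.
SAMPLE_RECORDS = [
    {"source": "proxy", "host": "ws-042",
     "url": "http://" + ONION_DOMAIN + "/"},                         # query 1
    {"source": "dns", "host": "ws-042",
     "domainname": "updates.example.com"},                             # clean
    {"source": "mail", "receiver": "helpdesk@example.com",
     "sender": "CrazyHunter <Attack-TW1337@proton.me>"},               # query 2
    {"source": "edr", "host": "srv-07", "path": "C:\\Users\\Public\\ch.exe",
     "sha256hash": "F72C03D37DB77E8C6959B293CE81D009BF1C85F7D3BDAA4F873D3241833C146B"},  # query 3
    {"source": "edr", "host": "srv-07", "path": "C:\\Windows\\notepad.exe",
     "sha256hash": "0" * 64},                                          # clean
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"query {hit.query} matched field {hit.field!r}: {hit.value}")
```

    Two caveats when deploying the real queries. A .onion address is resolved inside the Tor client rather than through ordinary DNS, so query 1 will rarely fire on DNS telemetry; it is more likely to hit on proxy logs, on ransom-note contents indexed by a DLP or EDR tool, or on ticket text. Hash matches (query 3) are exact and therefore brittle against any recompiled or repacked sample, so treat a hash hit as confirmation of a known build rather than as the only detection for the family.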

    Reference:

    https://www.trellix.com/blogs/research/the-ghost-in-the-machine-crazyhunters-stealth-tactics/


    Tags

    CrazyHunter, Malware, Ransomware
