worldleaks
Ransomware group profile
Description
WorldLeaks is a cyber threat group that emerged in January 2025 as a rebranding of Hunters International, focusing on a pure data extortion model instead of traditional ransomware. They have developed a comprehensive Extortion-as-a-Service (EaaS) platform that aids affiliates in data theft, adopting sophisticated techniques to evade detection and exert pressure on victims through reputational damage.
Key insights
- •WorldLeaks operates primarily through the exploitation of compromised VPN credentials lacking Multi-Factor Authentication (MFA).
- •The group has a unique four-platform infrastructure, which includes a data leak site and a victim negotiation portal.
- •They utilize living-off-the-land techniques and process injection to evade detection.
- •A notable method for initial access is the deployment of a custom rootkit called OVERSTEP on SonicWall SMA appliances.
- •Although primarily focused on data extortion, there are reports of encryption being used in some attacks.
- •WorldLeaks leverages a journalist portal to amplify reputational damage against victims, increasing pressure for compliance.
- •Their extortion model combines financial demands with threats of public data leaks to coerce victim organizations.
Threat Level & Status Breakdown
For worldleaks · Based on incidents in selected period
Status Breakdown
Recent activity
Monthly attack count for worldleaks in the selected period
Intelligence
IOCs, YARA/Sigma rules, and related families for worldleaks
- d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903
- e75e5778e71e062ce4a7af673f0b2513854d2367fee0f01a26c0c998863bdf6e
- eae09889399fe4fb8e78b114dba0527de913d12fb1802944a88ed136e3e90577
- 94f73b5dc06ba6705fcef3e759413a747049c2949a0c2e44afc03b2f9989cf73
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for worldleaks
T1486
T1486
T1490
T1490
T1078
T1078
T1021
T1021
T1562
T1562
T1059
T1059
T1047
T1047
T1021.001
T1021.001
T1566.001
T1566.001
T1190
T1190
T1071.002
T1071.002
T1075
T1075
Victims(124)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| American Battery Factory | americanbatteryfactory.com | US United States | Manufacturing | Claimed | 6 days ago | |
| BMJ Paperpack | bmjpaperpack.com | ID Indonesia | Manufacturing | Claimed | 12 days ago | |
| Bestat Pharmaservices Corp. | bestat.com.tw | TW Taiwan | Healthcare | Claimed | 22 days ago | |
| Ceywater Consultants | ceywater.com | LK Sri Lanka | Professional Services | Claimed | about 1 month ago | |
| Peyton Law Firm | peytonlaw.com | US United States | Professional Services | Claimed | about 1 month ago | |
| SMTA Sherwood Mutual Telephone Association | smta.cc | US United States | Technology | Claimed | about 1 month ago | |
| Mediaworks Kft | — | HU Hungary | Professional Services | Claimed | about 1 month ago | |
| DIME Distribuidora | — | BR Brazil | Retail & E-Commerce | Claimed | about 1 month ago | |
| Carma Packaging | — | IN India | Manufacturing | Claimed | about 1 month ago | |
| Intikom | — | ID Indonesia | Technology | Claimed | about 1 month ago | |
| Birtcher Anderson & Davis | — | US United States | Professional Services | Claimed | about 1 month ago | |
| Virginia Health Services | — | US United States | Healthcare | Claimed | about 1 month ago | |
| Equatorial Coca-Cola Bottling | — | MA Morocco | Retail & E-Commerce | Claimed | about 1 month ago | |
| Jersey Fabrication Group LLC | — | US United States | Manufacturing | Claimed | about 2 months ago | |
| Deaconess Health System | — | US United States | Healthcare | Claimed | about 2 months ago | |
| National Aerospace Fasteners | — | TW Taiwan | Manufacturing | Claimed | 2 months ago | |
| AMBAU Personalservice | — | DE Germany | Professional Services | Claimed | 2 months ago | |
| Alamo Heights School District | — | US United States | Education | Claimed | 2 months ago | |
| San Felipe Del Rio CISD School | — | US United States | Education | Claimed | 2 months ago | |
| Sheraton Hotel | — | US United States | Hospitality | Claimed | 2 months ago |
Page 1 of 7
Affected countries(38)
Countries where this group has been reported to target or leak victims.