CrazyHunter Ransomware
CrazyHunter is a ransomware campaign targeting healthcare that weakens endpoint defenses and escalates privileges before encrypting systems at scale.
The Handala threat group has recently emerged as a disruptive Iranian-aligned cyber operation that has conducted destructive and espionage-oriented campaigns against organizations across multiple regions. Recent reporting highlights activity targeting entities in Israel and Western countries, including a high-profile attack against a medtech company, where systems were reportedly disrupted as part of a destructive cyber campaign. The threat group has also been linked to operations impacting institutions such as schools and infrastructure targets, demonstrating an evolution from traditional hacktivist messaging into more operationally damaging attacks. Over the past several months, Handala has been observed demonstrating an increased ability to coordinate attacks that combine data theft, destructive malware, and public messaging campaigns, allowing them to cause disruption while amplifying political narratives tied to regional tensions.
This Hunt Package identifies single-character file names used at the point of execution or in command line arguments, with optional logic to also look for the corresponding file-creation events.
This package identifies potentially malicious use of WMI (Windows Management Instrumentation) for local enumeration and discovery of a host.
This Threat Hunt package identifies the use of delayed execution tactics involving timeout.exe to introduce pauses between command executions. This technique is commonly used by threat actors to evade detection mechanisms, delay payload execution, or coordinate multi-stage attacks. By leveraging legitimate system tools to create timed delays, malicious activity can blend in with normal operations, making it harder to detect using traditional signature-based approaches. This hunt focuses on uncovering patterns of timed delays that may indicate stealthy or staged execution behaviors associated with post-exploitation activity or automated threat actor workflows.
This use case is meant to detect msiexec.exe installing MSI files from directories outside standard/trusted installation paths, which may indicate malicious software installation.
This Threat Hunt package identifies instances where adversaries may be using the native Windows tasklist command in combination with the findstr utility to locate security-related processes. Adversaries and malware often use this method to find processes associated with security products and other services of interest. Once those processes are identified, an attacker can attempt to disable or tamper with the security tooling, gather sensitive information, or tailor the rest of the intrusion to what is actually running on the host.
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to use bcdedit to modify the boot configuration so that the victim cannot recover the system. This package identifies bcdedit being run with arguments commonly seen in that tampering, such as delete and safeboot.
This Threat Hunt package identifies when ping.exe is run with the count argument (-n), which limits the number of ICMP echo requests sent to the destination; a single probe per host is typical of scripted reachability checks during discovery.
This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key, or when the way Microsoft Defender responds to threats is altered by changing its configuration through other registry keys.
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host, so that the victim cannot roll the files back. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow (such as shadows or shadowcopy).
This package is meant to identify activity around enumerating for logical drives on a system utilizing WMIC, a behavior observed in relation to the Brute Ratel tool.
DevMan Ransomware is a newly emerging ransomware operation observed in 2025 that has been assessed as a derivative of the DragonForce ransomware family.
Gootloader resurfaced with enhanced capabilities, building on the multi-stage loader malware first seen in 2020.
Executive Summary
The Handala threat group, an Iranian-aligned cyber operation, has been conducting destructive and espionage-oriented campaigns against various organizations, particularly in Israel and Western countries. A notable attack targeted a medtech company, causing system disruptions as part of a destructive cyber campaign. The group has been linked to operations affecting schools, infrastructure targets, and institutions, demonstrating a shift from traditional hacktivist messaging towards more damaging attacks. Recently, Handala has shown increased coordination in attacks that involve data theft, destructive malware, and public messaging campaigns.
CrazyHunter, a ransomware campaign targeting healthcare, has also emerged. It weakens endpoint defenses and escalates privileges before encrypting systems at scale. Another newly emerging ransomware operation, DevMan, has been assessed as a derivative of the DragonForce ransomware family.
Gootloader, a multi-stage loader malware, has resurfaced with enhanced capabilities.
Full Take
The Handala threat group's activities suggest a shift from traditional hacktivism towards more operationally damaging attacks, raising concerns about the potential for increased cyber warfare activities. The group's coordination of data theft, destructive malware, and public messaging campaigns could be a sign of state-sponsored cyber operations aimed at achieving strategic objectives.
CrazyHunter's focus on healthcare targets highlights the vulnerability of critical infrastructure in the face of cyber threats. The continued emergence of new ransomware operations like DevMan indicates the resilience and adaptability of these threats, underscoring the need for robust cybersecurity measures.
Gootloader's resurfacing with enhanced capabilities demonstrates the persistent threat posed by multi-stage loader malware, which can be used to deliver a wide range of malicious payloads.