xHunt Malware Framework

Originally called Sakabota, it is believed to have been split into several modules in order for SectorD01 to properly compartmentalise their tools. xHunt initial payloads are delivered via sophisticated spear-phishing campaigns or supply chain compromises. SectorD01 will perform extensive reconnaissance and data collection on potential targets, which include shipping, telecommunications, and governmental organisations.

As it is a modular framework, xHunt campaigns can be tailored for specific targets, with modules able to be installed and removed as needed. At the time of publication, the following modules have been identified:

• Sakabota - Primary xHunt module. Able to deliver subsequent modules as well as the Mimikatz credential harvesting tool sign with PsExec and WMIC. It will also initiate a connection with the primary command and control (C2) server.
• Hisoka - Modular backdoor that uses both HTTP and DNS for C2 communications.
• Killua - Believed to be a newer version of Hisoka with no added functionality.
• Netero - Embedded tool used by Hisoka for C2 communications using Exchange Web Server. Netero will then pass emails containing instructions for Hisoka to take.
• Diezen - Backdoor with similarities to Hisoka. Uses a proprietary non-HTTP protocol over 443 to connect to a C2 server. Appears to have been superseded in later campaigns by Hisoka and Gon.
• Gon - Lightweight post-exploitation remote access trojan focused on port scanning, password brute-forcing, and creating RDP sessions.
• EYE - Monitors SectorD01 RDP sessions on affected systems. It will then attempt to close all processes and remove all files associated with xHunt when the sessions are ended.