GOLD CRESCENT
SUMMARY
GOLD CRESCENT is a financially motivated cybercrime group that operated the Hunters International name-and-shame ransomware-as-a-service (RaaS) scheme through July 2025. In early 2025 the group transitioned to a hack-and-leak operation called World Leaks that forgoes file-encrypting ransomware altogether and relies on data theft alone for extortion. Between October 2023 and May 2025 the Hunters International dedicated leak site (DLS) posted the names of 300 purported victims. Between May 2025 and August 2025 the World Leaks DLS posted 67 names.
The group does not advertise for affiliates on underground forums, which suggests it operates a private service that relies on a relatively small group of individuals to access victims' networks and exfiltrate data. These affiliates do not work exclusively with Hunters International. CTU researchers are aware of one incident in which a victim received ransom demands from both the group and LockBit as a result of the same compromise, and of at least one other victim that was named on the Hunters International and LockBit leak sites in quick succession.
Early third-party analysis of the Hunters International ransomware binary, which is written in Rust and appends the .locked extension to the files it encrypts, suggested significant similarity to Hive ransomware. In fact, some antivirus vendors continue to detect it as Hive. These similarities prompted some to speculate that Hunters International was a rebrand of Hive, whose infrastructure was taken down by the U.S. Federal Bureau of Investigation (FBI) in January 2023; notably, no arrests were made and no sanctions were levied against individuals associated with Hive ransomware activity, so the operators were free to continue. This speculation prompted the operators of Hunters International to issue a statement on their leak site disavowing the claims and asserting that any similarities between the ransomware binaries were due to their having purchased the source code from the Hive operators. If such a purchase was made, it was not a public transaction.
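The .locked extension is one of the few concrete artifacts the profile gives for the encryptor, and a file-rename burst is the observable that matters during deployment: a single user renaming one file to .locked is noise, a process renaming dozens in seconds is an encryption run. The following is an added example, not CTU detection content or anything from the Hunters International tooling. It assumes a tab-separated rename event feed (timestamp, process name, PID, old path, new path) that is constructed here for illustration; the field layout, process names and paths are hypothetical.

```python
"""Sliding-window detector for bursts of renames to the .locked extension.

Added example; not CTU or Hunters International code. The event format and
the sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKED_EXT = ".locked"  # extension the Hunters International encryptor appends

# Constructed sample events (hypothetical telemetry), tab-separated:
# timestamp \t process \t pid \t old_path \t new_path
SAMPLE_EVENTS = [
    # One manual rename by a user: should not alert on its own.
    "2025-03-01T02:14:00\tExplorer.EXE\t2208\tC:\\Users\\jdoe\\notes.txt\tC:\\Users\\jdoe\\notes.locked",
    # Unrelated rename with a different extension: ignored.
    "2025-03-01T02:14:01\tsvchost.exe\t812\tC:\\Windows\\Temp\\a.tmp\tC:\\Windows\\Temp\\b.tmp",
    # Six renames to .locked by one process within five seconds: an encryption burst.
    "2025-03-01T02:15:00\tupdate.exe\t4411\tC:\\Share\\Q1.xlsx\tC:\\Share\\Q1.xlsx.locked",
    "2025-03-01T02:15:01\tupdate.exe\t4411\tC:\\Share\\Q2.xlsx\tC:\\Share\\Q2.xlsx.locked",
    "2025-03-01T02:15:02\tupdate.exe\t4411\tC:\\Share\\plan.docx\tC:\\Share\\plan.docx.locked",
    "2025-03-01T02:15:03\tupdate.exe\t4411\tC:\\Share\\hr.pdf\tC:\\Share\\hr.pdf.locked",
    "2025-03-01T02:15:04\tupdate.exe\t4411\tC:\\Share\\db.bak\tC:\\Share\\db.bak.locked",
    "2025-03-01T02:15:05\tupdate.exe\t4411\tC:\\Share\\keys.kdbx\tC:\\Share\\keys.kdbx.locked",
]


def parse_event(line):
    """Split one tab-separated rename event into a dict with a datetime timestamp."""
    ts, proc, pid, old, new = line.rstrip("\n").split("\t")
    return {
        "ts": datetime.fromisoformat(ts),
        "proc": proc,
        "pid": int(pid),
        "old": old,
        "new": new,
    }


def detect_locked_bursts(lines, threshold=5, window_seconds=10):
    """Return one alert per (process, pid) whose renames to .locked reach
    `threshold` events inside any `window_seconds`-wide sliding window.

    Events are grouped per process so that many processes each renaming a
    single file do not add up to a false positive.
    """
    window = timedelta(seconds=window_seconds)
    stamps_by_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["new"].lower().endswith(LOCKED_EXT):
            stamps_by_proc[(ev["proc"], ev["pid"])].append(ev["ts"])

    alerts = []
    for (proc, pid), stamps in stamps_by_proc.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            # Advance the window start until all events fit within `window`.
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"process": proc, "pid": pid, "count": best})
    return alerts


if __name__ == "__main__":
    for alert in detect_locked_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['process']} (pid {alert['pid']}) renamed "
              f"{alert['count']} files to {LOCKED_EXT} within 10s")
```

The threshold and window are deliberately conservative; in production you would tune them against a baseline of the environment's own rename rate, and the same logic applies to any extension an encryptor is known to append.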
Information about the tactics, techniques and procedures (TTPs) used in Hunters International ransomware deployments is scant, and the affiliates likely use a variety of methods to conduct attacks. In August 2024, Quorum Cyber reported on a custom tool used in Hunters International intrusions that the company named SharpRhino. SharpRhino masquerades as a legitimate Nullsoft Scriptable Install System (NSIS) installer for the Angry IP Scanner network scanning tool but acts as a remote access trojan (RAT). It maintains persistence by modifying the registry and installing itself in multiple locations for redundancy, so removing a single copy or registry entry does not fully remediate an infected host.