This scenario simulates a full-chain WorldLeaks (ex-Hunters International) pure extortion attack, based on the SOSRansomware threat intelligence report and corroborated by Group-IB and Lexfo Security research.
WorldLeaks represents the evolution of Hunters International, which itself emerged from Hive ransomware's infrastructure. In January 2025, the group pivoted from traditional double extortion (encrypt + leak) to pure extortion only — stealing data without encrypting systems. This scenario reproduces their exact TTP chain, from initial access via spearphishing to data exfiltration using Rclone, with emphasis on the collection and exfiltration phases that define their operational model.
Simulates the delivery of a weaponized Office document containing a VBA macro. WorldLeaks affiliates commonly use spearphishing emails with macro-enabled attachments (.xlsm, .docm) as the initial compromise vector. The macro establishes initial code execution on the victim endpoint.
What it does
Drops and executes a simulated macro payload, generating process creation artifacts consistent with Office child process spawning (winword.exe → cmd.exe/powershell.exe).
T1059.001 — Command and Scripting Interpreter: PowerShell
Delay
T+2min
Description
Following initial macro execution, WorldLeaks deploys an encoded PowerShell stager to establish a foothold. Base64-encoded commands are used to evade basic command-line logging and static detection rules.
What it does
Executes a Base64-encoded PowerShell command that performs reconnaissance and establishes persistence artifacts. This mirrors the real-world technique where WorldLeaks uses -EncodedCommand to bypass AMSI and script block logging.
Detection opportunities
PowerShell with -EncodedCommand flag, suspicious Base64 strings in command line, ScriptBlock logging events (Event ID 4104).
Stage 3 — Discovery: System & Network Reconnaissance
ATT&CK
T1082 — System Information Discovery / T1135 — Network Share Discovery
Delay
T+4min
Description
WorldLeaks operators perform extensive reconnaissance to identify high-value data stores before exfiltration. This includes system profiling, network share enumeration, and identification of accessible file servers — critical for their pure extortion model where data selection directly impacts ransom leverage.
What it does
Executes native Windows commands (systeminfo, net share, net view, ipconfig /all) to enumerate the local system and network topology. Results are collected for operator review.
Detection opportunities
Rapid succession of discovery commands, net.exe/net1.exe execution, unusual enumeration patterns from a single endpoint.
Stage 4 — Discovery: Security Software Discovery
ATT&CK
T1057 — Process Discovery
Delay
T+6min
Description
Before escalating privileges and moving laterally, WorldLeaks operators enumerate running security products to tailor their evasion techniques. Identifying EDR agents, antivirus solutions, and monitoring tools allows them to select the appropriate defense evasion strategy for the target environment.
What it does
Enumerates running processes and installed services to identify security software (EDR agents, AV products, SIEM collectors). Uses native Windows commands and WMI queries.
Detection opportunities
WMI queries targeting AntiVirusProduct class, process enumeration focused on security tools, tasklist / Get-Process with filtering patterns.
WorldLeaks operators dump LSASS process memory to extract plaintext credentials, NTLM hashes, and Kerberos tickets. ProcDump (a legitimate Sysinternals tool) is used to create the memory dump, reducing detection surface compared to tools like Mimikatz. This technique was specifically observed in Hunters International / WorldLeaks campaigns.
What it does
Downloads ProcDump (with prerequisite check), creates a memory dump of the LSASS process. The dump file is written to a controlled artifact directory and cleaned up after execution.
Detection opportunities
Access to LSASS process memory (Sysmon Event ID 10), ProcDump execution with -ma flag targeting lsass.exe, suspicious .dmp file creation, credential guard alerts.
Stage 6 — Defense Evasion: Disable Windows Event Logging
ATT&CK
T1562.002 — Impair Defenses: Disable Windows Event Logging
Delay
T+10min
Description
Before proceeding to lateral movement and data collection, WorldLeaks operators disable or tamper with Windows event logging to blind SIEM and forensic analysis. This is a critical step in their operational playbook — reducing the evidence trail makes post-incident investigation significantly harder, increasing pressure on victims to pay the ransom rather than attempt recovery.
What it does
Disables Windows event logging services with state backup for cleanup restoration. All original settings are saved and restored during cleanup.
Detection opportunities
Event log service stop events (Event ID 1100/1102), wevtutil commands, security audit policy changes, gaps in event log continuity.
Stage 7 — Persistence: Scheduled Task
ATT&CK
T1053.005 — Scheduled Task/Job: Scheduled Task
Delay
T+12min
Description
WorldLeaks establishes persistence via scheduled tasks to maintain access across reboots. The IOC HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wldboot from threat intelligence indicates they also use Run Keys, but scheduled tasks provide more flexible execution options and can be configured with specific triggers (logon, idle, time-based). This ensures the operator can return to the compromised environment if the initial access channel is lost.
What it does
Creates a scheduled task that simulates WorldLeaks persistence. The task is fully removed during cleanup — no durable attacker capability is left behind.
Detection opportunities
schtasks.exe /create, Event ID 4698 (Scheduled task created), new task entries in C:\Windows\System32\Tasks\, suspicious task actions pointing to PowerShell or cmd.exe.
🎯 Stage 8 — Collection: Sensitive Data Harvesting
ATT&CK
T1039 — Data from Network Shared Drive / T1074.001 — Data Staged: Local Data Staging
Delay
T+14min
Description
Core WorldLeaks TTP. Operators systematically harvest sensitive data from network shares and local repositories. In the Dell breach, WorldLeaks exfiltrated 1.3TB across 416,103 files. Their custom "Storage Software" component automates file discovery and collection based on file type, size, and path patterns — prioritizing financial documents, intellectual property, HR records, and customer data for maximum extortion leverage.
What it does
Discovers and catalogs files matching sensitive patterns across accessible storage locations. Uses parameterized OpenAEV arguments for target paths — no hardcoded hostnames or shares.
T1560.001 — Archive Collected Data: Archive via Utility
Delay
T+16min
Description
Core WorldLeaks TTP. Before exfiltration, collected data is compressed into password-protected archives. This serves dual purposes: reducing transfer volume and evading DLP/content inspection systems that cannot examine encrypted archives. In the Dell breach, WorldLeaks compressed 1.3TB of data before exfiltration through their proxy infrastructure.
What it does
Compresses target files into a password-protected archive. The payload uses OpenAEV arguments for target paths and passwords — nothing is hardcoded. Full cleanup removes the archiving tool and all archive artifacts.
Detection opportunities
Archive utility execution with password flag (-p), large archive creation, unusual compression activity from non-standard paths, file access patterns indicating bulk data collection.
🎯 Stage 10 — Exfiltration: Rclone Cloud Upload
ATT&CK
T1567 — Exfiltration Over Web Service
Delay
T+18min
Description
Signature WorldLeaks technique. The group uses Rclone — a legitimate cloud synchronization tool — to exfiltrate archived data to attacker-controlled cloud storage. Rclone supports 40+ cloud providers, making it extremely versatile for data theft. WorldLeaks' 4-tier infrastructure routes exfiltrated data through proxy layers to their Storage Software servers. This is the culmination of the pure extortion model: steal, don't encrypt.
What it does
Downloads Rclone (with prerequisite check), creates a configuration pointing to a non-existent endpoint (safe-by-design — no actual data leaves the network), and executes the upload command. The payload generates all the process creation, network connection, and configuration artifacts that a real Rclone exfiltration would produce. Full cleanup removes Rclone, config files, and all artifacts.
Detection opportunities
rclone.exe process execution, Rclone configuration file creation (rclone.conf), outbound HTTPS connections to cloud storage APIs, large outbound data transfers, DNS queries to cloud provider domains, command-line arguments containing copy or sync with remote paths.
🔒 Security Checklist
Criterion
Status
No C2 / reverse shell / beacon
✅ All traffic stays local or targets non-existent endpoints
No real malware / ransomware binaries
✅ Only native Windows tools + legitimate utilities
No actual data exfiltration
✅ Rclone targets a non-routable/non-existent endpoint
Cleanup removes all artifacts
✅ Dumps, archives, logs, tools all cleaned
Cleanup removes persistence
✅ Scheduled tasks deleted
Cleanup restores security settings
✅ Event logging state restored from backup
ATT&CK mapping on every inject
✅ 10 techniques mapped across 7 tactics
No hardcoded hostnames/IPs
✅ OpenAEV arguments used for parameterization
Uses existing verified payloads
✅ No custom "bullshit" payloads — all from verified library
📊 Value Proposition
Source-driven realism — Every stage maps directly to WorldLeaks TTPs documented in the SOSRansomware report, Group-IB research, and Lexfo Security analysis
Exfiltration emphasis — Stages 8-10 specifically reproduce WorldLeaks' pure extortion model (collect → archive → exfiltrate), differentiating them from traditional ransomware groups
Detection validation — Each inject generates real artifacts (process creation, file system, registry, network) that validate EDR/SIEM detection rules
Safe-by-design — Full execution on production-like environments without risk: no real C2, no real exfiltration, complete cleanup
Parameterized payloads — OpenAEV arguments allow customization per environment without modifying payload code
Complete kill chain coverage — 10 ATT&CK techniques across 7 tactics, providing comprehensive detection gap analysis