Quorum Cyber turns tables on cybercriminals by exposing new RAT

EDINBURGH, Scotland – Global cybersecurity firm Quorum Cyber announced that it has identified a novel new malware named SharpRhino.  

During a ransomware investigation, the company’s Threat Intelligence team discovered previously unknown malware was being utilized by the threat actor Hunters International as an initial infection vector and subsequent Remote Access Trojan (RAT), representing an evolution in the tactics, techniques and procedures (TTP) of the prominent malware group, which is believed to be affiliated with Russia. 

“Based on their being no indicators of previous use, it is highly likely that this is the first deployment of the Remote Access Trojan by Hunters International, thus indicating an advancement in their TTPs,” said Michael Forret, a threat intelligence analyst for Quorum Cyber. “SharpRhino was deployed using Malvertising, which is different from traditional techniques Hunters International has typically been reported using, including phishing emails, compromised Remote Desktop Protocol (RPD) service, supply chain attacks, social engineering, and exploiting vulnerable public-facing applications.” 

First observed in October 2023, Hunters International became the 10th most active ransomware group globally in 2024. Due to compelling similarities in the ransomware source code, the group has been attributed to the now defunct Russia-based ransom group known as the Hive. Hunters International, which claimed responsibility for over 130 attacks in 2024, has positioned itself as a RaaS provider, enabling other potentially less sophisticated threat actors with the tooling required to conduct additional attacks. 

It’s not necessarily the techniques themselves that are new but rather the method used by Hunters International to execute them, company officials say. Named SharpRhino due to its use of the C# programming language, the malware is delivered through a typosquatting domain impersonating the legitimate networking tool Angry IP Scanner, which is popular with IT professionals. On execution, it establishes persistence and provides the attacker remote access to the device, which is then utilized to progress the attack. 

"Typosquatting and watering hole attacks are just one tool in the threat actor’s arsenal used to prey on organizations,” said James Allman-Talbot, head of incident response and threat intelligence at Quorum Cyber. “SharpRhino serves as a reminder that threat actors, particularly ransomware groups, given the financial gain they seek, are constantly developing new capabilities and identifying new ways to infiltrate their victims.”