Hunters International
World Leaks is a cyber extortion operation and Extortion-as-a-Service (EaaS) group that steals sensitive data from victim organizations and threatens to publish it on dark web leak infrastructure if ransom demands are not paid. Cited reporting describes the group as a rebrand or splinter of Hunters International, placing its emergence in early 2025 or January 2025; some reporting instead dates its emergence to early 2024 and a shift to an extortion-only model in mid-2025. Known aliases are Hunters International, worldleaks, and world_leaks. Reporting consistently describes World Leaks as focused on data theft and extortion rather than file encryption, although one Darktrace case attributed to World Leaks in a healthcare environment involved both exfiltration and encryption, indicating that affiliates may deviate from the group's claimed extortion-only model. The group operates a dark web leak site and a victim negotiation portal with live chat, and some reporting says it also maintains an affiliate management panel and an "insider" platform intended to give journalists early access to stolen data to increase pressure on victims. Reported targeting spans healthcare, manufacturing, technology, government, media, telecommunications, energy, utilities, information technology, and defense-adjacent organizations. Most identified victims are in the United States, with additional victims in Canada, Europe, India, and China. Victims and claimed victims named in reporting include Nike, Dell, UBS, Mediaworks, Legend Senior Living, the City of Los Angeles, and LAPD-related data exposed through a Los Angeles City Attorney's Office third-party storage/discovery transfer system.
Initial access methods attributed to World Leaks include phishing, compromised credentials, valid VPN credentials, exploitation of exposed or public-facing services, RDP abuse, and brute force against exposed RDP. Reported tradecraft includes data discovery and exfiltration; use of SMB, RDP, SSH, PsExec, and WinRM, plus account manipulation; persistence via registry modifications and scheduled tasks; and exfiltration via custom tooling, Rclone (with WinSCP as a fallback), MEGA, Backblaze, HTTPS, Tor, and Cloudflare-backed infrastructure. One intrusion described in detail began with brute forcing an exposed RDP service, followed by disabling security controls with privacy.sexy, reconnaissance with SoftPerfect Network Scanner, a Cobalt Strike PowerShell stager, deployment of lactenin.exe, and use of RustyRocket (agent.exe), described as a custom World Leaks exfiltration platform, to collect files over SMB and exfiltrate them over HTTPS to thousands of Cloudflare IPs. The same intrusion used tailored extortion notes for leadership and employees and Tor-based negotiation infrastructure. Reporting also notes overlap or association with Hive, Secp0 Ransomware, and UNC6148, but only as stated associations in the source material. No sub-groups are identified in the available reporting.
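As an added example (not code from the page or from Mallory), the following Python correlates a burst of failed RDP logons from one source IP with a later successful remote-interactive logon from the same IP, the initial-access pattern described above. Event IDs and logon types follow standard Windows Security logging; the thresholds and the log records are constructed assumptions.

```python
"""Correlate a burst of failed RDP logons from one source IP with a later
successful RemoteInteractive logon from the same IP.

Windows Security event IDs: 4625 = failed logon, 4624 = successful logon.
LogonType 10 = RemoteInteractive (RDP). With Network Level Authentication
enabled, failed RDP attempts are commonly logged as LogonType 3 instead,
so both types are accepted for failures. Thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures from one source IP ...
WINDOW = timedelta(minutes=5)  # ... within this window before the success
FAIL_LOGON_TYPES = {3, 10}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def detect_rdp_bruteforce_success(events):
    """Return alerts as (source_ip, account, success_ts, fail_count)."""
    fails = defaultdict(list)  # source_ip -> timestamps of failed logons
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort
        ts, ip = parse_ts(ev["ts"]), ev["ip"]
        if ev["id"] == 4625 and ev["logon_type"] in FAIL_LOGON_TYPES:
            fails[ip].append(ts)
        elif ev["id"] == 4624 and ev["logon_type"] == 10:
            recent = [t for t in fails[ip] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append((ip, ev["account"], ev["ts"], len(recent)))
    return alerts

# Constructed sample: six failures then a success from 203.0.113.7
# (documentation range), and a single benign failure from 198.51.100.2.
SAMPLE_EVENTS = [
    {"ts": f"2025-01-15T02:00:{i:02d}", "id": 4625, "logon_type": 3,
     "ip": "203.0.113.7", "account": "administrator"} for i in range(0, 60, 10)
] + [
    {"ts": "2025-01-15T02:01:05", "id": 4625, "logon_type": 3,
     "ip": "198.51.100.2", "account": "jsmith"},
    {"ts": "2025-01-15T02:01:30", "id": 4624, "logon_type": 10,
     "ip": "203.0.113.7", "account": "administrator"},
    {"ts": "2025-01-15T02:02:00", "id": 4624, "logon_type": 10,
     "ip": "198.51.100.2", "account": "jsmith"},
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce_success(SAMPLE_EVENTS):
        print("ALERT rdp brute force followed by success:", alert)
```

The same correlation can be fed from an EDR or SIEM export; exposing RDP directly to the internet is the condition this rule assumes, and removing that exposure is the stronger mitigation.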
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- retail
Tradecraft
48 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
- CVE-2017-17215 (score 9.1): NETGEAR Routers (R6400, R7000, R8000); attributed to World Leaks, TheGentlemen, and Devman.
- Other cases include Oracle WebLogic Server CVE-2025-21535, a missing authentication vulnerability tied to initial access in activity attributed to Hunters International...
Observables
15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
- Named as the prior ransomware operation from which World Leaks rebranded.
- Leading ransomware actor targeting high-value Chinese sectors in a competitive ransomware landscape.
- Claimed responsibility for the Legend Senior Living attack, listed the victim on its dark web leak site, and leaked stolen data after ransom was not paid.
- Ransomware intrusion activity using Rclone as the primary exfiltration tool and WinSCP as a fallback when cloud sync protocols are blocked.