World Leaks
World Leaks is an extortion-focused cybercriminal operation that emerged in early 2024 and is assessed in the provided reporting as a direct rebrand of Hunters International, with multiple sources stating the rebrand likely occurred in January 2025. It is described as an affiliate-based Extortion-as-a-Service operation that shifted away from a traditional ransomware model toward exfiltration-only extortion, providing affiliates with a proprietary or custom-built data exfiltration tool (described as Storage Software) and supporting infrastructure including a dark web leak site, victim negotiation portal with live chat, affiliate management panel, and an insider journalist platform. The group has published stolen data from dozens of organizations globally and has been associated in the reporting with Hive Ransomware, Secp0 Ransomware, and UNC6148.
World Leaks is reported to target organizations globally, with most known victims in the United States and additional victims in Canada and Europe. Sectors explicitly mentioned include manufacturing, healthcare, and technology, particularly organizations holding valuable intellectual property. The reporting also characterizes the group as involved in stable double-extortion activity, while other cited material states it ransoms without encryption.
Initial access methods attributed to World Leaks in the provided content include compromised VPN credentials lacking MFA, phishing, RDP, internet-facing VPN infrastructure, and public-facing applications. In one detailed January 2026 healthcare-sector intrusion, Darktrace assessed the attackers likely gained initial access via a Fortigate appliance in October 2025 and observed brute-force activity using a compromised administrator credential. The intrusion reportedly involved a long dwell time of roughly three months.
Observed tradecraft includes use of SMB, RDP, SSH, PsExec, WinRM, Chrome Remote Desktop, and Rclone; reconnaissance through internal TCP/UDP port scanning; persistence via registry key modification, scheduled tasks, and account manipulation; and command-and-control through Cloudflare Tunnel infrastructure. Specific infrastructure and indicators mentioned in the reporting include region2.v2.argotunnel[.]com, h2.cftunnel[.]com, region1.v2.argotunnel[.]com, remotedesktop-pa[.]googleapis[.]com, external SSH destination 51.15.109[.]222, and outbound connections to 193.161.193[.]99 over port 1194 associated in the report with probable C2 and OpenVPN. The attackers were also observed writing Windows\Temp\chromeremotedesktophost.msi over SMB and transferring OpenSSHUtils.psm1 and ssh-sk-helper.exe to an internal domain controller using the administrator credential.
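To make the network indicators above actionable, the following is an added example (not code from the page, from Darktrace or from Mallory) that refangs the defanged domains and IPs quoted in the report and scans constructed connection records for them. The log format, the source hosts and the idea of pairing the 193.161.193[.]99 indicator with a port-1194 rule are assumptions for illustration.

```python
"""Match the report's defanged network indicators against connection logs.

Added example, not from the original page: refangs the indicators
quoted in the report and classifies constructed connection records
by which indicator family (Cloudflare Tunnel, Chrome Remote Desktop,
external SSH, probable C2/OpenVPN) they touch.
"""
from dataclasses import dataclass

# Indicators exactly as the report quotes them (defanged). Grouping
# into families is this example's own labelling.
DEFANGED_IOCS = {
    "cloudflare_tunnel": [
        "region1.v2.argotunnel[.]com",
        "region2.v2.argotunnel[.]com",
        "h2.cftunnel[.]com",
    ],
    "chrome_remote_desktop": ["remotedesktop-pa[.]googleapis[.]com"],
    "external_ssh": ["51.15.109[.]222"],
    "probable_c2_openvpn": ["193.161.193[.]99"],
}
# Assumption: the report's "outbound over port 1194" observation is
# expressed as an extra port rule on top of the IP match.
PORT_RULES = {"probable_c2_openvpn": {1194}}


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style defanging into a matchable value."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .lower())


IOCS = {label: {refang(v) for v in values} for label, values in DEFANGED_IOCS.items()}


@dataclass(frozen=True)
class Conn:
    src: str
    dst_host: str   # resolved name or raw IP, lower-cased
    dst_port: int


# Constructed sample records ("src dst_host dst_port"); not real telemetry.
SAMPLE_LOG = """\
10.0.5.21 region2.v2.argotunnel.com 7844
10.0.5.21 updates.example-vendor.com 443
10.0.7.9 remotedesktop-pa.googleapis.com 443
10.0.7.9 51.15.109.222 22
10.0.3.4 193.161.193.99 1194
10.0.3.4 193.161.193.99 443
10.0.8.1 h2.cftunnel.com 443
"""


def parse_log(text: str) -> list[Conn]:
    """Parse whitespace-separated records; malformed lines are skipped, not fatal."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        conns.append(Conn(parts[0], parts[1].lower(), int(parts[2])))
    return conns


def classify(conn: Conn) -> list[str]:
    """Return the indicator labels one connection matches (possibly several)."""
    hits = []
    for label, values in IOCS.items():
        if conn.dst_host in values:
            hits.append(label)
            if conn.dst_port in PORT_RULES.get(label, set()):
                hits.append(label + ":port_match")
    return hits


def scan(text: str) -> dict[str, list[str]]:
    """Map each source host that matched anything to its distinct labels, in first-seen order."""
    result: dict[str, list[str]] = {}
    for conn in parse_log(text):
        for label in classify(conn):
            labels = result.setdefault(conn.src, [])
            if label not in labels:
                labels.append(label)
    return result


if __name__ == "__main__":
    for src, labels in scan(SAMPLE_LOG).items():
        print(src, "->", ", ".join(labels))
```

Refanging before comparison matters because indicators copied straight from a report with `[.]` intact never match real telemetry; the per-family labels let a triage queue distinguish a tunnel egress from a remote-desktop session without a second lookup.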
Data theft is a central capability. The content states World Leaks exfiltrates data through custom tooling over TOR and uses cloud storage services including MEGA. In the healthcare intrusion, multiple devices transferred data to Backblaze and MEGA, with more than 80 GB sent to MEGA. Related indicators and tooling explicitly cited include backblazeb2[.]com, gfs302n520[.]userstorage[.]mega[.]co[.]nz, the user agent MegaClient/10.3.0/64, and rclone/v1.69.0.
Although World Leaks reportedly claimed to have abandoned encryption in favor of exfiltration-only extortion, the provided content documents at least one case where both exfiltration and encryption occurred. In the January 2026 healthcare incident, Darktrace confirmed ransomware deployment through a ransom note with a randomized nine-character prefix before README.txt and encrypted files bearing the same nine-character extension. SMB writes of world.exe and task.bat were observed and assessed as likely delivering the ransomware payload, and the ransom note attributed the attack to World Leaks. The reporting concludes that affiliates may deviate from the group’s claimed extortion-only model and conduct mixed-mode operations combining stealthy exfiltration with encryption.
Groups observed using it
1 distinct threat actor attributed by public researchers.
World Leaks emerged in early 2024 as a direct rebrand of the Hunters International ransomware group... In January 2026, Darktrace identified the presence of ransomware and data encryption linked to World Leaks within the network of an organization within the healthcare sector.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Affiliate-based extortion operation that evolved from Hunters International. It primarily focuses on data theft, exfiltration, leak-site extortion, and negotiation infrastructure, though the report also documents a 2026 incident where it encrypted victim data using a ransomware payload.
Ransomware/extortion brand associated with double-extortion activity impacting multiple industrial verticals.
World Leaks is an extortion group that ransoms victims without encrypting files, focusing on data theft and threats of exposure rather than traditional ransomware encryption.
Ransomware operation referenced as sustaining targeting of critical sectors in Q2 2025.