Hisoka
Hisoka is a custom backdoor associated with the xHunt cyber-espionage group. Reporting places it in xHunt operations targeting organizations in Kuwait, particularly in the shipping, transportation, government, and broader critical infrastructure sectors, with activity described from at least 2018 through 2020. Hisoka is part of xHunt’s bespoke malware ecosystem, whose tools are often named after characters from the anime Hunter x Hunter, and it has been referenced alongside other xHunt malware including TriFive, Netero, Sakabota, Killua, Snugy, and the BumbleBee webshell.
A key documented capability of Hisoka is covert command-and-control via Microsoft Exchange Web Services (EWS). The malware is described as communicating by reading and writing email drafts in compromised mailboxes, using folders such as Drafts or Deleted Items as a C2 channel. This technique allows the actor to blend malicious traffic with legitimate Exchange activity and support persistent intelligence collection. The content also links Hisoka to xHunt infrastructure through the domain microsofte-update[.]com, described as a Hisoka C2 domain; related reporting notes overlap with windowsmicrosofte[.]online and other xHunt-associated infrastructure.
The malware is tied to xHunt’s broader intrusion tradecraft, which includes compromise of Microsoft Exchange and IIS servers, credential harvesting, long-term persistence, and lateral movement within victim environments. While the provided content does not give a full standalone technical breakdown of Hisoka’s internal implementation, it consistently identifies Hisoka as one of xHunt’s bespoke backdoors used in espionage-focused campaigns against Kuwaiti targets.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The domain windowsmicrosofte[.]online contains the substring microsofte, which was seen in the Hisoka C2 domain of microsofte-update[.]com as mentioned in our initial publication on xHunt’s attacks on Kuwaiti shipping and transportation organizations.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Custom backdoor used by xHunt APT for cyber-espionage, enabling persistent access and intelligence harvesting from compromised systems.
Custom backdoor leveraging Exchange Web Services (EWS) for stealthy C2 via mailbox draft manipulation (e.g., Drafts/Deleted Items).
Malware associated with xHunt referenced here through overlap in command-and-control domain naming patterns. The content does not provide additional functional detail in this article.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.