Hunters International — a Russian-linked ransomware group that acquired the Hive ransomware after its operators were shut down by law enforcement — is deploying SharpRHino, a RAT disguised as the legitimate Angry IP Scanner network admin tool. The attack targets IT professionals specifically, betting that administrators install software with elevated privileges and are more likely to have access to high-value systems worth ransoming.
Stories Covered
SharpRHino RAT: Hunters International Tricks IT Admins with Fake Network Scanner
Hunters International emerged after international law enforcement took down the original Hive ransomware operation. The group acquired Hive’s codebase and rapidly scaled — claiming 134 attacks in the first seven months of 2024 and reaching the top 10 most active ransomware groups. SharpRHino is their initial access tool: a RAT built to look like Angry IP Scanner, an open-source network administration utility commonly used by IT professionals. Distribution is via typosquatting domains that closely mimic the legitimate Angry IP Scanner download site. Because Angry IP Scanner is open source, attackers can sign their malicious installer with a “valid” certificate (attributed to “J. Golden’s Drive Trading Co. Ltd.”) paired with a domain name close enough to the real one that a hurried admin won’t notice. The downloaded executable is an NSIS-packed installer that bypasses suspicion by appearing to be standard installation software.
Once executed, SharpRHino establishes persistence by modifying the Windows registry Run key and creating two directories under C:\ProgramData\Microsoft\ — named “Windows Updater 24” and “Log Update Windows” — to blend into existing Microsoft infrastructure and maintain multiple fallback channels to the Hunters International C2 server. The persistence mechanism is designed to survive removal attempts: even if security tools delete one component, registry keys and scripts can rebuild the necessary foothold. Quorum Cyber researchers who analyzed the campaign note that complete remediation may require a full system reimaging rather than targeted file deletion. Once SharpRHino is established, the group follows a standard double-extortion ransomware playbook: exfiltrate data first, then encrypt files with the .locked extension and direct victims to a Tor payment portal. The encryption layer is implemented in Rust — a language increasingly favored by cybercriminal developers for its resistance to reverse engineering and memory safety properties that reduce detectable vulnerabilities in the malware itself.
The IT professional targeting is strategically sound. Standard phishing targets general users who may or may not have access to sensitive systems. IT admins routinely install software, often under elevated or administrative accounts, and their access frequently spans the network — giving a successful infection broad lateral movement potential from the first moment of compromise. The typosquatting + code signing combination lowers the bar for a technically informed target: the download looks like the right domain, the installer is signed, and the tool performs its advertised function. Quorum Cyber has published MITRE ATT&CK mappings for the campaign covering defense evasion, discovery, privilege escalation, execution, persistence, and C2 stages — useful reference material for defenders building detection rules.





