xHunt APT Group Spies on Kuwait, Leveraging Microsoft Exchange, IIS, and Custom Backdoors
Key Takeaways
- Targeted operations: xHunt continues its cyber espionage, primarily targeting shipping, transportation, and government entities in Kuwait.
- Custom toolkit: The group uses a unique, evolving set of custom backdoors, often named after characters from the anime series "Hunter x Hunter."
- Exchange server exploitation: A key tactic involves compromising MS Exchange servers to establish persistence and use email drafts for C2 communications.
The xHunt cyberespionage group continues to execute sophisticated, persistent attacks, with a primary focus on entities in Kuwait. First observed in 2018, these xHunt APT operations are characterized by a highly targeted approach and a distinctive, custom-built malware toolkit.
The Evolving Malware Arsenal
The group has demonstrated proficiency in compromising web-facing servers, particularly Microsoft Exchange and IIS, to gain initial access, the latest report from Picus Security said.
A hallmark of xHunt's campaigns is its use of custom backdoors, including Hisoka, Sakabota (which provides a Mimikatz binary), Netero, and Killua, as well as the PowerShell-based backdoors TriFive, Snugy (a CASHY200 variant), and BumbleBee.
For credential access and covert access to victim infrastructure, the group relied on:
- Brute forcing – using the popular password cracking tool THC-Hydra to brute-force logins for the Remote Desktop Protocol (RDP).
- Application layer protocol – using previously stolen credentials to access email accounts.
- Protocol tunneling – using established SSH tunnels to interact with BumbleBee on internal IIS web servers that were not directly internet-accessible.
- Obfuscated infrastructure – routing access through PIA VPN infrastructure.
The Hisoka and TriFive backdoors communicate via EWS by reading and writing base64-encoded commands in the Drafts or Deleted Items folders of a compromised user's mailbox. This method avoids traditional network-based C2 traffic, making detection more challenging.
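As an added example (not code from the Picus report or the original article), the following Python hunting logic flags the draft-based C2 pattern described above: Drafts items whose body is base64 wrapping printable text, written through Exchange Web Services and then hard-deleted from the same mailbox within a short window. The record layout and the sample events are constructed and hypothetical, not real Exchange mailbox-audit output.

```python
import base64
import binascii
import re
from datetime import datetime

# Constructed, mailbox-audit-style records (hypothetical format, not real Exchange output).
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T08:00:05", "mailbox": "user1", "op": "Create", "folder": "Drafts",
     "client": "Client=WebServices", "body": "d2hvYW1pIC9hbGw="},
    {"ts": "2020-06-01T08:00:09", "mailbox": "user1", "op": "HardDelete", "folder": "Drafts",
     "client": "Client=WebServices", "body": "d2hvYW1pIC9hbGw="},
    {"ts": "2020-06-01T09:15:00", "mailbox": "user2", "op": "Create", "folder": "Drafts",
     "client": "Client=OWA", "body": "Hi team, draft of the Q3 report attached."},
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64_text(body):
    """Return the decoded text if body is strict base64 wrapping printable ASCII, else None."""
    s = body.strip()
    if len(s) < 8 or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_draft_c2(events, window_seconds=60):
    """Flag Drafts items that are base64-wrapped text, written via EWS, and
    hard-deleted from the same mailbox within window_seconds of creation."""
    findings = []
    creates = [e for e in events if e["op"] == "Create" and e["folder"] == "Drafts"]
    for c in creates:
        cmd = decode_if_base64_text(c["body"])
        if cmd is None or "WebServices" not in c["client"]:
            continue  # ordinary draft, or not written through EWS
        t0 = datetime.fromisoformat(c["ts"])
        for d in events:
            if (d["op"] == "HardDelete" and d["mailbox"] == c["mailbox"]
                    and d["body"] == c["body"]):
                delta = (datetime.fromisoformat(d["ts"]) - t0).total_seconds()
                if 0 <= delta <= window_seconds:
                    findings.append({"mailbox": c["mailbox"], "command": cmd,
                                     "seconds_alive": delta})
    return findings


if __name__ == "__main__":
    for f in find_draft_c2(SAMPLE_EVENTS):
        print(f"[!] {f['mailbox']}: draft C2 item {f['command']!r} lived {f['seconds_alive']:.0f}s")
```

In a real deployment the same two checks (base64-only body plus a create-then-delete cadence from a WebServices client) can be run over Exchange mailbox audit logs, where legitimate users rarely produce either.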
The group:
- Uses tools like TriFive and Snugy to maintain persistence, often executed via scheduled tasks to evade detection.
- Exploits Exchange Web Services (EWS) to facilitate stealthy command-and-control (C2) communications.
- Uses the BumbleBee webshell for direct command execution and SSH tunnels for lateral movement within compromised networks.
One of its more novel techniques involved a watering hole attack on a Kuwaiti government website to passively harvest NTLM hashes from visitors, showcasing the group's patience and ingenuity.
Cybersecurity Implications of Advanced APT Tactics
The sustained cyber-espionage in Kuwait by xHunt highlights the increasing sophistication of state-sponsored threat actors.
For organizations, particularly those in critical sectors, this reinforces the importance of securing internet-facing applications, implementing robust email security protocols, and monitoring for unusual activity within Exchange environments.
Last month, the Iran-linked MuddyWater group launched the Phoenix backdoor espionage campaign, leveraging compromised email accounts, and the PassiveNeuron cyberespionage campaign targeted global organizations with custom APT implants.