Menu
Browse

Cyber Threat Actor: xHunt

Actor Type Location Known Incidents
 Icon
Nation State
Iran
1 incident
Profile

xHunt is an alias used to refer to a threat actor that has been observed operating from Iran and is associated with state‑sponsored cyber activity. Public reporting links the alias to Iranian government‑backed operations, although researchers have not been able to definitively tie xHunt to a specific known Iranian hacking group. The actor’s known activity is limited to a single disclosed incident, which provides the basis for any factual description of its behavior.

The actor’s targeting appears focused on the energy sector, specifically national oil companies, and its operations have been directed against entities in the Middle East. In the 2019 incident, the victim was Bahrain’s national oil company, which was chosen due to its association with Saudi Aramco and the broader geopolitical tensions between Iran and its regional rivals. The stated objective of the attack was disruption, as evidenced by the deployment of a data‑wiping malware intended to erase data and cause system crashes rather than to steal information or generate financial gain.

Regarding tactics, techniques, and procedures, xHunt gained initial access by exploiting a vulnerability in a virtual private network (VPN) appliance, a common vector for perimeter intrusion. After establishing a foothold, the actor escalated privileges by compromising domain controllers, which allowed broader movement across the victim’s network. The payload used in the operation was the Dustman data‑wiper, a malware family that leverages the EldoS RawDisk driver to perform low‑level disk overwriting, a technique also seen in earlier Iranian wipers such as ZeroCleare. The attack was executed hastily, with limited testing, which resulted in only partial data deletion and triggered antivirus detection the following day, enabling containment. While the incident demonstrates a clear link to Iranian state‑sponsored motives, no public source has attributed the operation to a specific Iranian threat group beyond the general assessment of state sponsorship. The 2019 BAPCO attack remains the sole publicly reported campaign associated with the xHunt alias.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources