Between 2019 and 2020, Palo Alto Networks Unit 42 uncovered and publicly documented a sophisticated multi-year cyber espionage campaign they named “xHunt,” targeting Kuwait’s shipping and transportation organizations alongside Kuwaiti government entities. The campaign employed a distinctive set of custom-developed backdoors named after characters from the anime series Hunter × Hunter - including Hisoka, Sakabota, Netero, and Killua - reflecting an operational signature that distinguished the group from other Iranian-linked threat actors operating in the Gulf region during the same period.
Key Facts
- What: xHunt espionage campaign targeted Kuwait's shipping sector using DNS tunneling.
- Who: Kuwaiti shipping companies and government entities (2019-2020).
- Data Exposed: Cargo manifests, Exchange email archives, and government data.
- Outcome: Discovered by Palo Alto Unit 42; linked to Iranian-aligned threat actors.
What Was Exposed
- Shipping and logistics operational data from Kuwaiti maritime and transport companies, potentially including cargo manifests, vessel schedules, and commercial routing information
- Microsoft Exchange email archives from compromised mail servers, enabling comprehensive access to internal and external communications of targeted organizations
- Credentials and authentication tokens harvested from compromised Exchange servers, enabling persistent access and lateral movement across victim networks
- Business process management system data, including workflow configurations, process documentation, and operational data managed through IIS-hosted BPM platforms
- Kuwaiti government entity data from simultaneously targeted government organizations, potentially overlapping with the APT39 campaign documented in the same period
- Network architecture information and internal system documentation accessible through the compromised BPM and Exchange infrastructure
- Personnel data of employees at targeted shipping and government organizations, including contact information and organizational role data
- Commercial intelligence related to Kuwait’s maritime trade flows, including import/export documentation and trade partner information
Kuwait’s shipping and transportation sector is strategically significant far beyond its commercial importance to the Kuwaiti economy. Kuwait sits at the head of the Arabian Gulf, one of the world’s most critical maritime chokepoints through which the vast majority of Gulf oil exports transit. Kuwait’s commercial ports - particularly Shuwaikh Port and Shuaiba Port - handle the import logistics that sustain Kuwait’s large and heavily import-dependent economy.
Understanding the operational patterns of Kuwait’s shipping sector provides intelligence value on military logistics, the movement of dual-use goods, and the commercial networks through which sanctioned entities might attempt to circumvent US and UN sanctions against Iran.
The use of DNS tunneling for command and control represents a significant technical capability that distinguishes xHunt from less sophisticated threat actors. DNS is a foundational internet protocol that is rarely blocked at network perimeters, because doing so would break basic internet connectivity, and its query content is rarely inspected in any depth.
Conventional network security controls - web proxies, SSL inspection, next-generation firewalls focused on HTTP/HTTPS traffic - typically fail to analyze the content of DNS queries and responses in sufficient depth to detect the encoding of command-and-control traffic within what appears to be legitimate DNS lookups. An organization whose security monitoring is focused exclusively on web traffic could be entirely blind to DNS-tunneled command and control, even while experiencing continuous data exfiltration through this channel.
The Hisoka backdoor, named after the flamboyant and dangerous character from Hunter × Hunter, served as xHunt’s primary implant for maintaining persistent access to compromised systems. Hisoka used DNS tunneling as its C2 channel, encoding commands and data within DNS TXT record queries and responses in a manner that evaded detection by the network security tools in use at the targeted Kuwaiti organizations.
The Sakabota tool functioned as a dropper and persistence mechanism, while Netero and Killua served as additional backdoor and tunneling tools that provided fallback access if Hisoka was detected and removed.
The exploitation of Microsoft Exchange servers represents a recurring theme in Iranian APT operations during 2019-2020. Exchange servers are attractive targets for multiple reasons: they are inherently internet-facing (to receive email from external parties), they frequently run with administrative privileges on the servers that host them, they provide direct access to the email archives of the entire organization, and vulnerabilities in Exchange have historically been slow to be patched in enterprise environments where Exchange downtime directly impacts business operations.
Compromising an Exchange server provides immediate access to organizational communications, harvests credentials from authenticated connections, and provides a trusted internal system from which lateral movement across the network is far less likely to trigger alerts than connections originating from an external IP address.
The BPM software exploitation vector is particularly interesting because it targets a class of enterprise application that is frequently overlooked in security assessments focused on perimeter defenses and core infrastructure. BPM platforms running on IIS web servers are often managed by business operations teams rather than by IT security personnel, resulting in delayed patch cycles and security configurations that prioritize functionality over hardening.
The xHunt operators’ identification of this attack vector suggests a detailed reconnaissance phase in which they assessed the full technology stack of their targets and identified the weakest link - in this case, a business application platform with exposed internet-facing components and delayed patch management.
Unit 42’s documentation of the xHunt campaign provided the broader cybersecurity community with valuable threat intelligence, including indicators of compromise, behavioral signatures, and tactical analysis that enabled other organizations to hunt for evidence of xHunt activity in their own networks. The public disclosure also served as a form of attribution that imposed reputational costs on the threat actors, even without formal government attribution to a specific Iranian state organization.
The names chosen for the campaign’s tools - anime characters associated with extraordinary skill and lethal capability - reflected a certain operational aesthetic that, combined with the technical sophistication of the DNS tunneling approach, has led some analysts to speculate about the personal interests and cultural profile of the developers behind the xHunt toolset.
Regulatory Analysis
The xHunt campaign’s targeting of private sector shipping and transportation companies in Kuwait brings these organizations squarely within the scope of CITRA’s Data Protection and Privacy Regulation, Decision No. 26/2024. Unlike the APT39 campaign, which targeted primarily government agencies, xHunt’s focus on commercial maritime and transport operators means that the breach notification and security obligations of the DPPR apply directly to private companies whose compliance posture may be significantly less developed than that of government ministries with dedicated IT security teams.
The 72-hour breach notification requirement under DPPR Decision No. 26/2024 creates a specific challenge for smaller shipping and transport companies that may lack the forensic capability to determine within 72 hours whether a sophisticated APT intrusion has occurred, the scope of data accessed, and the categories of personal data affected.
Unit 42’s analysis suggests that xHunt maintained persistent access to some victims for months; determining the scope of data access over such an extended dwell time requires sophisticated log analysis capabilities that are not universally present in Kuwait’s commercial maritime sector.
Kuwait’s E-Commerce Law No. 20/2014 imposes security obligations on companies processing data through electronic platforms. Shipping companies using web-based logistics management systems, customer portals, and electronic bill of lading systems are processing personal and commercial data through electronic channels that engage the security provisions of this law. The exploitation of IIS-hosted BPM software as an initial access vector represents precisely the kind of vulnerability in web-facing business applications that the E-Commerce Law’s security provisions were designed to address.
The multi-sector nature of xHunt - targeting both private shipping companies and government entities in the same campaign - illustrates the need for Kuwait to develop sector-specific cybersecurity frameworks for critical infrastructure operators, including maritime and transport companies. Kuwait’s Cybercrime Law No. 63/2015 establishes criminal liability for unauthorized access but provides no sector-specific security standards for industries like maritime transport whose operational data has significant national security implications.
The absence of such standards is a gap in Kuwait’s regulatory framework that the development of a comprehensive data protection law presents an opportunity to address.
The DNS tunneling C2 technique used by xHunt highlights a specific regulatory gap: Kuwait currently has no mandatory requirement for internet service providers to implement DNS security monitoring or to report anomalous DNS traffic patterns indicative of tunneling activity. In jurisdictions with more developed cybersecurity regulatory frameworks, telecommunications and internet service providers are required to maintain monitoring capabilities and to report observed threats to national cybersecurity authorities.
CITRA, as the telecommunications regulator, is well-positioned to establish such requirements for Kuwaiti ISPs, creating a network-level detection capability that would provide early warning of DNS tunneling activity across the entire Kuwaiti internet infrastructure.
What Should Have Been Done
Defending against xHunt required a security posture capable of detecting sophisticated APT activity that deliberately evades conventional perimeter security controls. The following measures represent the minimum required to detect and respond to the xHunt campaign within a timeframe that would have limited intelligence loss.
DNS security monitoring is the single most direct countermeasure to the xHunt campaign’s DNS tunneling C2 infrastructure. DNS traffic analysis tools - including purpose-built DNS security platforms such as Cisco Umbrella, Infoblox, or open-source tools like PassiveDNS - can detect the statistical anomalies characteristic of DNS tunneling: unusually high query volumes to specific domains, abnormally long hostnames in DNS queries, high entropy in queried subdomains, and query/response patterns inconsistent with legitimate DNS usage. These tools should have been deployed at the network perimeter of every organization in Kuwait’s maritime and government sectors, feeding alerts to a SOC staffed to investigate DNS anomalies on a 24/7 basis.
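As an added illustration of the statistical checks just described (and of the TXT-record tunneling discussed earlier), not code from Unit 42 or from the original article: a small Python detector that aggregates a DNS query log per client and registered domain and flags TXT-query bursts, over-long labels and high-entropy subdomains. The log lines, the thresholds and the domain c2-placeholder.test are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log, "<client> <qtype> <qname>" per line; not real traffic.
SAMPLE_LOG = """\
10.0.1.15 A www.example.com
10.0.1.22 TXT 4a6f7b2c9d1e8f3a5b7c9d0e1f2a3b4c.c2-placeholder.test
10.0.1.15 A mail.example.com
10.0.1.22 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.test
10.0.1.15 A cdn.example.com
10.0.1.22 TXT 89ab01cdef234567fedcba9876543210.c2-placeholder.test
"""

def shannon_entropy(s):
    """Bits per character: random hex nears 4.0, ordinary hostnames sit near 2."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def split_qname(qname):
    """(subdomain, registered domain); last two labels stand in for a public-suffix lookup."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling(log_text, txt_burst=3, long_label=30, entropy_threshold=3.5):
    """Per (client, domain): flag TXT bursts, long labels, high-entropy subdomains."""
    stats = defaultdict(lambda: {"txt": 0, "max_len": 0, "entropies": []})
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        sub, domain = split_qname(qname)
        s = stats[(client, domain)]
        if qtype.upper() == "TXT":
            s["txt"] += 1
        s["max_len"] = max(s["max_len"], len(sub))
        s["entropies"].append(shannon_entropy(sub))
    findings = {}
    for key, s in stats.items():
        reasons = []
        if s["txt"] >= txt_burst:
            reasons.append("txt_burst")
        if s["max_len"] >= long_label:
            reasons.append("long_label")
        if sum(s["entropies"]) / len(s["entropies"]) >= entropy_threshold:
            reasons.append("high_entropy")
        if reasons:
            findings[key] = reasons  # only suspicious client/domain pairs are kept
    return findings
```

In practice the thresholds are tuned against the organization's own baseline, and the domain split should use a public-suffix list so that legitimate CDN and cloud subdomains are not mis-grouped.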
Exchange server security requires a dedicated hardening programme that goes significantly beyond the default installation configuration.
Organizations running on-premises Exchange servers should implement Exchange Emergency Mitigation (EOMT) for rapid vulnerability remediation, enable Advanced Audit Policy Configuration to maximize the forensic value of Exchange log data, deploy Microsoft Defender for Exchange with behavioral analysis enabled, and implement web application firewall rules restricting access to Exchange administrative interfaces from anything other than known administrative IP ranges.
The September 2019 Unit 42 report documented xHunt’s Exchange exploitation techniques; organizations with Unit 42’s published IOCs loaded into their Exchange security tools would have had detection capability from the moment of public disclosure.
Web application security for IIS-hosted BPM platforms must be treated with the same rigour applied to externally facing e-commerce and customer portal applications.
This means: regular vulnerability assessment and penetration testing of BPM web applications, implementation of a web application firewall in front of all IIS-hosted services, strict input validation and output encoding controls to prevent injection attacks, and a formal patch management process that ensures BPM software receives security updates within a defined timeframe of vendor release. Internal business applications running on internet-accessible servers should never be treated as exempt from the same security controls applied to customer-facing systems.
Endpoint detection and response deployment across all servers and workstations, with behavioral detection rules tuned to identify the xHunt toolset’s specific techniques, would have provided host-level detection capability independent of network-based controls. The Hisoka, Sakabota, Netero, and Killua tools have behavioral signatures that a well-tuned EDR solution would have detected: unusual process creation chains, registry persistence mechanisms, encoded PowerShell execution, and DNS query patterns inconsistent with normal system behavior.
Unit 42’s published technical analysis provides the basis for custom detection rules that can be implemented in EDR platforms and SIEM systems to proactively hunt for xHunt activity.
Network traffic analysis (NTA) tools capable of baseline behavioral profiling and anomaly detection provide detection capability for the lateral movement and data exfiltration phases of xHunt’s operations that may evade perimeter controls.
NTA platforms establish baselines of normal traffic patterns between hosts and alert when traffic deviates from these baselines in ways indicative of lateral movement, data staging, or exfiltration. For Kuwait’s shipping companies, whose networks carry predictable patterns of logistics data, the unusual internal traffic patterns generated by xHunt’s lateral movement across the network would have been detectable by an NTA solution calibrated to the organization’s normal traffic baseline.
The xHunt campaign demonstrated that Kuwait’s maritime and transport sector - critical infrastructure for a small, import-dependent economy - was being systematically targeted by a sophisticated adversary using evasion techniques specifically designed to defeat conventional network security monitoring. Closing this gap requires investment in DNS security, advanced endpoint detection, and network traffic analysis that sees past the DNS protocol camouflage that made xHunt so difficult to detect.