Expel A.I CyberSecurity Scoring
Expel
Company Information
Website:https://expel.com
Employees number:487
Number of followers:29,179
NAICS:541514
Industry Type:Computer and Network Security
Homepage:expel.com
Expel Risk Score (AI oriented)
Between 650 and 699
ExpelComputer and Network Security
Updated:
23/04/2026
23/04/2026
699/1000
Weak
B
Expel Global Score (TPRM)
xxxx
ExpelComputer and Network Security
Score locked

ExpelWeak
Current Score
699B (WEAK)
01000
2 incidents
-29 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
704
JUNE 2026
703
MAY 2026
701
APRIL 2026
740
Cyber Attack
22 Apr 2026 • Expel
Expel, OpenAI, Cursor and Anima: AI Tools Are Helping Mediocre North Korean Hackers Steal Millions
North Korean Hackers Leverage AI to Steal $12 Million in Cryptocurrency
699
LOW-41
EXPANIANYOPE1776903982
North Korean Hackers Leverage AI to Steal $12 Million in Cryptocurrency
Cybersecurity firm Expel has uncovered a North Korean state-sponsored hacking campaign that exploited AI tools to orchestrate a large-scale cryptocurrency theft operation. The group, dubbed HexagonalRodent, targeted over 2,000 developers working on cryptocurrency, NFT, and Web3 projects, using AI-generated malware and phishing infrastructure to siphon an estimated $12 million in just three months.
Unlike highly sophisticated cybercrime syndicates, HexagonalRodent relied on AI platforms including OpenAI, Cursor, and Anima to compensate for its lack of technical expertise. The hackers used these tools to write malware, design fake company websites, and craft phishing lures, particularly fraudulent job offers aimed at developers. Victims were tricked into downloading malware-laced coding assignments, which stole credentials and, in some cases, crypto wallet keys.
Security researcher Marcus Hutchins, who identified the group, noted that the operation’s success stemmed not from advanced hacking skills but from AI’s ability to automate tasks that would otherwise require significant technical knowledge. The hackers’ reliance on AI was evident in their malware, which included unusual features like excessive English-language comments and emoji-littered code hallmarks of large language model-generated software.
Despite their effectiveness, the group left critical infrastructure exposed, revealing their AI prompts and a database tracking victim wallets. While the $12 million figure represents the total value of compromised wallets, researchers could not confirm whether all funds had been drained, as some wallets may have been protected by hardware security tokens. The campaign underscores how AI is lowering the barrier to entry for cybercriminals, enabling even low-skilled actors to execute high-impact attacks.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MARCH 2026
740
FEBRUARY 2026
740
JANUARY 2026
739
DECEMBER 2025
739
NOVEMBER 2025
754
Cyber Attack
01 Nov 2025 • Expel
Huntress, Rhysida and Expel: Gootloader Malware Maintains Low Detection Rate While Bypassing Most Security Tools
Gootloader’s Sophisticated Anti-Detection Tactics Exposed in Latest Campaign
737
LOW-17
HUNREDEXP1768977371
Gootloader’s Sophisticated Anti-Detection Tactics Exposed in Latest Campaign
A recent analysis by Huntress and Expel reveals how the Gootloader malware leverages deliberately malformed ZIP archives to evade security tools while maintaining functionality for targeted victims. The threat actor, known for its role as an initial access broker in ransomware operations, has partnered with Vanilla Tempest, a group deploying Rhysida ransomware, in an ongoing campaign active since November 2025.
### Evasion Through Malformed ZIP Archives
Gootloader’s infection chain begins with weaponized ZIP files containing malicious JScript payloads, such as "Indiana_Animal_Protection_Laws_Guide.js." These archives are engineered to bypass analysis tools like 7-Zip and WinRAR while remaining extractable via Windows’ native unarchiving utility.
Key evasion techniques include:
- Concatenated ZIP structures: Each archive contains 500–1,000 nested ZIP files, with the End of Central Directory (EOCD) record strategically placed to direct extraction to the valid payload.
- Truncated EOCD records: Missing critical bytes violate ZIP format standards, causing parsing failures in security tools.
- Randomized metadata: Mismatched version numbers, timestamps, CRC32 checksums, and file sizes between local file headers and central directory records further disrupt analysis.
- Client-side generation: Victims receive XOR-encoded data blobs decoded by browsers, assembling into identical ZIP structures until reaching 70–80 MB despite the extracted JScript payload being only ~287 KB.
### Execution & Persistence
When victims extract and run the JScript file, Windows Script Host (WScript) processes it from `AppData\Local\Temp`, initiating a multi-stage attack:
1. Persistence: Creates LNK shortcuts in the Startup folder, referencing secondary scripts via NTFS short filenames (e.g., `FILENA~1.js`).
2. Obfuscated PowerShell execution: CScript launches the script, which spawns PowerShell processes with heavily obfuscated commands to establish command-and-control (C2) communications.
### Detection & Indicators of Compromise
Security teams can identify Gootloader activity by monitoring:
- Process patterns: `wscript.exe` executing JScript from temp directories, followed by `cscript.exe` invoking scripts via NTFS shortnames and spawning PowerShell.
- File characteristics: ZIP archives with >100 instances of `PK\x03\x04` (local file headers) or `PK\x05\x06` (EOCD records).
- Persistence artifacts: LNK files in `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`.
Known IOCs:
- File hash (SHA-256): `b05eb7a367b5b86f8527af7b14e97b311580a8ff73f27eaa1fb793abb902dc6e`
- Malicious extensions: `.js`, `.jse`
- Execution paths: Temp directories, NTFS shortname scripts
Gootloader remains a persistent threat, historically accounting for 11% of malware bypassing enterprise security solutions. Its collaboration with Vanilla Tempest underscores its role in facilitating Rhysida ransomware attacks.
INCIDENT DETAILS -
TYPE
MOTIVATION
DATA BREACH
REFERENCES
OCTOBER 2025
754
SEPTEMBER 2025
754
AUGUST 2025
754
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Expel ??
What was Expel's A.I Rankiteo Cyber Score in June 2026 ??
What was Expel's A.I Rankiteo Cyber Score in May 2026 ??
What was Expel's A.I Rankiteo Cyber Score in April 2026 ??
What was Expel's A.I Rankiteo Cyber Score in March 2026 ??
What was Expel's A.I Rankiteo Cyber Score in February 2026 ??
What was Expel's A.I Rankiteo Cyber Score in January 2026 ??
What was Expel's A.I Rankiteo Cyber Score in December 2025 ??
What was Expel's A.I Rankiteo Cyber Score in November 2025 ??
What was Expel's A.I Rankiteo Cyber Score in October 2025 ??
What was Expel's A.I Rankiteo Cyber Score in September 2025 ??
What was Expel's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Expel's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Expel ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Expel's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?