Skip to content
Ransomware group

HellCat

Hellcat is a ransomware group that emerged in mid-2024.

Profile source: Mallory opens in a new tab

HellCat

Family profile

Hellcat is a ransomware group that emerged in mid-2024. The provided content states that its main operators are known to be senior members of the BreachForums community, and reporting by Cyfirma and Hudson Rock linked a hacker using the moniker "Rey" to the group. In March 2025, Hellcat was attributed with a significant compromise of Jaguar Land Rover (JLR): the group reportedly used Jira credentials to access JLR’s internal network and leaked 700 internal documents, including development logs, source code, and a large employee dataset containing usernames, email addresses, display names, and time zones. The content consistently associates Hellcat with ransomware activity and with post-compromise behaviors reflected in detection content, including abuse of Windows utilities and living-off-the-land techniques such as netsh, regsvcs, rundll32, PowerShell, BITSAdmin, SQL Server stored procedures, suspicious named pipes, service stopping, process termination bursts, ransomware note creation, network share file-copy activity, and ESXi SSH brute-force activity. High-confidence targeting information in the content is limited, but Hellcat is explicitly tied to enterprise victimization and the JLR intrusion.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
Hellcat

In March, the HELLCAT ransomware group leaked 700 internal documents, purportedly part of a compromise of JLR's internal network using Jira credentials and also included development logs, source code, and a large employee dataset with usernames, email addresses, display names, and time zones, according to an analysis by threat intelligence firm Cyfirma.

Reporting

Research mentioning HellCat

Mar 26
Splunk Research

Detection: Processes launching netsh | Splunk Security Content

Associated Analytic Story ... Hellcat Ransomware ...

Feb 25
Splunk Research

Detection: High Process Termination Frequency | Splunk Security Content

Associated Analytic Story BlackByte Ransomware Clop Ransomware Crypto Stealer Hellcat Ransomware Interlock Ransomware LockBit Ransomware Medusa Ransomware NailaoLocker Ransomware Rhysida Ransomware Snake Keylogger Termite Ransomware

Feb 25
Splunk Research

Detection: Windows Disable or Stop Browser Process | Splunk Security Content

Associated Analytic Story Braodo Stealer [[URL_48af0601_56]] Castle RAT [[URL_48af0601_57]] Hellcat Ransomware [[URL_48af0601_58]] Scattered Lapsus$ Hunters [[URL_48af0601_59]]

Feb 25
Splunk Research

Detection: BITSAdmin Download File | Splunk Security Content

Associated Analytic Story ... Hellcat Ransomware

Feb 25
Splunk Research

Detection: Dump LSASS via comsvcs DLL | Splunk Security Content

Associated Analytic Story ... Hellcat Ransomware

Feb 25
Splunk Research

Detection: Windows Suspicious C2 Named Pipe | Splunk Security Content

Associated Analytic Story APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Brute Ratel C4, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, Hellcat Ransomware, LockBit Ransomware, Meterpreter, Remote Monitoring and Management Software, Storm-0501 Ransomware, Trickbot, Tuoni

Feb 25
Splunk Research

Detection: Windows Security And Backup Services Stop | Splunk Security Content

Associated Analytic Story Hellcat Ransomware

Feb 25
Splunk Research

Detection: Processes launching netsh | Splunk Security Content

Associated Analytic Story Hellcat Ransomware

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.