In March, the HELLCAT ransomware group leaked 700 internal documents, purportedly part of a compromise of JLR's internal network using Jira credentials and also included development logs, source code, and a large employee dataset with usernames, email addresses, display names, and time zones, according to an analysis by threat intelligence firm Cyfirma.
HellCat
Hellcat is a ransomware group that emerged in mid-2024.
Profile source: Mallory opens in a new tabHellCat
Family profile
Hellcat is a ransomware group that emerged in mid-2024. The provided content states that its main operators are known to be senior members of the BreachForums community, and reporting by Cyfirma and Hudson Rock linked a hacker using the moniker "Rey" to the group. In March 2025, Hellcat was attributed with a significant compromise of Jaguar Land Rover (JLR): the group reportedly used Jira credentials to access JLR’s internal network and leaked 700 internal documents, including development logs, source code, and a large employee dataset containing usernames, email addresses, display names, and time zones. The content consistently associates Hellcat with ransomware activity and with post-compromise behaviors reflected in detection content, including abuse of Windows utilities and living-off-the-land techniques such as netsh, regsvcs, rundll32, PowerShell, BITSAdmin, SQL Server stored procedures, suspicious named pipes, service stopping, process termination bursts, ransomware note creation, network share file-copy activity, and ESXi SSH brute-force activity. High-confidence targeting information in the content is limited, but Hellcat is explicitly tied to enterprise victimization and the JLR intrusion.
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingReporting
Research mentioning HellCat
Detection: Processes launching netsh | Splunk Security Content
Associated Analytic Story ... Hellcat Ransomware ...
Detection: High Process Termination Frequency | Splunk Security Content
Associated Analytic Story BlackByte Ransomware Clop Ransomware Crypto Stealer Hellcat Ransomware Interlock Ransomware LockBit Ransomware Medusa Ransomware NailaoLocker Ransomware Rhysida Ransomware Snake Keylogger Termite Ransomware
Detection: Windows Disable or Stop Browser Process | Splunk Security Content
Associated Analytic Story Braodo Stealer [[URL_48af0601_56]] Castle RAT [[URL_48af0601_57]] Hellcat Ransomware [[URL_48af0601_58]] Scattered Lapsus$ Hunters [[URL_48af0601_59]]
Detection: BITSAdmin Download File | Splunk Security Content
Associated Analytic Story ... Hellcat Ransomware
Detection: Dump LSASS via comsvcs DLL | Splunk Security Content
Associated Analytic Story ... Hellcat Ransomware
Detection: Windows Suspicious C2 Named Pipe | Splunk Security Content
Associated Analytic Story APT37 Rustonotto and FadeStealer, BlackByte Ransomware, Brute Ratel C4, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, Hellcat Ransomware, LockBit Ransomware, Meterpreter, Remote Monitoring and Management Software, Storm-0501 Ransomware, Trickbot, Tuoni
Detection: Windows Security And Backup Services Stop | Splunk Security Content
Associated Analytic Story Hellcat Ransomware
Detection: Processes launching netsh | Splunk Security Content
Associated Analytic Story Hellcat Ransomware