Credential Theft
- Mimikatz
Helldown is a ransomware threat group active by at least late 2024 and described in May 2025 reporting as a rising ransomware group.
Profile source: Mallory opens in a new tabHelldown
Helldown is a ransomware threat group active by at least late 2024 and described in May 2025 reporting as a rising ransomware group. Reporting links Helldown to extortion activity targeting European SMEs through Zyxel firewalls, with observed intrusions completing from initial access to encryption in under 1.5 hours. In the documented campaign, attackers reportedly gained initial access through direct SSL VPN connections on Zyxel devices, moved laterally in a malware-less manner using Remote Desktop via mstsc.exe, modified Zyxel firewall ACL rules to flatten segmentation and aid discovery, manually harvested credentials including from Veeam-related files, used Veeam-Get-Creds.ps1 to extract credentials from Veeam’s encrypted database, and deployed ransomware directly on ESXi hosts to encrypt virtual disk images. Observed tooling associated with Helldown includes Mimikatz for credential theft, Advanced Port Scanner and Advanced IP Scanner for discovery, and HRSword during encryption operations to monitor compromised internal servers. Reporting also notes Helldown-linked ransom communications using helldows@onionmail[.]org and TOX ID 19A549A57160F384CF4E36EE1A24747ED99C623C48EA545F343296FB7092795D00875C94151E, with Helldown ransom notes circulating in the wild from 19 November 2024. The content further states that an earlier September 2024 extortion wave using the identifier unitui57 showed technical overlap with later Helldown activity, especially in ESXi tooling, suggesting evolving tactics or a shared threat cluster. Helldown is also mentioned alongside Hellcat in prior intrusion-chain reporting by TrueSec and Sekoia. The content states that Zyxel was reportedly compromised by Helldown in August 2024, with the gang claiming exfiltration of 253 GB of internal documents.
Ransomware.live
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.