{ "id": "b4fc57fb-ce8d-4120-91c1-8a783b935fbe", "created_at": "2026-04-06T00:09:03.58749Z", "updated_at": "2026-04-10T03:37:51.327553Z", "deleted_at": null, "sha1_hash": "235107863eb27ed441f96600f0c21dc3c7eeb0ea", "title": "HelloKitty (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 67858, "plain_text": "HelloKitty (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:32:23 UTC\r\nelf.hellokitty (Back to overview)\r\nHelloKitty\r\nLinux version of the HelloKitty ransomware.\r\nReferences\r\n2022-09-28 ⋅ vmware ⋅ Giovanni Vigna\r\nESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)\r\nAvoslocker Babuk Black Basta BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit Luna\r\nRansomEXX RedAlert Ransomware REvil\r\n2022-07-08 ⋅ Sekoia ⋅ Threat \u0026 Detection Research Team\r\nVice Society: a discreet but steady double extortion ransomware group\r\nHelloKitty\r\n2022-07-08 ⋅ Sekoia ⋅ sekoia\r\nVice Society: a discreet but steady double extortion ransomware group\r\nHelloKitty Zeppelin\r\n2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands\r\nGozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix\r\nLocker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT\r\n2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nConti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered\r\nHelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID\r\n2022-02-09 ⋅ vmware ⋅ VMWare\r\nExposing Malware in Linux-Based Multi-Cloud Environments\r\nACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil\r\nSysrv-hello TeamTNT Vermilion Strike Cobalt Strike\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty\r\nPage 1 of 2\n\n2021-12-30 ⋅ GovInfo Security ⋅ Mathew J. Schwartz\r\nVice Society: Ransomware Gang Disrupted Spar Stores\r\nHelloKitty\r\n2021-08-30 ⋅ CrowdStrike ⋅ Michael Dawson\r\nHypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware\r\nBabuk HelloKitty REvil\r\n2021-08-24 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos, Ruchna Nigam\r\nRansomware Groups to Watch: Emerging Threats\r\nHelloKitty AvosLocker HelloKitty Hive LockBit\r\n2021-07-17 ⋅ soolidsnake ⋅ soolidsnake\r\nHelloKitty Linux version malware analysis\r\nHelloKitty\r\n2021-07-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nLinux version of HelloKitty ransomware targets VMware ESXi servers\r\nHelloKitty\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty" ], "report_names": [ "elf.hellokitty" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f809bfcb-b200-4988-80a8-be78ef6a52ef", "created_at": "2023-01-06T13:46:39.186988Z", "updated_at": "2026-04-10T02:00:03.240002Z", "deleted_at": null, "main_name": "TeamTNT", "aliases": [ "Adept Libra" ], "source_name": "MISPGALAXY:TeamTNT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4", "created_at": "2022-10-25T15:50:23.334495Z", "updated_at": "2026-04-10T02:00:05.264841Z", "deleted_at": null, "main_name": "TeamTNT", "aliases": [ "TeamTNT" ], "source_name": "MITRE:TeamTNT", "tools": [ "Peirates", "MimiPenguin", "LaZagne", "Hildegard" ], "source_id": "MITRE", "reports": null }, { "id": "a6814184-2133-4520-b7b3-63e6b7be2f64", "created_at": "2025-08-07T02:03:25.019385Z", "updated_at": "2026-04-10T02:00:03.859468Z", "deleted_at": null, "main_name": "GOLD VICTOR", "aliases": [ "DEV-0832 ", "STAC5279 ", "Vanilla Tempest ", "Vice Society", "Vice Spider " ], "source_name": "Secureworks:GOLD VICTOR", "tools": [ "Advanced IP Scanner", "Advanced Port Scanner", "HelloKitty ransomware", "INC ransomware", "MEGAsync", "Neshta", "PAExec", "PolyVice ransomware", "PortStarter", "PsExec", "QuantumLocker ransomware", "Rhysida ransomware", "Supper", "SystemBC", "Zeppelin ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d", "created_at": "2022-10-25T16:07:23.42507Z", "updated_at": "2026-04-10T02:00:04.593122Z", "deleted_at": null, "main_name": "Bronze Starlight", "aliases": [ "Cinnamon Tempest", "DEV-0401", "HighGround", "Operation ChattyGoblin", "SLIME34" ], "source_name": "ETDA:Bronze Starlight", "tools": [ "Agent.dhwf", "Agentemis", "AtomSilo", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "HUI Loader", "Kaba", "Korplug", "LockFile", "Night Sky", "NightSky", "Pandora", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "c69bcda3-0893-4ea1-9ec1-ae016332d283", "created_at": "2023-01-06T13:46:39.410593Z", "updated_at": "2026-04-10T02:00:03.317754Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "DEV-0401", "Cinnamon Tempest", "Emperor Dragonfly", "SLIME34" ], "source_name": "MISPGALAXY:BRONZE STARLIGHT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0", "created_at": "2024-02-02T02:00:04.041676Z", "updated_at": "2026-04-10T02:00:03.537352Z", "deleted_at": null, "main_name": "Vanilla Tempest", "aliases": [ "DEV-0832", "Vice Society" ], "source_name": "MISPGALAXY:Vanilla Tempest", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3", "created_at": "2023-01-06T13:46:39.390649Z", "updated_at": "2026-04-10T02:00:03.311299Z", "deleted_at": null, "main_name": "Kinsing", "aliases": [ "Money Libra" ], "source_name": "MISPGALAXY:Kinsing", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8", "created_at": "2025-08-07T02:03:24.674685Z", "updated_at": "2026-04-10T02:00:03.800936Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "Cinnamon Tempest ", "DEV-0401 ", "Emperor Dragonfly " ], "source_name": "Secureworks:BRONZE STARLIGHT", "tools": [ "AtomSilo", "Cobalt Strike", "HUI Loader", "Impacket", "LockFile", "NightSky", "Pandora", "PlugX", "Rook" ], "source_id": "Secureworks", "reports": null }, { "id": "81e29474-63ad-4ce8-97db-b1712d5481d5", "created_at": "2024-04-24T02:00:49.570158Z", "updated_at": "2026-04-10T02:00:05.285111Z", "deleted_at": null, "main_name": "Cinnamon Tempest", "aliases": [ "Cinnamon Tempest", "DEV-0401", "Emperor Dragonfly", "BRONZE STARLIGHT" ], "source_name": "MITRE:Cinnamon Tempest", "tools": [ "Pandora", "PlugX", "Cheerscrypt", "Impacket", "Cobalt Strike", "HUI Loader", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434143, "ts_updated_at": 1775792271, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/235107863eb27ed441f96600f0c21dc3c7eeb0ea.pdf", "text": "https://archive.orkl.eu/235107863eb27ed441f96600f0c21dc3c7eeb0ea.txt", "img": "https://archive.orkl.eu/235107863eb27ed441f96600f0c21dc3c7eeb0ea.jpg" } }