{
	"id": "05031890-f4df-4545-b577-d05ca9e88fd8",
	"created_at": "2026-04-06T00:07:53.587306Z",
	"updated_at": "2026-04-10T03:36:17.346095Z",
	"deleted_at": null,
	"sha1_hash": "d5cb48dc22eeb87afad9a87ca70e9a939ae80016",
	"title": "HelloGookie. HelloKitty. Hello, LockBit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71403,
	"plain_text": "HelloGookie. HelloKitty. Hello, LockBit\r\nBy Barracuda Networks\r\nPublished: 2024-04-24 · Archived: 2026-04-05 13:17:32 UTC\r\nIn yet another ransomware rebrand, the operator of the defunct HelloKitty operation has launched a new threat\r\ncalled ‘HelloGookie.’ The new name likely comes from one of the operator's nicknames, ‘Guki’ or ‘Gookee.’ He\r\nalso uses the name ‘Kapuchin0,’ which he seems to prefer when posting to forums.\r\nHelloGookie\r\nHelloGookie has already published two attacks on a leak site, but the attacks aren’t current. These posts reference\r\nattacks from 2021 and 2022 in which HelloKitty was either attributed or named as a possible affiliated actor.\r\nUnlike the typical threat actor rebrand, HelloGookie hasn't tried to hide its past. \r\nHelloKitty\r\nResearchers first observed HelloKitty ransomware in late 2020. The first big target was Brazilian energy company\r\nCEMIG (Companhia Energética de Minas Gerais), which announced on Facebook that it had been the victim of a\r\nransomware attack. Here’s a portion of the note left behind:\r\nIn February 2021, CD Projekt Red (CDPR) announced that it had been the victim of an unknown threat actor.\r\nCDPR develops popular role-playing games like The Witcher and Cyberpunk 2077.  Many people thought a\r\ndisgruntled gamer had launched the attack, or that CDPR was faking the threat to distract the public from flaws in\r\nits newly released game. Researchers quickly pushed back on this narrative, and it was later confirmed that\r\nHelloKitty was auctioning off the stolen CDPR data. Throughout 2021 the operator expanded attack capabilities\r\nby adding a Linux variant and a distributed denial-of-service (DDoS) threat. The additional threat of a DDoS\r\nattack elevated HelloKitty from a double-extortion to a triple-extortion threat actor. HelloKitty conducted\r\naggressive campaigns against SonicWall CVEs in June 2021, and was named as part of a Cisco breach in May\r\n2022.  
\r\nOn October 6, 2023, Kapuchin0/Gookie/Guki shut down the HelloKitty operation. He gave away his\r\nransomware and took a passing shot at LockBit on his way out.\r\nHelloKitty family tree\r\nHelloKitty is reported to be a rebuild of DeathRansom, which was only bluff ransomware when it was first\r\nobserved in 2019. Bluff ransomware is also called fake ransomware because there’s no real file encryption,\r\nthough there is usually a file locker that disrupts access to the files. File lockers are malware that target\r\noperating-system functions rather than the files themselves. For example, there could be a lock screen on the workstation that\r\nprevents a user from interacting with the computer, or the files on a computer could be restricted with modified\r\nsystem permissions. DeathRansom didn’t even have a file locker when it first appeared. It simply renamed the\r\nfiles and left a ransom note.\r\nhttps://blog.barracuda.com/2024/04/24/hellokitty--hellogookie--hello--lockbit\r\nPage 1 of 4\n\nHowever, only a few weeks after its first attacks DeathRansom became\r\nfully operational ransomware. DeathRansom activity died down after a period of aggressive research into\r\nthe group, though that may have been coincidental and not due to the results of the investigation.\r\nHelloKitty has also been closely linked with FiveHands ransomware, another rewrite of\r\nDeathRansom. FiveHands was a ransomware-as-a-service (RaaS) operation that also developed Thieflock\r\nransomware. The operators of Thieflock were later linked to a newer group, Yanluowang ransomware. We’ll come\r\nback to Yanluowang in a minute.\r\nAlthough HelloKitty was mentioned in the 2022 Cisco breach, Cisco attributed that attack to an initial access broker with ties to\r\nUNC2447, Lapsus$, and Yanluowang. Cisco security teams detected the breach and purged the threat before\r\nransomware could be deployed. 
Since there was no ransomware to analyze for this incident, Cisco teams reported\r\non the known past behavior of threat actor UNC2447, saying it has consistently used “a variety of ransomware,\r\nincluding FIVEHANDS, HELLOKITTY, and more.”\r\nIn separate research on the 2021 SonicWall attacks, Mandiant researchers noted,\r\nBased on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant\r\nsuspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through\r\nDecember 2020, and FIVEHANDS since approximately January 2021.\r\nMandiant has also published detailed comparisons of HelloKitty, FiveHands, and DeathRansom.\r\nNow back to Yanluowang. This was a ransomware-as-a-service (RaaS) group that targeted U.S. companies of all\r\ntypes but primarily focused on financial companies. Threat actor ‘Saint’ represented Yanluowang in the crime\r\nforums and private messaging.  In October 2022 the private chatlogs of Yanluowang were leaked to the public,\r\nrevealing many new insights into the group. The interesting part for us is that Guki of HelloKitty was one of the\r\nmost active members in the Yanluowang logs. One of the conversations included Guki asking Saint for assistance\r\nwith future attacks. HelloKitty was ‘human-operated’ ransomware, and Guki didn’t have the manpower to\r\nleverage all the working credentials in his arsenal. Yanluowang was a RaaS group that could either buy his assets\r\nor give him a cut of any ransom collected through his data.\r\nThe Yanluowang group and Saint went quiet after the leak of the chatlogs in 2022.\r\nHello, LockBit\r\nAnd now we are back to those HelloGookie forum posts.\r\nGookee/Guki/Kapuchin0 has been posting on the forums since at least early March 2024. A researcher (@3xp0rt)\r\ncaptured some of the posts: \r\nI’ve redacted URLs and some language, but most of the content is intact here. 
The March 18 message is looking\r\nfor ‘large, interesting targets, for experience I have.’ The March 25 message asks for a message from\r\nYanluowang/Saint, possibly to discuss future collaboration. It also calls out LockBit again. Threat Intelligence\r\nAnalyst Alexander Leslie explained the relationships between ransomware operators in a recent webinar:\r\n“… all of these major ransomware groups, they make money off of each other. They all share affiliates, they all\r\nshare infrastructure. They're all attacking some of the same victims at the same times. They're all using the same\r\nforums. They're all in private chats with each other. Yes, there is animosity at times, especially when an affiliate\r\nwill double post victims on two different blogs, right, that actually does cause a bit of a rift between the affiliate\r\nand the group or between two groups. Yes, there is issues about market share about deals that they have with\r\ncertain tool providers. But those disputes, again, are relatively surface level compared to traditional forms of\r\ncrime, because it's in ransomware’s best interest that nobody is taken down, that nobody has a significant\r\ndisruption either internally or by law enforcement, because all of them staying in business means more and better\r\nbusiness for every other ransomware group.”\r\nOn April 22, 2024, Gookee/Guki/Kapuchin0 posted a ‘help wanted’ ad for someone to make phone calls to\r\nransomware targets:\r\nRecruiting a caller means HelloGookie is likely to employ voice phishing, or vishing. This is interesting because\r\nvishing was used in the 2022 Cisco attack:\r\nThe attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted\r\norganizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications\r\ninitiated by the attacker. 
The attacker ultimately succeeded in achieving an MFA push acceptance, granting them\r\naccess to VPN in the context of the targeted user.\r\nHuman-operated ransomware attacks like HelloKitty, and presumably HelloGookie, are especially dangerous to the\r\norganization. This Microsoft document explains the higher risk associated with skilled criminals conducting\r\nreconnaissance and directing the attack.\r\nWhen combined with tactics like vishing and MFA fatigue (bombarding a user with push prompts until one is approved), these attacks can be very effective at gaining initial access\r\nand elevating privileges.\r\nAssume the threat is real.\r\nIt’s possible that Guki/Gookee/Kapuchin0 has no new attack and is just trying to get attention. You can’t believe\r\nanything that any of these criminals say, and HelloGookie hasn’t listed any new victims yet. When new victims\r\nare listed, they might not even be victims of HelloGookie attacks. Sometimes threat actors just repost someone\r\nelse’s victims. But if the HelloKitty operator is back with better software, and he’s connecting with old friends like\r\nSaint, and he’s getting a caller into his operation … that’s a legitimate risk. And even though the HelloKitty family\r\ntree looks like Harry Lauder’s walking stick, you can find a seven-year path of potential cybercrime experience as\r\nthese malware strains are reborn and threat actors move between groups.\r\nWe don't know with certainty that HelloGookie will be a real threat, but this is another example of why you should\r\nadopt a Zero Trust mindset. Verify everything, including phone calls and multi-factor authentication prompts.\r\nDefend all of your threat vectors with comprehensive, multi-layered security, and make sure your users have\r\nsecurity awareness training. 
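An added illustration, not from the Barracuda post or from Cisco's write-up of the 2022 breach: the vishing plus MFA-fatigue pattern described above leaves a trace in authentication logs, because the attacker keeps sending push prompts until the user approves one. The detection below counts denied or timed-out pushes shortly before an approval. The log line format, user names, time window and threshold are assumptions made for this example; the sample events are constructed, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs). The line format is an
# assumption for this example: timestamp, user, factor, result.
# alice is bombarded with pushes, rejects or ignores four, then approves one.
# bob approves a single push; carol denies one and approves another hours later.
SAMPLE_EVENTS = [
    '2024-04-22T09:01:02Z alice push denied',
    '2024-04-22T09:01:40Z alice push timeout',
    '2024-04-22T09:02:15Z alice push denied',
    '2024-04-22T09:02:50Z alice push timeout',
    '2024-04-22T09:03:30Z alice push approved',
    '2024-04-22T09:05:00Z bob push approved',
    '2024-04-22T11:30:00Z carol push denied',
    '2024-04-22T14:00:00Z carol push approved',
]


def parse_event(line):
    '''Split one log line into (timestamp, user, factor, result).'''
    ts, user, factor, result = line.split()
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), user, factor, result


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), min_rejections=3):
    '''Return one (user, approval_time, rejections) tuple for every approved
    push that was preceded, within the window, by at least min_rejections
    pushes the same user denied or let time out. An attacker holding valid
    credentials keeps sending pushes until one is accepted; a legitimate
    login rarely produces several rejections first.'''
    by_user = defaultdict(list)
    for line in lines:
        ts, user, factor, result = parse_event(line)
        if factor == 'push':
            by_user[user].append((ts, result))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (ts, result) in enumerate(events):
            if result != 'approved':
                continue
            # Only earlier events are in events[:i], so ts - t is never negative.
            rejected = [t for t, r in events[:i]
                        if r in ('denied', 'timeout') and ts - t <= window]
            if len(rejected) >= min_rejections:
                alerts.append((user, ts, len(rejected)))
    return alerts


if __name__ == '__main__':
    for user, ts, count in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f'possible MFA fatigue: {user} approved a push at {ts} '
              f'after rejecting or ignoring {count} within the window')
```

On the constructed sample only alice trips the rule (four rejections in the ten minutes before her approval); carol's single denial hours earlier does not. An approval flagged this way is the point where the Cisco-style intrusion gained its VPN session, so it is worth treating as an incident trigger rather than a low-priority alert, and pairing it with a check of where the VPN login came from.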
\r\nBarracuda can help\r\nOnly Barracuda provides multi-faceted protection that covers all the major threat vectors, protects your data, and\r\nautomates incident response. Over 200,000 customers worldwide count on Barracuda to protect their email,\r\nnetworks, applications, and data. Visit our website to explore our comprehensive cybersecurity platform.\r\nSource: https://blog.barracuda.com/2024/04/24/hellokitty--hellogookie--hello--lockbit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.barracuda.com/2024/04/24/hellokitty--hellogookie--hello--lockbit"
	],
	"report_names": [
		"hellokitty--hellogookie--hello--lockbit"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5cb48dc22eeb87afad9a87ca70e9a939ae80016.pdf",
		"text": "https://archive.orkl.eu/d5cb48dc22eeb87afad9a87ca70e9a939ae80016.txt",
		"img": "https://archive.orkl.eu/d5cb48dc22eeb87afad9a87ca70e9a939ae80016.jpg"
	}
}