{
	"id": "29961923-c7bd-4eff-adee-15621fc3107b",
	"created_at": "2026-04-06T00:22:31.582285Z",
	"updated_at": "2026-04-10T13:12:07.963119Z",
	"deleted_at": null,
	"sha1_hash": "f2ed9c9aa3a4a78d97cd770e738dee0acb942639",
	"title": "HelloKitty ransomware source code leaked on hacking forum",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3299262,
	"plain_text": "HelloKitty ransomware source code leaked on hacking forum\r\nBy Lawrence Abrams\r\nPublished: 2023-10-09 · Archived: 2026-04-05 19:03:15 UTC\r\nA threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking\r\nhacking forum, claiming to be developing a new, more powerful encryptor.\r\nThe leak was first discovered by cybersecurity researcher 3xp0rt, who spotted a threat actor named 'kapuchin0' releasing the\r\n\"first branch\" of the HelloKitty ransomware encryptor.\r\nForum post leaking HelloKitty encryptor\r\nSource: 3xp0rt\r\nWhile the source code was released by someone named 'kapuchin0,' 3xp0rt told BleepingComputer that the threat actor also\r\nutilizes the alias 'Gookee.'\r\nhttps://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source-code-leaked-on-hacking-forum/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source-code-leaked-on-hacking-forum/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nA threat actor named Gookee has been previously associated with malware and hacking activity, attempting to sell access to\r\nSony Network Japan in 2020, linked to a Ransomware-as-a-Service operation called 'Gookee Ransomware,' and trying to\r\nsell malware source code on a hacker forum.\r\n3xp0rt believes kapuchin0/Gookee is the developer of the HelloKitty ransomware, who now says, \"We are preparing a new\r\nproduct and much more interesting than Lockbit.\"\r\nThe released hellokitty.zip archive contains a Microsoft Visual Studio solution that builds the HelloKitty encryptor and\r\ndecryptor and the NTRUEncrypt library that this version of the ransomware uses to encrypt files.\r\nHelloKitty source code\r\nSource: BleepingComputer\r\nRansomware expert Michael Gillespie confirmed to BleepingComputer that this is the legitimate source code for HelloKitty\r\nused when the ransomware operation first launched in 
2020.\r\nPart of the encryption code for HelloKitty\r\nSource: BleepingComputer\r\nWhile the release of ransomware source code can be helpful for security research, the public availability of this code does\r\nhave its drawbacks.\r\nAs we saw when HiddenTear was released (for \"educational reasons\") and Babuk ransomware source code was\r\nreleased, threat actors quickly used the code to launch their own extortion operations.\r\nTo this day, over nine ransomware operations continue using the Babuk source code as the basis for their own encryptors.\r\nWho is HelloKitty?\r\nHelloKitty is a human-operated ransomware operation active since November 2020 when a victim posted to the\r\nBleepingComputer forums, with the FBI later releasing a PIN (private industry notification) on the group in January 2021.\r\nThe gang is known for hacking corporate networks, stealing data, and encrypting systems. 
The encrypted files and stolen\r\ndata are then utilized as leverage in double-extortion schemes, where the threat actors threaten to leak data if a ransom is\r\nnot paid.\r\nHelloKitty is known for numerous attacks and is used by other ransomware operations, but their most publicized attack was\r\nthe one on CD Projekt Red in February 2021.\r\nDuring this attack, the threat actors claimed to have stolen Cyberpunk 2077, Witcher 3, Gwent, and other games' source\r\ncode, which they claimed was sold.\r\nHelloKitty ransom note from CD Projekt Red attack\r\nIn the summer of 2021, the ransomware group began utilizing a Linux variant that targets the VMware ESXi virtual\r\nmachine platform.\r\nThe HelloKitty ransomware or its variants have also been used under other names, including DeathRansom, Fivehands, and\r\npossibly, Abyss Locker.\r\nThe FBI shared an extensive collection of indicators of compromise (IOCs) in their 2021 advisory to help cybersecurity\r\nprofessionals and system admins guard against attack attempts coordinated by the HelloKitty ransomware gang.\r\nHowever, as the encryptor has changed over time, these IOCs have likely become outdated.\r\nSource: https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source-code-leaked-on-hacking-forum/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source-code-leaked-on-hacking-forum/"
	],
	"report_names": [
		"hellokitty-ransomware-source-code-leaked-on-hacking-forum"
	],
	"threat_actors": [],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2ed9c9aa3a4a78d97cd770e738dee0acb942639.pdf",
		"text": "https://archive.orkl.eu/f2ed9c9aa3a4a78d97cd770e738dee0acb942639.txt",
		"img": "https://archive.orkl.eu/f2ed9c9aa3a4a78d97cd770e738dee0acb942639.jpg"
	}
}