Analytics Story: Hellcat Ransomware

Description

Hellcat is a Ransomware-as-a-Service (RaaS) group that emerged in Q4 2024, known for sophisticated attacks targeting critical infrastructure, telecommunications, government entities, and IT organizations. The group employs advanced techniques including PowerShell infection chains, SSH-based persistence, and custom ransomware payloads to compromise and encrypt victim systems.

Why it matters

Hellcat Ransomware represents a significant threat to organizations across multiple sectors. The group's operations begin with initial access through phishing campaigns and exploitation of public-facing application vulnerabilities, including known CVEs in Palo Alto PAN-OS software (CVE-2024-0012, CVE-2024-9474). Upon gaining access, Hellcat operators deploy sophisticated PowerShell infection chains to establish persistence, evade detection, and install command-and-control infrastructure.

A distinctive characteristic of Hellcat's tactics is their use of SSH-based persistence mechanisms. Operators create new SSH users with administrative privileges and install unique SSH keys to maintain long-term access to compromised systems. They also deploy backdoor malware as a backup persistence mechanism if SSH access fails.

For command and control, Hellcat leverages SliverC2 and Cobalt Strike frameworks, combined with custom infrastructure including domains like waifu[.]cat for data exfiltration. The group employs SFTP as their primary exfiltration mechanism, moving stolen data to attacker-controlled servers before deploying their custom ransomware payloads.

Throughout their operations, Hellcat extensively uses Living-off-the-Land binaries (LOLBAS) and obfuscated PowerShell scripts to evade security controls. They also deploy information-stealing malware like LummaStealer to harvest credentials and sensitive data.

Notable victims include Schneider Electric, Telefonica, Pinger, Israel's Knesset, Dell, and CapGemini. The group is led by founding member "Pryx" with other members including "Grep" who have been attributed to several high-profile attacks. Hellcat has demonstrated connections to other ransomware groups including Underground Team and Morpheus, suggesting a broader ecosystem of threat actors sharing tools and techniques.

Organizations should implement robust security measures including PowerShell Script Block Logging, Sysmon monitoring, SSH activity monitoring, and EDR solutions to detect and respond to Hellcat ransomware activities.

Living Off The Land Detection

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime
    sum(All_Risk.calculated_risk_score) as risk_score,
    count(All_Risk.calculated_risk_score) as risk_event_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
    values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
    from datamodel=Risk.All_Risk
    where All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system"
    by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 5
| `living_off_the_land_detection_filter`
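The search above is a risk-based correlation: it rolls every risk event raised against a system into one row per risk object and MITRE tactic, and only rows where at least five distinct detections contributed (source_count >= 5) survive. The Python below is an added example, not part of this page or Splunk's own content; it re-implements that aggregation over constructed Risk data-model rows so the threshold behaviour can be checked offline. Detection names come from this page's detection list; the host names, timestamps and scores are made up.

```python
from collections import defaultdict

def risk_event(time, host, source, score, tactic, tactic_id, technique_id):
    """One constructed Risk.All_Risk row; field names follow the data model."""
    return {"_time": time, "risk_object": host, "risk_object_type": "system", "source": source,
            "calculated_risk_score": score, "mitre_tactic": tactic,
            "mitre_tactic_id": tactic_id, "mitre_technique_id": technique_id}

# Constructed sample built from detection names listed on this page.
EXEC_DETECTIONS = ["Malicious PowerShell Process With Obfuscation Techniques",
                   "Powershell Fileless Script Contains Base64 Encoded Content",
                   "PowerShell Script Block With URL Chain",
                   "Windows Renamed Powershell Execution",
                   "PowerShell Loading DotNET into Memory via Reflection"]
PERSIST_DETECTIONS = ["Linux SSH Authorized Keys Modification",
                      "Linux Possible Ssh Key File Creation"]
SAMPLE = (
    # host-a: five distinct detections under one tactic -> fires
    [risk_event(100 + i, "host-a", s, 20, "Execution", "TA0002", "T1059.001")
     for i, s in enumerate(EXEC_DETECTIONS)]
    # host-b: five events but only two distinct sources -> stays quiet
    + [risk_event(200 + i, "host-b", EXEC_DETECTIONS[i % 2], 20, "Execution", "TA0002", "T1059.001")
       for i in range(5)]
    # host-c: five distinct sources, but split 3 Execution / 2 Persistence -> stays quiet
    + [risk_event(300 + i, "host-c", s, 20, "Execution", "TA0002", "T1059.001")
       for i, s in enumerate(EXEC_DETECTIONS[:3])]
    + [risk_event(310 + i, "host-c", s, 20, "Persistence", "TA0003", "T1098.004")
       for i, s in enumerate(PERSIST_DETECTIONS)]
)

def correlate(events, min_sources=5):
    """Aggregate like the search: group by (risk_object, risk_object_type, mitre_tactic),
    then keep only groups whose distinct-source count reaches min_sources."""
    groups = defaultdict(list)
    for e in events:
        if e["risk_object_type"] == "system":   # where All_Risk.risk_object_type="system"
            groups[(e["risk_object"], e["risk_object_type"], e["mitre_tactic"])].append(e)
    results = {}
    for key, evs in groups.items():
        sources = {e["source"] for e in evs}
        if len(sources) < min_sources:          # where source_count >= 5
            continue
        results[key] = {"firstTime": min(e["_time"] for e in evs),
                        "lastTime": max(e["_time"] for e in evs),
                        "risk_score": sum(e["calculated_risk_score"] for e in evs),
                        "risk_event_count": len(evs), "source_count": len(sources),
                        "mitre_tactic_id_count": len({e["mitre_tactic_id"] for e in evs}),
                        "mitre_technique_id_count": len({e["mitre_technique_id"] for e in evs})}
    return results
```

Because the search groups by tactic as well as by risk object, five detections spread across two tactics on one host do not fire; lowering min_sources or dropping the tactic from the group key changes that trade-off.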

Detections

Name | Technique | Type
CrushFTP Server Side Template Injection | Exploit Public-Facing Application | TTP
ESXi SSH Brute Force | Brute Force | Anomaly
ESXi SSH Enabled | SSH | TTP
Ivanti VTM New Account Creation | Exploit Public-Facing Application | TTP
AWS Exfiltration via DataSync Task | Automated Collection | TTP
Azure AD New Federated Domain Added | Trust Modification | TTP
Azure AD User ImmutableId Attribute Updated | Account Manipulation | TTP
Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall | TTP
Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall | TTP
BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP
Cobalt Strike Named Pipes | Process Injection | TTP
Common Ransomware Notes | Data Destruction | Hunting
Conti Common Exec parameter | User Execution | TTP
Detect Empire with PowerShell Script Block Logging | PowerShell | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Detect Regasm with Network Connection | Regsvcs/Regasm | TTP
Detect Regsvcs with Network Connection | Regsvcs/Regasm | TTP
Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription | TTP
Dump LSASS via comsvcs DLL | LSASS Memory | TTP
File with Samsam Extension | None | TTP
GPUpdate with no Command Line Arguments with Network | Process Injection | TTP
High Frequency Copy Of Files In Network Share | Transfer Data to Cloud Account | Anomaly
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Linux Account Manipulation Of SSH Config and Keys | File Deletion, Data Destruction | Anomaly
Linux Auditd Data Transfer Size Limits Via Split | Data Transfer Size Limits | Anomaly
Linux Auditd Find Credentials From Password Stores | Password Managers | TTP
Linux Auditd Find Ssh Private Keys | Private Keys | Anomaly
Linux Medusa Rootkit | Rootkit, Credentials | TTP
Linux Possible Ssh Key File Creation | SSH Authorized Keys | Anomaly
Linux SSH Authorized Keys Modification | SSH Authorized Keys | Anomaly
Linux SSH Remote Services Script Execute | SSH | TTP
LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP
MacOS AMOS Stealer - Virtual Machine Check Activity | AppleScript | Anomaly
MacOS LOLbin | Unix Shell | TTP
Malicious PowerShell Process With Obfuscation Techniques | PowerShell | TTP
MOVEit Empty Key Fingerprint Authentication Attempt | Exploit Public-Facing Application | Hunting
Potential Telegram API Request Via CommandLine | Bidirectional Communication, Exfiltration Over C2 Channel | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
Powershell Fileless Process Injection via GetProcAddress | Process Injection, PowerShell | TTP
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly
Powershell Processing Stream Of Data | PowerShell | TTP
PowerShell Script Block With URL Chain | PowerShell, Ingress Tool Transfer | TTP
Processes launching netsh | Disable or Modify System Firewall | Anomaly
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Ryuk Wake on LAN Command | Windows Command Shell | TTP
Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP
SearchProtocolHost with no Command Line with Network | Process Injection | TTP
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
Services LOLBAS Execution Process Spawn | Windows Service | TTP
Suspicious Curl Network Connection | Ingress Tool Transfer | TTP
Suspicious GPUpdate no Command Line Arguments | Process Injection | TTP
Suspicious Rundll32 no Command Line Arguments | Rundll32 | TTP
Suspicious Rundll32 StartW | Rundll32 | TTP
Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP
Svchost LOLBAS Execution Process Spawn | Scheduled Task | TTP
Trickbot Named Pipe | Process Injection | TTP
Windows BitLockerToGo with Network Activity | System Binary Proxy Execution | Hunting
Windows Cisco Secure Endpoint Related Service Stopped | Inhibit System Recovery | Anomaly
Windows Credentials Access via VaultCli Module | Windows Credential Manager | Anomaly
Windows Disable or Stop Browser Process | Disable or Modify Tools | TTP
Windows Exfiltration Over C2 Via Invoke RestMethod | Exfiltration Over C2 Channel | TTP
Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols | Anomaly
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP
Windows Known GraphicalProton Loaded Modules | DLL | Anomaly
Windows MOVEit Transfer Writing ASPX | Exploit Public-Facing Application, External Remote Services | TTP
Windows New InProcServer32 Added | Modify Registry | Hunting
Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution | TTP
Windows Renamed Powershell Execution | Rename Legitimate Utilities | TTP
Windows Screen Capture in TEMP folder | Screen Capture | TTP
Windows Security And Backup Services Stop | Inhibit System Recovery | TTP
Windows Service Create SliverC2 | Service Execution | TTP
Windows SQL Server Startup Procedure | SQL Stored Procedures | Anomaly
Windows SSH Proxy Command | Protocol Tunneling, PowerShell, Ingress Tool Transfer | Anomaly
Windows Steal Authentication Certificates CryptoAPI | Steal or Forge Authentication Certificates | Anomaly
Wsmprovhost LOLBAS Execution Process Spawn | Windows Remote Management | TTP
Cisco Secure Firewall - Repeated Malware Downloads | Ingress Tool Transfer, Obfuscated Files or Information | Anomaly
CrushFTP Authentication Bypass Exploitation | Exploit Public-Facing Application, Windows Command Shell, PowerShell | TTP
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 | Exploit Public-Facing Application, External Remote Services | TTP
High Volume of Bytes Out to Url | Exfiltration Over Web Service | Anomaly
Ivanti EPM SQL Injection Remote Code Execution | Exploit Public-Facing Application | TTP
Jenkins Arbitrary File Read CVE-2024-23897 | Exploit Public-Facing Application | TTP
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 | Exploit Public-Facing Application | TTP
Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Nginx ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP
WordPress Bricks Builder plugin RCE | Exploit Public-Facing Application | TTP
Zscaler Phishing Activity Threat Blocked | Phishing | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
AWS CloudTrail CreateTask | AWS | aws:cloudtrail | aws_cloudtrail
Azure Active Directory Set domain authentication | Azure | azure:monitor:aad | Azure AD
Azure Active Directory Update user | Azure | azure:monitor:aad | Azure AD
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Cisco Secure Firewall Threat Defense File Event | N/A | cisco:sfw:estreamer | not_applicable
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
CrushFTP | N/A | crushftp:sessionlogs | crushftp
Ivanti VTM Audit | N/A | ivanti_vtm_audit | ivanti_vtm
Linux Auditd Execve | Linux | auditd | auditd
Nginx Access | N/A | nginx:plus:kv | /var/log/nginx/access.log
Palo Alto Network Threat | Network | pan:threat | pan:threat
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Splunk Stream HTTP | Splunk | stream:http | stream:http
Suricata | N/A | suricata | suricata
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 20 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
VMWare ESXi Syslog | N/A | vmw-syslog | vmware:esxlog
Windows Event Log Application 17135 | Windows | XmlWinEventLog | XmlWinEventLog:Application
Windows Event Log CAPI2 70 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 5145 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log System 7036 | Windows | XmlWinEventLog | XmlWinEventLog:System
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
osquery | N/A | osquery:results | osquery

Source: GitHub | Version: 1