Analytics Story: Hellcat Ransomware

Description

Hellcat is a Ransomware-as-a-Service (RaaS) group that emerged in Q4 2024, known for sophisticated attacks targeting critical infrastructure, telecommunications, government entities, and IT organizations. The group employs advanced techniques including PowerShell infection chains, SSH-based persistence, and custom ransomware payloads to compromise and encrypt victim systems.

Why it matters

Hellcat Ransomware represents a significant threat to organizations across multiple sectors. The group's operations begin with initial access through phishing campaigns and exploitation of public-facing application vulnerabilities, including known CVEs in Palo Alto PAN-OS software (CVE-2024-0012, CVE-2024-9474). Upon gaining access, Hellcat operators deploy sophisticated PowerShell infection chains to establish persistence, evade detection, and install command-and-control infrastructure.

A distinctive characteristic of Hellcat's tactics is the use of SSH-based persistence mechanisms. Operators create new SSH users with administrative privileges and install unique SSH keys to maintain long-term access to compromised systems. They also deploy backdoor malware as a backup persistence mechanism in case SSH access fails.

For command and control, Hellcat leverages the SliverC2 and Cobalt Strike frameworks, combined with custom infrastructure including domains such as waifu[.]cat for data exfiltration. The group uses SFTP as its primary exfiltration mechanism, moving stolen data to attacker-controlled servers before deploying its custom ransomware payloads.

Throughout their operations, Hellcat extensively uses Living-off-the-Land binaries (LOLBAS) and obfuscated PowerShell scripts to evade security controls. They also deploy information-stealing malware such as LummaStealer to harvest credentials and sensitive data.

Notable victims include Schneider Electric, Telefonica, Pinger, Israel's Knesset, Dell, and Capgemini. The group is led by founding member "Pryx"; other members, including "Grep", have been attributed to several high-profile attacks. Hellcat has demonstrated connections to other ransomware groups, including Underground Team and Morpheus, suggesting a broader ecosystem of threat actors sharing tools and techniques.
Organizations should implement robust security measures including PowerShell Script Block Logging, Sysmon monitoring, SSH activity monitoring, and EDR solutions to detect and respond to Hellcat ransomware activities.
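The SSH persistence pattern described above (a new privileged account, membership in an admin group, then key-based SSH logins for that account) is the kind of chain SSH activity monitoring should surface. The following Python script is an added example, not part of this analytic story or of the Splunk Security Content project: it runs three rules over constructed auth-log lines in the shape that shadow-utils' useradd/usermod and OpenSSH's sshd write to syslog. Hostnames, usernames, addresses and the key fingerprint are made up.

```python
import re

# Constructed sample auth-log lines (hostnames, users, addresses and the key
# fingerprint are made up) in the shape shadow-utils' useradd/usermod and
# OpenSSH's sshd write to syslog. They are not taken from any real incident.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 web01 useradd[4121]: new user: name=svcbackup, UID=0, GID=0, home=/home/svcbackup, shell=/bin/bash
Mar 10 02:14:07 web01 usermod[4130]: add 'svcbackup' to group 'sudo'
Mar 10 02:15:44 web01 sshd[4190]: Accepted publickey for svcbackup from 203.0.113.7 port 51122 ssh2: RSA SHA256:CONSTRUCTED_FINGERPRINT
Mar 10 08:30:12 web01 useradd[5210]: new user: name=alice, UID=1003, GID=1003, home=/home/alice, shell=/bin/bash
Mar 10 09:02:55 web01 sshd[5301]: Accepted password for alice from 192.0.2.20 port 40021 ssh2
"""

# Groups whose membership grants administrative rights on common distributions.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")
GROUP_ADD_RE = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
PUBKEY_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+)")


def _finding(host, user, rule, line):
    return {"host": host, "user": user, "rule": rule, "line": line}


def detect_ssh_persistence(log_text):
    """Return findings for the SSH-persistence chain, evaluated in log order.

    Rules:
      root_uid_account_created    a new account was created with UID 0
      added_to_admin_group        an account was added to sudo/wheel/admin/root
      new_account_publickey_login a key-based SSH login for an account that was
                                  created earlier in the same log window
    """
    created_users = set()
    findings = []
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a syslog-shaped line; skip rather than guess
        host, msg = m.group("host"), m.group("msg")

        if (nu := NEW_USER_RE.search(msg)):
            created_users.add(nu.group("user"))
            if nu.group("uid") == "0":
                findings.append(_finding(host, nu.group("user"), "root_uid_account_created", raw))
        elif (ga := GROUP_ADD_RE.search(msg)):
            if ga.group("group") in ADMIN_GROUPS:
                findings.append(_finding(host, ga.group("user"), "added_to_admin_group", raw))
        elif (pk := PUBKEY_LOGIN_RE.search(msg)):
            # Only flag key logins for accounts created in this window; routine
            # key-based logins by long-standing accounts are not interesting here.
            if pk.group("user") in created_users:
                findings.append(_finding(host, pk.group("user"), "new_account_publickey_login", raw))
    return findings


def rules_by_user(findings):
    """Collapse findings into {user: [rule, ...]} so the chain per account is visible."""
    chains = {}
    for f in findings:
        chains.setdefault(f["user"], []).append(f["rule"])
    return chains


if __name__ == "__main__":
    for f in detect_ssh_persistence(SAMPLE_AUTH_LOG):
        print(f"{f['host']} {f['user']} {f['rule']}")
```

On the sample, only the svcbackup account trips all three rules; alice is created with a normal UID and logs in with a password, so she produces no findings. The third rule is stateful on purpose: a public-key login is only suspicious here because the account did not exist at the start of the window, which is the distinction between routine administration and the persistence described above.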

Living Off The Land Detection

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
  WHERE All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system"
  BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 5
| `living_off_the_land_detection_filter`
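The search above is a risk-based correlation: it takes every risk event tagged with the "Living Off The Land" story, groups them by system and MITRE tactic, sums the scores, and fires only when five or more distinct detections contributed. The Python below is an added example, not the Splunk search or any Security Content code: it re-implements that aggregation over constructed risk events so the grouping and threshold behaviour can be inspected offline. Source names are taken from the detections listed on this page; the hosts, times, scores and the story tag on each event are made up, and which story a given detection actually belongs to is an assumption here.

```python
from collections import defaultdict
from dataclasses import dataclass

LOTL = "Living Off The Land"


@dataclass(frozen=True)
class RiskEvent:
    """One row of the Risk data model, reduced to the fields the search touches."""
    time: int                 # epoch seconds (_time)
    risk_object: str          # host or user the event is attributed to
    risk_object_type: str     # "system" or "user"
    source: str               # name of the detection that produced the event
    risk_score: float         # calculated_risk_score
    mitre_tactic: str         # annotations.mitre_attack.mitre_tactic
    mitre_tactic_id: str      # annotations.mitre_attack.mitre_tactic_id
    mitre_technique_id: str   # annotations.mitre_attack.mitre_technique_id
    analytic_story: str       # analyticstories


# Constructed sample risk events (hosts, times, scores and story tags are made up).
SAMPLE_RISK_EVENTS = [
    RiskEvent(1000, "web01", "system", "Windows Renamed Powershell Execution", 60, "Defense Evasion", "TA0005", "T1036.003", LOTL),
    RiskEvent(1060, "web01", "system", "Suspicious Rundll32 no Command Line Arguments", 70, "Defense Evasion", "TA0005", "T1218.011", LOTL),
    RiskEvent(1120, "web01", "system", "Detect Regasm with Network Connection", 80, "Defense Evasion", "TA0005", "T1218.009", LOTL),
    RiskEvent(1180, "web01", "system", "Windows Rasautou DLL Execution", 50, "Defense Evasion", "TA0005", "T1218", LOTL),
    RiskEvent(1240, "web01", "system", "Windows BitLockerToGo with Network Activity", 40, "Defense Evasion", "TA0005", "T1218", LOTL),
    RiskEvent(1300, "web01", "system", "Powershell Processing Stream Of Data", 60, "Execution", "TA0002", "T1059.001", LOTL),
    RiskEvent(1360, "web01", "system", "BITSAdmin Download File", 70, "Command And Control", "TA0011", "T1105", LOTL),
    RiskEvent(2000, "wks02", "system", "Suspicious Curl Network Connection", 30, "Command And Control", "TA0011", "T1105", LOTL),
    RiskEvent(2060, "wks02", "system", "LOLBAS With Network Traffic", 40, "Command And Control", "TA0011", "T1105", LOTL),
    RiskEvent(2120, "wks02", "system", "Windows SSH Proxy Command", 40, "Command And Control", "TA0011", "T1105", LOTL),
    RiskEvent(3000, "jdoe", "user", "Detect Mimikatz With PowerShell Script Block Logging", 90, "Credential Access", "TA0006", "T1003", LOTL),
    RiskEvent(3060, "web01", "system", "ESXi SSH Enabled", 50, "Lateral Movement", "TA0008", "T1021.004", "Other Story"),
]


def aggregate_risk(events, story=LOTL, object_type="system", min_sources=5):
    """Mirror the tstats search: filter, group, aggregate, then threshold on source_count."""
    groups = defaultdict(list)
    for ev in events:
        # WHERE All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system"
        if ev.analytic_story != story or ev.risk_object_type != object_type:
            continue
        # BY risk_object risk_object_type mitre_tactic: the threshold is per host AND per tactic
        groups[(ev.risk_object, ev.risk_object_type, ev.mitre_tactic)].append(ev)

    rows = []
    for (obj, obj_type, tactic), evs in groups.items():
        sources = sorted({e.source for e in evs})            # values(source) / dc(source)
        tactic_ids = sorted({e.mitre_tactic_id for e in evs})
        technique_ids = sorted({e.mitre_technique_id for e in evs})
        row = {
            "risk_object": obj,
            "risk_object_type": obj_type,
            "mitre_tactic": tactic,
            "firstTime": min(e.time for e in evs),
            "lastTime": max(e.time for e in evs),
            "risk_score": sum(e.risk_score for e in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_id": tactic_ids,
            "mitre_tactic_id_count": len(tactic_ids),
            "mitre_technique_id": technique_ids,
            "mitre_technique_id_count": len(technique_ids),
            "source": sources,
            "source_count": len(sources),
        }
        # | where source_count >= 5
        if row["source_count"] >= min_sources:
            rows.append(row)
    return sorted(rows, key=lambda r: (r["risk_object"], r["mitre_tactic"]))


if __name__ == "__main__":
    for row in aggregate_risk(SAMPLE_RISK_EVENTS):
        print(row["risk_object"], row["mitre_tactic"], row["risk_score"], row["source_count"])
```

On the sample only web01's Defense Evasion group crosses the threshold (five distinct sources, total score 300). Note what the BY clause implies: web01's two further LOTL detections under Execution and Command And Control do not count toward that group, and wks02 with three sources stays silent. Lowering min_sources to 3 would also surface wks02, which is the knob to tune when the threshold is too strict for an environment.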

Detections

Name | Technique | Type
Ivanti VTM New Account Creation | Exploit Public-Facing Application | TTP
Windows Suspicious C2 Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP
Linux Account Manipulation Of SSH Config and Keys | File Deletion, Data Destruction | Anomaly
Suspicious GPUpdate no Command Line Arguments | Process Injection | TTP
Cisco Secure Firewall - Repeated Malware Downloads | Obfuscated Files or Information, Ingress Tool Transfer | Anomaly
GPUpdate with no Command Line Arguments with Network | Process Injection | TTP
PowerShell Script Block With URL Chain | PowerShell, Ingress Tool Transfer | TTP
Linux Possible Ssh Key File Creation | SSH Authorized Keys | Anomaly
Ivanti EPM SQL Injection Remote Code Execution | Exploit Public-Facing Application | TTP
Windows Renamed Powershell Execution | Rename Legitimate Utilities | TTP
Windows MOVEit Transfer Writing ASPX | External Remote Services, Exploit Public-Facing Application | TTP
CrushFTP Authentication Bypass Exploitation | PowerShell, Windows Command Shell, Exploit Public-Facing Application | TTP
Windows Service Create SliverC2 | Service Execution | TTP
LOLBAS With Network Traffic | Ingress Tool Transfer, System Binary Proxy Execution, Exfiltration Over Web Service | TTP
AWS Exfiltration via DataSync Task | Automated Collection | TTP
MOVEit Empty Key Fingerprint Authentication Attempt | Exploit Public-Facing Application | Hunting
CrushFTP Server Side Template Injection | Exploit Public-Facing Application | TTP
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Detect Regasm with Network Connection | Regsvcs/Regasm | TTP
Linux SSH Authorized Keys Modification | SSH Authorized Keys | Anomaly
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
Azure AD New Federated Domain Added | Trust Modification | TTP
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Linux SSH Remote Services Script Execute | SSH | TTP
Nginx ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP
Windows Suspicious Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP
ESXi SSH Enabled | SSH | TTP
Conti Common Exec parameter | User Execution | TTP
Windows Exfiltration Over C2 Via Invoke RestMethod | Exfiltration Over C2 Channel | TTP
Jenkins Arbitrary File Read CVE-2024-23897 | Exploit Public-Facing Application | TTP
Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription | TTP
Zscaler Phishing Activity Threat Blocked | Phishing | Anomaly
PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly
ESXi SSH Brute Force | Brute Force | Anomaly
SearchProtocolHost with no Command Line with Network | Process Injection | TTP
Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
MacOS LOLbin | Unix Shell | TTP
Suspicious Rundll32 no Command Line Arguments | Rundll32 | TTP
Detect Empire with PowerShell Script Block Logging | PowerShell | TTP
Allow Network Discovery In Firewall | Cloud Firewall | TTP
Azure AD User ImmutableId Attribute Updated | Account Manipulation | TTP
Windows Cisco Secure Endpoint Related Service Stopped | Inhibit System Recovery | Anomaly
Powershell Processing Stream Of Data | PowerShell | TTP
Windows Steal Authentication Certificates CryptoAPI | Steal or Forge Authentication Certificates | Anomaly
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Dump LSASS via comsvcs DLL | LSASS Memory | TTP
Suspicious Curl Network Connection | Ingress Tool Transfer | TTP
File with Samsam Extension | None | TTP
Windows Screen Capture in TEMP folder | Screen Capture | TTP
Windows SQL Server Startup Procedure | SQL Stored Procedures | Anomaly
Powershell Fileless Process Injection via GetProcAddress | Process Injection, PowerShell | TTP
Common Ransomware Notes | Data Destruction | Hunting
Windows File Transfer Protocol In Non-Common Process Path | Mail Protocols | Anomaly
Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 | External Remote Services, Exploit Public-Facing Application | TTP
Windows BitLockerToGo with Network Activity | System Binary Proxy Execution | Hunting
Windows SSH Proxy Command | PowerShell, Ingress Tool Transfer, Protocol Tunneling | Anomaly
Ryuk Wake on LAN Command | Windows Command Shell | TTP
Linux Auditd Find Credentials From Password Stores | Password Managers | TTP
Windows Disable or Stop Browser Process | Disable or Modify Tools | TTP
Wsmprovhost LOLBAS Execution Process Spawn | Windows Remote Management | TTP
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
Svchost LOLBAS Execution Process Spawn | Scheduled Task | TTP
Processes launching netsh | Disable or Modify System Firewall | Anomaly
Trickbot Named Pipe | Process Injection | TTP
WordPress Bricks Builder plugin RCE | Exploit Public-Facing Application | TTP
Detect Regsvcs with Network Connection | Regsvcs/Regasm | TTP
Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP
Suspicious Rundll32 StartW | Rundll32 | TTP
Malicious PowerShell Process With Obfuscation Techniques | PowerShell | TTP
High Volume of Bytes Out to Url | Exfiltration Over Web Service | Anomaly
Windows New InProcServer32 Added | Modify Registry | Hunting
Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP
BITSAdmin Download File | Ingress Tool Transfer, BITS Jobs | TTP
Services LOLBAS Execution Process Spawn | Windows Service | TTP
Allow File And Printing Sharing In Firewall | Cloud Firewall | TTP
Linux Auditd Data Transfer Size Limits Via Split | Data Transfer Size Limits | Anomaly
MacOS AMOS Stealer - Virtual Machine Check Activity | AppleScript | Anomaly
Linux Medusa Rootkit | Rootkit, Credentials | TTP
Windows Security And Backup Services Stop | Inhibit System Recovery | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 | Exploit Public-Facing Application | TTP
Potential Telegram API Request Via CommandLine | Exfiltration Over C2 Channel, Bidirectional Communication | Anomaly
Windows Credentials Access via VaultCli Module | Windows Credential Manager | Anomaly
High Frequency Copy Of Files In Network Share | Transfer Data to Cloud Account | Anomaly
Windows Known GraphicalProton Loaded Modules | DLL | Anomaly
Linux Auditd Find Ssh Private Keys | Private Keys | Anomaly
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP

Data Sources

Name | Platform | Sourcetype | Source
Ivanti VTM Audit | Other | ivanti_vtm_audit | ivanti_vtm
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Cisco Secure Firewall Threat Defense File Event | Other | cisco:sfw:estreamer | not_applicable
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Suricata | Other | suricata | not_applicable
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrushFTP | Other | crushftp:sessionlogs | crushftp
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
AWS CloudTrail CreateTask | AWS | aws:cloudtrail | aws_cloudtrail
Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Azure Active Directory Set domain authentication | Azure | azure:monitor:aad | Azure AD
Nginx Access | Other | nginx:plus:kv | /var/log/nginx/access.log
VMWare ESXi Syslog | Other | vmw-syslog | vmware:esxlog
Sysmon EventID 20 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Splunk Stream HTTP | Splunk | stream:http | stream:http
Osquery Results | Other | osquery:results | osquery
Azure Active Directory Update user | Azure | azure:monitor:aad | Azure AD
Windows Event Log System 7036 | Windows | XmlWinEventLog | XmlWinEventLog:System
Windows Event Log CAPI2 70 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Windows Event Log Application 17135 | Windows | XmlWinEventLog | XmlWinEventLog:Application
Palo Alto Network Threat | Network | pan:threat | not_applicable
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Linux Auditd Execve | Linux | auditd | auditd
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 5145 | Windows | XmlWinEventLog | XmlWinEventLog:Security

Source: GitHub | Version: 2