Hellcat
HellCat is a ransomware operation and broader cybercrime ecosystem active in at least 2024–2025. Reporting describes it as a structured operation in which roles are distributed across multiple actors rather than concentrated in a single identity, with an access layer supported by brokers and personas linked to the group. Associated personas and aliases mentioned in reporting include Rey, Hikki-Chan, Miyako, miyak0, MIYAK000, nastya-miyako, miya, and mommy. Rey is described as linked to HellCat and as potentially holding an administrative or coordinating role; one artifact labeled the account as a "HELLCAT Administrator." Miyako is described as an Initial Access Broker operating within the HellCat ecosystem, selling footholds rather than data.

The group targeted enterprise organizations and industrial or manufacturing-adjacent victims. Victims explicitly named in reporting include Schneider Electric, Jaguar Land Rover (JLR), Ascom, and Affinitiv. HellCat claimed responsibility for a November 2024 intrusion into Schneider Electric, reportedly gaining access to internal Atlassian Jira systems with credentials harvested after an employee was infected with the Lumma infostealer. The reported Schneider Electric breach involved projects, issues, plugins, and more than 400,000 rows of user data, totaling over 40 GB compressed. In March 2025 reporting, HellCat was also attributed a JLR breach in which the group leaked hundreds of gigabytes of data; reporting cited 700 leaked internal documents and additional data including development logs, source code, and employee information. The intrusion was described as leveraging compromised Jira credentials, including credentials associated with an LG Electronics employee, obtained via infostealer malware. HellCat also compromised Ascom's technical ticketing infrastructure and exfiltrated approximately 44 GB of data, including source code, project details, invoices, and confidential documents. Affinitiv is also named as a company targeted through the same Jira-credential tradecraft.

Reporting consistently associates HellCat with credential-theft-enabled intrusions, especially the use of compromised Jira credentials harvested by infostealer malware such as Lumma. Reported access and post-access behaviors in the ecosystem include the sale and brokering of initial access, acquisition of RCE, administrative or CLI-level access, firewall and FortiOS access, VPN entry points, data exfiltration, and ransomware deployment. Splunk analytic references associate HellCat ransomware with SQL Server abuse and Windows certificate export activity, but the underlying reporting does not directly state that these were uniquely used by HellCat in confirmed incidents. Reporting also states that HellCat and Morpheus were essentially two distinct brands deploying identical ransomware payloads, a code or payload overlap that complicates attribution. One report notes that Kai West was connected to GOLD PUMPKIN, also known as HELLCAT. Another source states that the HellCat ransomware group reportedly shut down operations in May 2025.
Recent activity
Referenced as the ransomware ecosystem from which Sukob reportedly originated; no direct operational details for this campaign are provided beyond that association.
Structured ransomware ecosystem that relies on a supporting access layer to obtain and transfer compromised network access into victim environments.
A named cybercriminal ecosystem/group discussed in connection with data leaks, underground forum activity, and administrative coordination. The content centers on a persona, Rey, assessed as holding an administrative or coordinating role within HellCat-linked activity.
Referenced as an associated analytic story tied to ransomware activity; no specific actor behavior is described in the content.