Mallory

HelloKitty

Also known as: hellokitty

HelloKitty is a human-operated double-extortion ransomware operation active since November 2020. The group breaks into corporate networks, steals data, and encrypts systems, then threatens to leak the stolen data if victims do not pay. One of its most publicized attacks was the February 2021 intrusion at CD Projekt Red, during which the actors claimed to have stolen source code for Cyberpunk 2077, The Witcher 3, Gwent, and other games. In summer 2021, the operation began using a Linux variant targeting VMware ESXi. Reported aliases or related variant names include DeathRansom and FiveHands; a possible association with Abyss Locker has also been noted. The malware has been observed deleting volume shadow copies on compromised hosts to inhibit recovery. Multiple sources state that HelloKitty later became defunct, that its source code leaked, and that Kraken emerged from the remnants of, or as a continuation of, the HelloKitty operation. Some Conti leaders and affiliates are also reported to have dispersed into other ransomware ecosystems, including HelloKitty.


MITRE ATT&CK tradecraft

3 distinct techniques observed across reporting, grouped by tactic.

2 of 15 tactics, 3 techniques. ×N = number of intelligence reports citing this technique.

TA0010 Exfiltration (1 technique)
    T1537 Transfer Data to Cloud Account

TA0040 Impact (2 techniques)
    T1486 Data Encrypted for Impact (×2)
    T1657 Financial Theft