Helldown is a ransomware threat group active by at least late 2024 and described in May 2025 reporting as a rising ransomware group. Reporting links Helldown to extortion activity targeting European SMEs through Zyxel firewalls, with observed intrusions completing from initial access to encryption in under 1.5 hours. In the documented campaign, attackers reportedly gained initial access through direct SSL VPN connections on Zyxel devices, moved laterally in a malware-less manner using Remote Desktop via mstsc.exe, modified Zyxel firewall ACL rules to flatten segmentation and aid discovery, manually harvested credentials including from Veeam-related files, used Veeam-Get-Creds.ps1 to extract credentials from Veeam’s encrypted database, and deployed ransomware directly on ESXi hosts to encrypt virtual disk images. Observed tooling associated with Helldown includes Mimikatz for credential theft, Advanced Port Scanner and Advanced IP Scanner for discovery, and HRSword during encryption operations to monitor compromised internal servers. Reporting also notes Helldown-linked ransom communications using helldows@onionmail[.]org and TOX ID 19A549A57160F384CF4E36EE1A24747ED99C623C48EA545F343296FB7092795D00875C94151E, with Helldown ransom notes circulating in the wild from 19 November 2024. The content further states that an earlier September 2024 extortion wave using the identifier unitui57 showed technical overlap with later Helldown activity, especially in ESXi tooling, suggesting evolving tactics or a shared threat cluster. Helldown is also mentioned alongside Hellcat in prior intrusion-chain reporting by TrueSec and Sekoia. The content states that Zyxel was reportedly compromised by Helldown in August 2024, with the gang claiming exfiltration of 253 GB of internal documents.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
10 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Rising ransomware group; noted using credential theft and scanning tooling.
Ransomware/extortion operations targeting European SMEs via Zyxel SSL VPN access, using rapid hands-on-keyboard intrusion, malware-less lateral movement, credential harvesting, firewall ACL changes, and ESXi encryption. The later wave is explicitly attributed to Helldown, and the report assesses the earlier September ESXi locker activity as likely attributable to the same organization.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.