Introduction
HellCat is a relatively recent ransomware group first observed in late 2024, known for its data-theft and extortion campaigns targeting high-profile organizations. It operates a double-extortion model, exfiltrating sensitive information and threatening to publish it on its Tor-based leak site if ransom demands are not met. The group has been linked to multiple significant breaches, including incidents involving Schneider Electric and Capgemini, where large volumes of corporate data were allegedly stolen. HellCat’s payloads and leak infrastructure suggest a custom-built platform rather than a widely shared RaaS, and some incidents have involved only data exposure without confirmed encryption events. The group has drawn attention for recruiting or collaborating with high-profile threat actors, including the persona “Grep,” who acts as a public representative in some extortion cases.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.