Hellcat Ransomware Hits 4 Firms Using Infostealer-stolen Jira Credentials


Cybersecurity researchers at Hudson Rock have identified a new wave of cyber attacks by the HellCat ransomware group, this time targeting four companies across the United States and Europe. The common thread? Stolen Jira credentials, extracted by infostealer malware long before the actual breaches took place.

Who Got Hit

On April 5, 2025, HellCat posted proof of the breaches to their leak site, complete with countdown timers and their signature “Jiraware < < 3!!” tagline. According to their posts, they have stolen internal files, emails, and financial records, and they are threatening to leak or sell the data if the companies don’t meet their demands.

The latest victims include:

  • Asseco Poland (Poland) – a major IT solutions provider
  • HighWire Press (USA) – a platform serving scholarly publishers
  • Racami (USA) – a firm focused on customer communications tech
  • LeoVegas Group (Sweden) – an online gaming and betting company

How They Got In

According to Hudson Rock’s report shared with Hackread.com, the company traced every one of these breaches back to the same root cause: Jira credentials stolen by infostealer malware. The malware families involved, StealC, Raccoon, Redline, and Lumma Stealer, harvested login data from infected employee machines months (sometimes years) before the actual attacks.

Once HellCat got their hands on those credentials, they logged into each company’s Atlassian Jira environment. From there, they moved through internal systems, grabbed sensitive data, and kicked off their typical ransomware process.

This isn’t a new tactic for them. HellCat has previously used the same method to breach Jaguar Land Rover, Telefonica, Schneider Electric, and Orange, among others. It’s a pattern: find credentials in infostealer logs, access Jira, exfiltrate data, and demand ransom.

Compromised infrastructure of US-based firm Racami (Screenshot: Hudson Rock)

It’s also worth pointing out that a recent report from Hudson Rock revealed how infostealers, some sold for as little as $10, have compromised critical infrastructure worldwide. Even more concerning, the affected systems include employee machines at the FBI, Lockheed Martin, Honeywell, and branches of the US military.

Why Jira?

Jira is more than just a project management tool. In many companies, it is the central system tied to development workflows, customer data, internal documentation, and system access controls. If attackers can get into Jira, they can often get into just about everything else.

That is exactly what makes it such a high-value target for ransomware groups like HellCat. And because many organizations don’t protect Jira accounts with the same level of security as, say, email or VPN access, it becomes an easy win for attackers.

The Bigger Problem: Infostealers

Researchers believe that HellCat’s modus operandi only works because infostealer malware infects user devices and steals saved logins, cookies, session tokens, and more. The data is either sold on dark web markets or used directly by groups like HellCat.

Hudson Rock’s own data, based on over 30 million infected systems, shows that thousands of companies have Jira-related credentials stored in infostealer logs. In these latest cases, the stolen credentials were just sitting there, unmonitored and unchanged, giving HellCat all the time it needed to carry out the breach.

What Companies Should Be Doing

There are some steps companies can take to reduce the risk of attacks like these. First, it is important to monitor for infostealer infections using tools that can flag stolen credentials before they are used. If any signs of malware show up, compromised logins should be reset immediately, access reviewed, and suspicious activity tracked closely.

Jira, in particular, needs to be locked down with multi-factor authentication, restricted access, and proper network segmentation to limit how far an attacker can get if they break in. And since many of these infections start with phishing or malicious downloads, regular employee training goes a long way toward preventing them in the first place.
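The first recommendation above, checking stealer logs for your own Jira logins before an attacker does, is concrete enough to show in code. The Python below is an added example, not code from Hudson Rock or from this article: it parses a dump of stealer-log text, picks out entries whose URL points at the organisation’s Jira hosts (or at the shared Atlassian account login, when the username is an organisation mailbox), and produces the list of accounts to reset. The log text, the `acme` hostnames, the `acme.example` mail domain, and the two log layouts it understands are all assumptions made for the example.

```python
"""Triage infostealer-log text for Jira/Atlassian credential exposure.

Added example; not part of the Hudson Rock report or the article. All
hostnames, domains and log content below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample (not real victim data). Aggregated dumps commonly mix
# two layouts: key/value blocks separated by '=' rules (the "Passwords.txt"
# layout used by RedLine-family stealers, assumed here) and bare
# url:user:pass combolist lines.
SAMPLE_LOG = """\
===============
URL: https://acme.atlassian.net/login
Username: j.doe@acme.example
Password: Summer2023!
Application: Google Chrome
===============
URL: https://jira.acme.example/secure/Dashboard.jspa
Username: svc_build
Password: hunter2
Application: Mozilla Firefox
===============
URL: https://mail.google.com/
Username: j.doe@gmail.com
Password: notjira
Application: Google Chrome
===============
https://id.atlassian.com/login:j.doe@acme.example:Summer2023!
https://jira.acme.example/login.jsp:alice:pw1
https://notacme.atlassian.net/:bob:pw2
"""

# Assumed organisation settings for the example.
ORG_JIRA_HOSTS = {"acme.atlassian.net", "jira.acme.example"}
ORG_EMAIL_DOMAINS = {"acme.example"}
ATLASSIAN_SSO_HOSTS = {"id.atlassian.com"}  # shared Atlassian account login


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str

    @property
    def host(self) -> str:
        url = self.url if "://" in self.url else "https://" + self.url
        return (urlsplit(url).hostname or "").lower()


_KEY_ALIASES = {"url": "url", "host": "url", "username": "username", "user": "username",
                "login": "username", "password": "password", "pass": "password"}
_BLOCK_RULE = re.compile(r"^=+\s*$", re.MULTILINE)


def parse_stealer_log(text: str) -> list[Credential]:
    """Extract deduplicated (url, username, password) records from mixed log text."""
    records: list[Credential] = []
    seen: set[Credential] = set()

    def add(url: str, user: str, pwd: str) -> None:
        cred = Credential(url.strip(), user.strip(), pwd.strip())
        if cred.username and cred.password and cred not in seen:
            seen.add(cred)
            records.append(cred)

    # Layout 1: key/value blocks. partition() splits at the first ':' only,
    # so the '://' inside the URL value survives.
    for block in _BLOCK_RULE.split(text):
        fields: dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            norm = _KEY_ALIASES.get(key.strip().lower())
            if sep and norm:
                fields[norm] = value.strip()
        if {"url", "username", "password"} <= fields.keys():
            add(fields["url"], fields["username"], fields["password"])

    # Layout 2: url:user:pass lines. Split from the right because the URL
    # itself contains '://'. A password containing ':' would be mis-split;
    # such lines need manual review rather than silent acceptance.
    for line in text.splitlines():
        line = line.strip()
        if "://" in line and " " not in line and line.count(":") >= 3:
            rest, _, pwd = line.rpartition(":")
            url, _, user = rest.rpartition(":")
            add(url, user, pwd)

    return records


def find_jira_exposures(records: list[Credential],
                        jira_hosts: set[str] = ORG_JIRA_HOSTS,
                        email_domains: set[str] = ORG_EMAIL_DOMAINS) -> list[Credential]:
    """Return records that expose a Jira/Atlassian login belonging to the organisation."""
    hits = []
    for cred in records:
        host = cred.host
        org_jira = host in jira_hosts or any(host.endswith("." + h) for h in jira_hosts)
        # A generic Atlassian-account login only counts if the username is an org mailbox.
        mail_domain = cred.username.rpartition("@")[2].lower()
        org_sso = host in ATLASSIAN_SSO_HOSTS and mail_domain in email_domains
        if org_jira or org_sso:
            hits.append(cred)
    return hits


def accounts_to_reset(hits: list[Credential]) -> set[str]:
    """Distinct usernames that must be reset and have their sessions revoked."""
    return {c.username.lower() for c in hits}


if __name__ == "__main__":
    exposed = find_jira_exposures(parse_stealer_log(SAMPLE_LOG))
    for c in exposed:
        print(f"RESET {c.username:<22} seen at {c.host} ({c.url})")
    print("accounts to reset:", sorted(accounts_to_reset(exposed)))
```

Two design points matter in practice. Matching is done on the parsed hostname, not by searching the text for the string “jira”, so a tenant on `*.atlassian.net` belonging to someone else (the `notacme` line) is not flagged while an on-prem Jira on an unrelated hostname is. And a hit against `id.atlassian.com` is treated as yours only when the username is an organisation mailbox, since that login page is shared by every Atlassian Cloud customer. Resetting the password alone is not enough when the stealer also captured cookies or session tokens, so the reset step should include revoking active sessions and API tokens for each flagged account.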

Ultimately, HellCat isn’t doing anything out of the ordinary because they don’t have to. As long as organizations leave stolen credentials unchecked and keep relying on single-factor authentication for tools like Jira, groups like HellCat will keep getting in.
