Cybersecurity researchers at Hudson Rock have identified a new wave of cyber attacks by the HellCat ransomware group, this time targeting four companies across the United States and Europe. The common thread? Stolen Jira credentials, extracted by infostealer malware long before the actual breaches took place.
Who Got Hit
On April 5, 2025, HellCat posted proof of the breaches to their leak site, complete with countdown timers and their signature “Jiraware < < 3!!” tagline. According to their posts, they’ve stolen internal files, emails, and financial data, and they’re threatening to leak or sell the data if the companies don’t meet their demands.
The new victims include:
- Asseco Poland (Poland) – a major IT solutions provider
- HighWire Press (USA) – a platform serving scholarly publishers
- Racami (USA) – a firm focused on customer communications technology
- LeoVegas Group (Sweden) – an online gaming and betting company
How They Got In
According to Hudson Rock’s report shared with Hackread.com, the company traced every one of these breaches back to the same root cause: Jira credentials stolen by infostealer malware. These malware variants, StealC, Raccoon, Redline, and Lumma Stealer, harvested login data from infected employee machines months (sometimes years) before the actual attacks.
Once HellCat got their hands on these credentials, they logged into each company’s Atlassian Jira environment. From there, they moved through internal systems, grabbed sensitive data, and kicked off their usual ransomware process.
This isn’t a new tactic for them. HellCat has previously used the same method to breach Jaguar Land Rover, Telefonica, Schneider Electric, and Orange, among others. It’s a pattern: find credentials in infostealer logs, access Jira, exfiltrate data, and demand ransom.
It’s also worth pointing out that a recent report from Hudson Rock revealed how infostealers, some sold for as little as $10, have compromised critical infrastructure worldwide. Even more concerning, the affected systems include employee machines at the FBI, Lockheed Martin, Honeywell, and branches of the US military.
Why Jira?
Jira is more than just a project management tool. In many companies, it’s the main system connected to development workflows, customer data, internal documentation, and system access controls. If attackers can get into Jira, they can often get into almost everything else.
That’s exactly what makes it such a high-value target for ransomware groups like HellCat. And because many organizations don’t treat Jira accounts with the same level of security as, say, email or VPN access, it becomes an easy win for attackers.
The Bigger Problem: Infostealers
Researchers believe that HellCat’s modus operandi only works because infostealer malware infects user devices and steals saved logins, cookies, session tokens, and more. The data is either sold on dark web markets or used directly by groups like HellCat.
Hudson Rock’s own data, based on over 30 million infected systems, shows that thousands of companies have Jira-related credentials stored in infostealer logs. In these latest cases, the stolen credentials were just sitting there, unmonitored and unchanged, giving HellCat all the time it needed to prepare the breach.
What Companies Should Be Doing
There are some steps companies can take to reduce the risk of attacks like these. First, it’s important to monitor for infostealer infections using tools that can flag stolen credentials before they’re used. If any signs of malware show up, compromised logins should be reset immediately, access reviewed, and suspicious activity tracked closely.
Jira, in particular, should be locked down with multi-factor authentication, restricted access, and proper network segmentation to limit how far an attacker can get if they break in. And since many of these infections start with phishing or bad downloads, regular employee training goes a long way in stopping them in the first place.
Still, HellCat isn’t doing anything out of the ordinary because they don’t have to. As long as organizations leave stolen credentials unchecked and keep using single-layer authentication for tools like Jira, groups like HellCat will keep taking advantage.