Cybersecurity researchers at Hudson Rock have identified a new wave of cyber attacks by the HellCat ransomware group, this time targeting four companies across the United States and Europe. The common thread? Stolen Jira credentials, extracted by infostealer malware long before the actual breaches took place.
Who Got Hit
On April 5, 2025, HellCat posted proof of the breaches to their leak site, complete with countdown timers and their signature “Jiraware <3!!” tagline. According to their posts, they’ve stolen internal files, emails, and financial records, and they’re threatening to leak or sell the data if the companies don’t meet their demands.
The new victims include:
- Asseco Poland (Poland) – a major IT solutions provider
- HighWire Press (USA) – a platform serving scholarly publishers
- Racami (USA) – a firm focused on customer communications tech
- LeoVegas Group (Sweden) – an online gaming and betting company
How They Got In
According to Hudson Rock’s report, shared with Hackread.com, the company traced every one of these breaches back to the same root cause: Jira credentials stolen by infostealer malware. The infostealer variants involved (StealC, Raccoon, Redline, and Lumma Stealer) harvested login details from infected employee machines months, and sometimes years, before the actual attacks.
Once HellCat got their hands on those credentials, they logged into each company’s Atlassian Jira environment. From there, they moved through internal systems, grabbed sensitive data, and kicked off their typical ransomware process.
This isn’t a new tactic for them. HellCat has previously used the same method to breach Jaguar Land Rover, Telefonica, Schneider Electric, and Orange, among others. It’s a pattern: find credentials in infostealer logs, access Jira, exfiltrate data, and demand ransom.
It’s also worth pointing out that a recent report from Hudson Rock revealed how infostealers, some sold for as little as $10, have compromised critical infrastructure worldwide. Even more concerning, the affected systems include employee machines at the FBI, Lockheed Martin, Honeywell, and branches of the US military.
Why Jira?
Jira is more than just a project management tool. In many companies, it’s the main system connected to development workflows, customer data, internal documentation, and system access controls. If attackers can get into Jira, they can often get into just about everything else.
That’s exactly what makes it such a high-value target for ransomware groups like HellCat. And because many organizations don’t treat Jira accounts with the same level of security as, say, email or VPN access, it becomes an easy win for attackers.
The Bigger Problem: Infostealers
Researchers believe that HellCat’s modus operandi only works because infostealer malware infects user devices and steals saved logins, cookies, session tokens, and more. The data is either sold on dark web markets or used directly by groups like HellCat.
Hudson Rock’s own data, based on over 30 million infected systems, shows that thousands of companies have Jira-related credentials stored in infostealer logs. In these latest cases, the stolen credentials were just sitting there, unmonitored and unchanged, giving HellCat all the time it needed to prepare the breach.
What Companies Should Be Doing
There are some steps companies can take to reduce the risk of attacks like these. First, it’s important to monitor for infostealer infections using tools that can flag stolen credentials before they’re used. If any signs of malware show up, compromised logins should be reset immediately, access reviewed, and suspicious activity tracked closely.
Jira, in particular, needs to be locked down with multi-factor authentication, restricted access, and proper network segmentation to limit how far an attacker can get if they break in. And since many of these infections start with phishing or bad downloads, regular employee training goes a long way in preventing them in the first place.
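The report’s point that the stolen Jira credentials were “just sitting there, unmonitored and unchanged” suggests a concrete check a defender can run: compare each stolen-credential record against the account inventory and decide whether the password is still live (captured after the last rotation), whether the account is still single-factor, or whether the username is not even in the inventory. The script below is an added example, not code from Hudson Rock or Hackread; the log records, the account inventory, the example.com hostnames, the field names and the triage categories are all constructed for illustration, and a real feed would need its own parser for the stealer-log format.

```python
"""Triage infostealer-log credential exposures against a Jira account inventory.

Added example (not from the Hudson Rock report or Hackread). Everything below,
the log records, the inventory, the hostnames and the field names, is constructed.
"""
from datetime import date
from urllib.parse import urlparse

# Constructed sample of a normalised stolen-credential feed: one record per
# credential harvested from an infected machine (password itself omitted).
STEALER_LOG = [
    {"url": "https://jira.example.com/login.jsp", "user": "alice@example.com",
     "stealer": "Lumma", "captured": "2024-06-12"},
    {"url": "https://example.atlassian.net/login", "user": "bob@example.com",
     "stealer": "Redline", "captured": "2023-11-03"},
    {"url": "https://mail.example.com/", "user": "carol@example.com",
     "stealer": "StealC", "captured": "2025-01-20"},
    {"url": "https://jira.example.com/login.jsp", "user": "dave@example.com",
     "stealer": "Raccoon", "captured": "2024-02-28"},
    {"url": "https://jira.example.com/login.jsp", "user": "eve@example.com",
     "stealer": "StealC", "captured": "2025-02-10"},
]

# Constructed account inventory: MFA status and last password rotation date.
# "eve" is deliberately absent, standing in for an account nobody tracks.
ACCOUNTS = {
    "alice@example.com": {"mfa": False, "last_rotated": "2024-01-15"},
    "bob@example.com":   {"mfa": True,  "last_rotated": "2024-05-01"},
    "dave@example.com":  {"mfa": False, "last_rotated": "2025-03-30"},
}

# Reference date for exposure age; constructed to match the leak-site posting date.
AS_OF = date(2025, 4, 5)

# Lower number = handle first.
SEVERITY = {"RESET_NOW": 0, "UNKNOWN_ACCOUNT": 1, "ENFORCE_MFA": 2, "MONITOR": 3}


def is_jira_url(url):
    """True for self-hosted Jira (jira.<domain>) or Atlassian Cloud hostnames."""
    host = (urlparse(url).hostname or "").lower()
    return host.startswith("jira.") or host.endswith(".atlassian.net")


def classify(record, accounts, as_of):
    """Decide the action for one stolen-credential record."""
    user = record["user"].lower()
    captured = date.fromisoformat(record["captured"])
    acct = accounts.get(user)
    if acct is None:
        action = "UNKNOWN_ACCOUNT"          # not in inventory: contractor, leaver, shadow IT
    elif captured > date.fromisoformat(acct["last_rotated"]):
        action = "RESET_NOW"                # password captured after last change: still live
    elif not acct["mfa"]:
        action = "ENFORCE_MFA"              # rotated since, but still single-factor
    else:
        action = "MONITOR"                  # rotated and MFA on; watch for session reuse
    return {"user": user, "stealer": record["stealer"], "captured": record["captured"],
            "exposure_days": (as_of - captured).days, "action": action}


def triage(log, accounts, as_of):
    """Keep only Jira records, classify them, and order by severity then age."""
    findings = [classify(r, accounts, as_of) for r in log if is_jira_url(r["url"])]
    return sorted(findings, key=lambda f: (SEVERITY[f["action"]], -f["exposure_days"]))


def summarize(findings):
    """Count findings per action for a quick status line."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(STEALER_LOG, ACCOUNTS, AS_OF)
    for f in results:
        print(f"{f['action']:<16} {f['user']:<20} {f['stealer']:<8} "
              f"captured {f['captured']} ({f['exposure_days']} days ago)")
    print(summarize(results))
```

The ordering matters in practice: a credential captured after the last password change is the one an attacker can still use today, so it sorts ahead of an account that was rotated but still lacks MFA, and the mail-server record is dropped because the check is scoped to Jira. Extending the inventory with session-token expiry would let the same logic flag stolen cookies, which the report notes infostealers also collect.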
Nevertheless, HellCat isn’t doing anything novel, because they don’t have to. As long as organizations leave stolen credentials unchecked and keep using single-factor authentication for tools like Jira, groups like HellCat will keep taking over.