HellCat Ransomware Group: Infrastructure, Affiliations, and Activity on the Dark Web

In early 2024, a series of data leak posts began appearing across underground forums, gradually drawing attention to an actor operating under the name HellCat. What initially seemed like isolated disclosures soon revealed a more consistent pattern: one that pointed toward an emerging presence within the ransomware and data extortion ecosystem.

Unlike well-established ransomware groups that rely on polished branding and structured operations, HellCat’s activity appears more fluid, with traces scattered across multiple platforms including breach forums, Telegram channels, and publicly accessible paste services. These fragments, when viewed in isolation, offer limited insight. However, when correlated through StealthMole’s monitoring capabilities, a clearer picture begins to take shape.

This report examines HellCat not as a single isolated entity, but as part of a broader underground environment: one where aliases, shared resources, and overlapping communities often blur the lines between individual actors and collective operations. By following these traces across platforms, the investigation uncovers patterns of activity, communication, and potential affiliations that suggest a more interconnected presence than initially apparent.

Incident Trigger and Initial Investigation

To move from scattered observations to something more concrete, the next step was to test how consistently the HellCat name appeared across monitored data sources.

The investigation began by running the keyword “HellCat” within StealthMole’s Ransomware Monitoring module. This immediately surfaced 21 victims, all attributed to the same name, with activity recorded between October 2024 and May 2025. What initially looked like isolated mentions started to align into a more consistent pattern, reinforcing the idea that this was not a one-off actor.

To see whether this activity extended beyond corporate targets, the same keyword was then queried in the Government Monitoring module. This returned 3 additional incidents, dated between October 2024 and December 2024, indicating that the activity wasn’t limited to a single sector.

At this stage, the focus was still on the name itself. But a closer look at the results revealed something more useful than the victim listings.

Across both datasets, the same onion domain appeared repeatedly as the source where these incidents were originally posted:

  • http://hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion/

This overlap shifted the direction of the investigation. Instead of treating each listing as a separate data leak, the focus moved to the underlying source. The repeated reference to a single domain suggested that these posts were not randomly distributed, but were being published from a centralized location.

That domain became the starting point for deeper analysis.

Onion Infrastructure and Leak Platform Analysis

With the onion domain identified as a recurring source across both ransomware and government-related incidents, the next step was to examine it more closely through StealthMole’s Dark Web Tracker.

  • http://hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion/

The domain did not exist in isolation. When pivoted within the tracker, it revealed a cluster of seven related onion domains, all associated with the same naming pattern and likely part of the same infrastructure.

  • hellcatj6xgvho4qxnr2nbzzthsqel577i5wvzcpfjgavbo3d5l657id.onion
  • hellcatdohzngkuh7zruzhi2wojrawbnzbyzljtkw6iluv5ussfer4id.onion
  • hellcatdcy653ma43t2ryf2ztw5yfanqsbfmapndbqvteh5itctoijyd.onion
  • hellcatdue7rasyoi4oh6t3fhra5bpcj5t6xmrm4vjicfqdvrl24ijid.onion
  • hellcatdnrsu4i5uctbklunpfyv2ppiioh5sb3leu4dfgizinrve3gqd.onion
  • hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion

Among these, only one domain was observed to be active at the time of analysis:

  • hcat*************************************************ayd.onion

This instance was labeled as “HellCat Files” and presented a simple file-listing interface. The structure was minimal, with entries such as compressed files (.zip) available for download, without detailed descriptions, victim context, or negotiation interfaces typically seen in more mature ransomware leak sites.

The presence of multiple inactive domains suggests that the group has either rotated its infrastructure over time or experimented with different hosting instances. Rather than maintaining a stable, persistent leak site, the setup appears fragmented, with several domains no longer in use.

The active panel itself did not resemble a conventional ransomware data leak site. There were no visible victim listings, countdown timers, or negotiation mechanisms. Instead, the interface functioned more like a basic file repository, where content could be uploaded and accessed directly.

This shift, from victim listings to a simplified file distribution model, adds an important layer to understanding HellCat’s operations. It suggests that the group’s infrastructure is not built around structured extortion workflows, but rather around flexible and low-complexity content hosting.

At this point, the investigation moved beyond identifying the infrastructure itself and focused on uncovering the communication channels and identifiers embedded within it.

Communication Channels and Operational Setup

Following the identification of HellCat’s onion infrastructure, the next step was to examine what was embedded within these domains beyond file hosting. Using StealthMole’s Dark Web Tracker, several communication artifacts were identified across the indexed pages.

One of the first indicators was the presence of multiple TOX identifiers, including:

  • 898************************************************************E4
  • F97D**********************************************************E7F

These were consistently referenced within contact pages and error panels, indicating their role as primary communication channels. The use of TOX, a decentralized and encrypted messaging protocol, aligns with common practices among underground actors seeking to avoid traceable communication platforms.

In addition to TOX, multiple email addresses were identified:

  • he*******t@5**2.de
  • h****p@firemail.cc
  • h*****p@h****t.*w

These addresses followed a consistent naming pattern, suggesting they were part of a coordinated communication setup rather than isolated contacts. One of these entries was further linked to a PGP fingerprint:

  • 2A0**********************************F81
  • 1EE**********************************9A9

The presence of PGP keys indicates that encrypted communication was supported, likely for exchanging sensitive information such as data samples, credentials, or negotiation details.

Further exploration of the infrastructure revealed that HellCat maintained a broader operational interface beyond simple leak hosting. Certain onion pages included sections dedicated to:

  • Instructions on setting up TOX
  • Guides for using XMPP-based messaging
  • Basic walkthroughs on acquiring Bitcoin
  • A temporary note-sharing service for exchanging information

This combination of tools suggests an environment designed not only for publishing data, but also for facilitating interaction with external parties. The inclusion of step-by-step guides, particularly for cryptocurrency usage, indicates that the setup may be intended for users with varying levels of technical familiarity.

At the same time, parts of the interface appeared incomplete or templated. For example, generic placeholders such as user@jabber.com were present, suggesting that some components were not fully configured or were reused across deployments without customization.

Overall, the communication layer reflects a structured but relatively lightweight setup. Rather than relying on a single channel, HellCat appears to maintain multiple parallel methods of interaction, combining encrypted messaging, email, and public-facing interfaces to support its operations.

Associated Actors and Forum Presence

With the onion infrastructure and communication channels mapped, the next step was to identify whether this activity could be tied to specific actors operating across underground forums.

The pivot began from the active onion link:

  • hcat********************************************ayd.onion

When this domain was further investigated using StealthMole’s Dark Web Tracker, it led to a BreachForums thread associated with a dataset leak:

  • https://breachforums.**/Thread-DOCUMENTS**********Leaked-Download

This thread became a key entry point into identifying the actors operating around HellCat-related activity. From this thread and related pivots, multiple user profiles were identified:

  • https://breachforums.**/User-prx
  • https://breachforums.**/User-gwap
  • https://breachforums.**/User-Rey
  • https://breachforums.**/User-SMeu
  • https://breachforums.**/User-miyako
  • https://breachforums.**/User-AnonBF

These profiles were not randomly selected. Each of them appeared either directly within the thread, in associated discussions, or through cross-references observed during further navigation.

A closer review of these profiles revealed several points of overlap:

  • The user Rey maintained visible references to other accounts within their forum signature, including mentions of prx and SMeu.
  • The profile miyako was categorized as an Initial Access Broker, indicating involvement in selling or providing access to compromised systems rather than just sharing leaked data.
  • Multiple profiles referenced external communication channels (Telegram, Session), aligning with the communication infrastructure previously identified.

Beyond visible interactions, a more concrete layer of linkage emerged through communication identifiers. Several of these actors were associated with Session-based messaging IDs, which appeared across profiles and external communication references, including:

  • 05651**************************************************1328 (Gwap)
  • 05833*************************************************e918 (Miyako)
  • 0552e***************************************************5e5e (Pryx)
  • 05669***************************************************e00 (SMeu)
  • 05e5d**************************************************c9849 (Rey)

These identifiers provide a stronger technical basis for linking forum personas to off-platform communication channels. Unlike usernames, which can be easily changed or reused, Session IDs tend to remain consistent, making them useful for tracking continuity across environments.

In addition to forum activity, certain posts linked to external resources, including dataset previews and download links, reinforcing the connection between forum discussions and the onion-based file hosting infrastructure.

The same cluster of usernames was also observed in relation to data sale and leak posts beyond a single thread. For example, activity linked to HellCat-related datasets appeared in threads offering large-scale data packages, often accompanied by sample files and escrow-based transactions.

This pattern indicates that the activity is not limited to a single post or campaign, but instead reflects ongoing participation within underground data exchange environments.

While none of these accounts explicitly declare themselves as part of a formal “HellCat group,” the repeated overlap in forum threads, shared references, communication channels, and proximity to HellCat-linked infrastructure suggests the presence of a loosely connected cluster of actors.

Rather than operating as a tightly structured organization, HellCat appears to exist within a network where different individuals contribute to different parts of the workflow, from access acquisition to data distribution.
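The linkage logic described above (stable identifiers such as Session or Tox IDs tie personas together, while forum signatures and shared thread links are only supporting evidence) can be applied mechanically. The following is an added example, not StealthMole's code: it takes a small set of constructed artifact records (the handles, thread name and identifier values are placeholders, not the masked values from the report), merges personas that share a strong identifier with a union-find structure, and then lists the weaker cross-cluster links that still need confirmation.

```python
"""Cluster forum personas by shared off-platform identifiers (added example)."""
from collections import defaultdict

# Strong identifiers: hard to change without losing the contact channel.
STRONG = {"session_id", "tox_id", "pgp_fingerprint"}

# Constructed sample artifacts: (platform, persona, identifier_type, value).
# Two handles publish the same Session ID; one signature names another handle;
# a Tox ID is reused on Telegram; a thread is linked from the leak onion.
ARTIFACTS = [
    ("breachforums", "User-alpha", "session_id", "05" + "a" * 64),
    ("breachforums", "User-beta", "session_id", "05" + "a" * 64),
    ("breachforums", "User-beta", "signature_ref", "User-gamma"),
    ("breachforums", "User-gamma", "tox_id", "F" * 76),
    ("telegram", "tg:alpha_leaks", "tox_id", "F" * 76),
    ("breachforums", "User-delta", "session_id", "05" + "b" * 64),
    ("onion", "hellcat-files.onion", "thread_link", "Thread-EXAMPLE-Leak"),
    ("breachforums", "User-alpha", "thread_link", "Thread-EXAMPLE-Leak"),
]


class DisjointSet:
    """Minimal union-find with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def persona_key(platform, persona):
    return f"{platform}:{persona}"


def cluster_personas(artifacts):
    """Return (clusters, supporting).

    clusters   - sorted lists of persona keys joined by strong identifiers
    supporting - (persona_a, persona_b, kind, value) weak links that cross
                 cluster boundaries, i.e. leads that are not yet confirmed
    """
    ds = DisjointSet()
    personas = set()
    weak = defaultdict(set)  # (kind, object) -> personas touching that object
    for platform, persona, kind, value in artifacts:
        node = persona_key(platform, persona)
        personas.add(node)
        if kind in STRONG:
            ds.union(node, f"{kind}:{value}")  # identifier acts as a hub node
        elif kind == "signature_ref":
            target = persona_key(platform, value)  # handle named in a signature
            personas.add(target)
            weak[(kind, value)].update({node, target})
        else:
            weak[(kind, value)].add(node)

    groups = defaultdict(set)
    for p in personas:
        groups[ds.find(p)].add(p)
    clusters = sorted(sorted(g) for g in groups.values())

    supporting = set()
    for (kind, value), members in weak.items():
        for a in members:
            for b in members:
                if a < b and ds.find(a) != ds.find(b):
                    supporting.add((a, b, kind, value))
    return clusters, sorted(supporting)


if __name__ == "__main__":
    clusters, supporting = cluster_personas(ARTIFACTS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for a, b, kind, value in supporting:
        print(f"lead: {a} <-> {b} via {kind}={value}")
```

Running it on the sample yields four clusters (alpha+beta, gamma+the Telegram handle, delta alone, the onion alone) and two unconfirmed leads: the signature reference from beta to gamma, and the thread link shared by alpha and the onion host. Keeping the weak links out of the merge step is deliberate: a username in a signature or a link in a thread can be copied by anyone, whereas reusing a Session or Tox ID means the same person controls the channel.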

Technical Artifacts and Cross-Platform Indicators

As the investigation moved deeper into HellCat’s infrastructure and forum activity, additional artifacts began to surface that helped connect different parts of the ecosystem. These were not isolated findings, but recurring identifiers that appeared across onion sites, forum profiles, and communication channels.

One of the more significant observations came from the analysis of the primary onion domain, where seven different malware hashes were indexed. These were associated with the same infrastructure.

  • f9c1*********************************************************5e5
  • f8b6*********************************************************641
  • 7f28*********************************************************27c
  • 393b*********************************************************6f2
  • 15a2*********************************************************f0b
  • dcd7*********************************************************ac2
  • b8e7*********************************************************be7

These hashes are particularly important because, unlike domains or usernames, they remain consistent even if the actor changes infrastructure. Their presence suggests that HellCat is not only distributing leaked data but is also associated with ransomware files.

Alongside these technical indicators, multiple communication identifiers were observed across platforms. Session-based messaging IDs appeared repeatedly in connection with forum profiles and external communication channels, including:

  • 05e5d********************************************************9849
  • 05c9d********************************************************df73

These identifiers provided a consistent thread between different environments, linking forum activity to off-platform communication methods. Their reuse across contexts suggests continuity rather than isolated accounts, reinforcing the idea of a connected operational layer.

Similarly, the investigation identified one more TOX identifier used for encrypted communication:

  • 1F571****************************************************8F

The presence of multiple TOX IDs suggests either role separation or multiple individuals operating within the same environment. Rather than relying on a single communication channel, HellCat appears to maintain parallel options, which aligns with the fragmented infrastructure observed earlier.

Financial indicators also emerged during the investigation. A Bitcoin wallet was identified in connection with HellCat-linked activity:

  • bc1q****************************9x

The transaction activity associated with this wallet was limited and relatively low in value. This stands in contrast to the large-scale financial flows typically observed in established ransomware operations, where payments are often substantial and frequent. The modest activity here suggests that monetization may not be fully developed, or that the actor operates at a smaller scale than more mature ransomware groups.

Finally, Telegram activity provided additional context. Accounts associated with HellCat-related operations were observed sharing leaked content and interacting with other users. In several cases, content posted on forums was later redistributed through Telegram channels, indicating a pattern of cross-platform amplification. Some of these accounts were subsequently deleted, which may reflect attempts to reduce visibility or adapt to increased scrutiny.

Overall, these artifacts do more than just confirm presence; they help define the nature of the operation. The combination of persistent technical indicators, reused communication channels, and limited financial activity points toward an environment that is active but not fully structured. Rather than a tightly controlled ransomware operation, HellCat appears to operate within a flexible setup where tools, identities, and platforms are reused as needed.
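Before any of the identifier types cited in this section and in the earlier communication-channel section (v3 onion addresses, Tox IDs, Session IDs, a bech32 Bitcoin address) is used as a pivot, it is worth confirming that the value is structurally valid: a transcription error or a masked value would otherwise produce a false link. The checker below is an added example, not StealthMole's tooling. Because the report's values are masked, the sample inputs are constructed from a placeholder key and one public BIP173 test vector; the checksum rules themselves are the published ones for each format.

```python
"""Validate identifier formats before pivoting on them (added example, not StealthMole code)."""
import base64
import hashlib

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
HEX = set("0123456789abcdefABCDEF")

# Tor v3 onion: base32(pubkey[32] | sha3_256(".onion checksum"|pubkey|0x03)[:2] | 0x03)
def onion_checksum(pubkey):
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]

def make_onion(pubkey):
    """Address for a 32-byte ed25519 key (a placeholder key is enough to exercise the format)."""
    return base64.b32encode(pubkey + onion_checksum(pubkey) + b"\x03").decode().lower() + ".onion"

def check_onion(addr):
    host = addr.strip().lower().split("://", 1)[-1].rstrip("/")
    if not host.endswith(".onion") or len(host) != 62:
        return False, "v3 addresses are 56 base32 chars + .onion"
    host = host[:-6]
    if any(c not in B32.lower() for c in host):
        return False, "non-base32 character (masked or corrupted value)"
    raw = base64.b32decode(host.upper())
    if raw[34:] != b"\x03":
        return False, "unsupported version byte"
    if raw[32:34] != onion_checksum(raw[:32]):
        return False, "checksum mismatch"
    return True, "v3 onion, checksum ok"

# Tox ID: pubkey[32] | nospam[4] | checksum[2]; checksum XORs the 36 bytes into two lanes
def tox_checksum(body):
    chk = bytearray(2)
    for i, b in enumerate(body):
        chk[i % 2] ^= b
    return bytes(chk)

def make_tox_id(pubkey, nospam):
    body = pubkey + nospam
    return (body + tox_checksum(body)).hex().upper()

def check_tox(tox_id):
    s = tox_id.strip()
    if len(s) != 76 or any(c not in HEX for c in s):
        return False, "Tox IDs are 76 hex chars"
    raw = bytes.fromhex(s)
    if raw[36:] != tox_checksum(raw[:36]):
        return False, "checksum mismatch"
    return True, "Tox ID, checksum ok"

# Session ID: 0x05 key-type prefix + 32-byte x25519 key = 66 hex chars, no checksum
def check_session(sid):
    s = sid.strip()
    if len(s) != 66 or any(c not in HEX for c in s):
        return False, "Session IDs are 66 hex chars"
    if not s.startswith("05"):
        return False, "missing 05 prefix"
    return True, "Session ID, structure ok (format carries no checksum)"

# Bitcoin bech32 / bech32m (bc1...): BIP173 / BIP350 polymod checksum
def bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def check_bech32(addr):
    s = addr.strip()
    if s != s.lower() and s != s.upper():
        return False, "mixed case"
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1 or pos + 7 > len(s) or len(s) > 90:
        return False, "bad separator position or length"
    hrp, data = s[:pos], s[pos + 1:]
    if any(c not in BECH32 for c in data):
        return False, "non-bech32 character"
    vals = [BECH32.index(c) for c in data]
    const = bech32_polymod([ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + vals)
    if const in (1, 0x2BC830A3):
        return True, f"{'bech32' if const == 1 else 'bech32m'} ({hrp}), witness v{vals[0]}"
    return False, "checksum mismatch"

def classify(indicator):
    """Guess the type from shape, then run that format's check; masked values fail by design."""
    s = indicator.strip()
    if ".onion" in s.lower():
        kind, (ok, why) = "onion", check_onion(s)
    elif s.lower().startswith(("bc1", "tb1")):
        kind, (ok, why) = "bitcoin", check_bech32(s)
    elif len(s) == 76:
        kind, (ok, why) = "tox", check_tox(s)
    elif len(s) == 66:
        kind, (ok, why) = "session", check_session(s)
    else:
        kind, ok, why = "unknown", False, "no recognised shape"
    return {"indicator": s, "kind": kind, "ok": ok, "reason": why}

SAMPLE_KEY = bytes(range(32))  # constructed placeholder, not any service's real key
SAMPLES = [  # constructed inputs; the last mimics a masked value as printed in the report
    "http://" + make_onion(SAMPLE_KEY) + "/",
    make_tox_id(SAMPLE_KEY, b"\x00\x00\x00\x01"),
    "05" + "ab" * 32,
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",  # BIP173 test vector, not a wallet from the report
    "hcat****************************************ayd.onion",
]

if __name__ == "__main__":
    for r in (classify(s) for s in SAMPLES):
        print(f"{r['kind']:8} {'OK ' if r['ok'] else 'BAD'} {r['reason']}")
```

The checker only confirms that a value is well-formed and internally consistent; it says nothing about who controls the key or address behind it. Its practical use is triage: a v3 onion or Tox ID with a bad checksum, or a Session ID of the wrong length, should be re-verified against the source before it enters a link graph, and masked values like the last sample are rejected outright rather than silently matched.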

Conclusion

What initially appeared as a series of isolated leak posts linked to the name HellCat gradually revealed a more structured pattern when examined through StealthMole. The activity traced back to a shared onion-based infrastructure, supported by multiple communication channels and a recurring set of forum actors operating in close proximity to one another.

At the infrastructure level, the environment does not follow the conventions of established ransomware operations. Instead of maintaining a stable and structured leak site, HellCat relies on a fragmented setup, with multiple inactive domains and a single active instance functioning as a simple file repository. This suggests a level of operational inconsistency and a preference for flexibility over permanence.

In contrast, the communication layer shows a more deliberate approach. The use of multiple TOX identifiers, Session IDs, email addresses, and PGP keys indicates that the actors maintain several parallel channels, allowing them to adapt if any single method becomes unavailable. This balance between loosely maintained infrastructure and layered communication reflects a hybrid operational model.

The actor ecosystem further supports this interpretation. Rather than a clearly defined group, the activity is distributed across several forum profiles with different roles, including data sharing and access brokerage. These actors are connected not through explicit declarations, but through repeated overlap in threads, shared identifiers, and consistent proximity to HellCat-linked activity.

Technical artifacts add another dimension to this picture. While ransomware-classified files are present, the limited financial activity associated with identified cryptocurrency wallets does not align with large-scale extortion operations. This suggests that the activity may be driven more by data distribution and marketplace engagement than by structured ransom-based monetization.

Taken together, these findings show that HellCat does not fit neatly into a single category. It operates within a fluid and loosely connected ecosystem where infrastructure, identities, and roles are reused and adapted as needed. Rather than functioning as a centralized ransomware group, it reflects an emerging model of underground activity that prioritizes flexibility over structure.

Editorial Note

Attribution in cyber and dark web investigations is rarely definitive. The findings in this report are based on observable artifacts, platform correlations, and patterns identified through StealthMole. While these connections provide a strong analytical foundation, they do not imply absolute ownership or control by any single entity. This case highlights how seemingly unrelated data points, when explored systematically, can reveal meaningful patterns, while also reinforcing the need for caution in drawing conclusions within complex and evolving underground environments.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


IndoHaxSec: Inside the Expanding Network of a Pro-Palestinian Hacktivist Collective

In recent years, hacktivist groups have increasingly emerged as visible actors in the broader landscape of cyber operations. Often forming around shared political or ideological motivations, these collectives use digital attacks, data leaks, and public messaging to amplify their narratives and demonstrate technical capability. Among the groups that have surfaced within this environment is IndoHaxSec, a collective that presents itself as an Indonesian hacktivist entity and publicly frames its activities around political causes, particularly those connected to the Israel–Palestine conflict.

IndoHaxSec has appeared across several online platforms where it promotes its identity, claims cyber operations, and communicates with supporters. Like many hacktivist groups, its presence is distributed across multiple channels rather than centralized in a single space. Messages, attack claims, and other artifacts are shared through social platforms, messaging channels, and underground forums, creating a scattered but traceable digital footprint.

While the group positions itself as a politically motivated actor, the extent of its operations, its alliances with other hacktivist collectives, and the broader network surrounding it remain relatively unclear. Public claims and online messaging often provide only a partial view of how such groups function or how their activities connect across platforms.

This report traces IndoHaxSec’s digital footprint across several platforms in order to better understand how the group operates, how it communicates, and how it positions itself within the wider hacktivist landscape. By piecing together artifacts from defacement monitoring tools, Telegram channels, leak forums, and other open sources, the investigation reveals an expanding network of activity that goes well beyond isolated attack claims.

Incident Trigger and Initial Investigation

The investigation into IndoHaxSec began after the group appeared in connection with a data leak involving South Korean users. The breach, which was advertised online under the title “514.4K THOUSANDS OF SOUTH KOREAN POPULATION AND TRADER DATA,” drew attention due to both the scale of the dataset and the explicit attribution to IndoHaxSec.

  • https://xforums.***/threads/514********************3/

To better understand the scope of the group’s activity, the keyword “INDOHAXSEC” was queried across multiple modules within the StealthMole platform. The first step involved examining the Leaked Monitoring module, which indexes publicly advertised breaches, database leaks, and stolen data shared across underground forums and related platforms.

The search results quickly revealed that the South Korean dataset was not an isolated incident. StealthMole’s indexing showed that 27 separate leak-related entries associated with IndoHaxSec had been detected between December 2024 and March 2026. These entries included datasets allegedly originating from multiple countries and sectors, indicating that the group had been active across several leak forums and platforms over an extended period of time.

To further understand the nature of these activities, additional StealthMole modules were queried using the same keyword. This included the Defacement Alert module, which monitors website defacements, as well as Government Monitoring, which tracks incidents involving government-related data exposures. Together, these tools provided a broader view of the group’s publicly visible operations and helped establish an initial timeline of IndoHaxSec’s activity across different types of cyber incidents.

These early findings suggested that IndoHaxSec’s presence extended beyond a single breach claim and pointed toward a wider pattern of activity across multiple platforms. As a result, the investigation expanded to examine the group’s online infrastructure, including the messaging channels and forums where its operations and announcements were being promoted.

Mapping IndoHaxSec’s Online Presence

Following the initial findings from StealthMole’s monitoring modules, the investigation shifted toward identifying the online spaces where IndoHaxSec promotes its activities and communicates with its audience. Hacktivist groups often rely heavily on messaging platforms and social media to publicize attacks, share leaked data, and build alliances with other collectives. Tracing these channels therefore provides important insight into how such groups operate and how their narratives spread online.

Using StealthMole’s Telegram Tracker, several Telegram accounts operating under the IndoHaxSec name were identified. These accounts appear to represent different roles within the group and openly reference IndoHaxSec in their profile descriptions or usernames.

The following Telegram accounts were identified during the investigation:

  • Telegram ID: 80********5
  • Display Name: LEADER OF INDOHAXSEC TEAM
  • Username: @K3******K

  • Telegram ID: 67******50
  • Display Name: INDOHAXSEC SERVICE
  • Username: @IN******E**S******E

  • Telegram ID: 79********29
  • Display Name: INDOHAXSEC
  • Username: @hm*****7

  • Telegram ID: 7873654972
  • Display Name: The_Owner_IndoHaxSec

  • Telegram ID: 7230074565
  • Display Name: ItaChi
  • Username: @indo******9

Historical indexing within StealthMole also showed that the account associated with Telegram ID: 7929455429 previously used the username @Z_BL4CK_H before switching to @hmei7 on 2025-12-05. The earlier alias resembles the name of another Indonesian hacktivist group, Z BL4CK H4T, although the available data does not confirm a direct connection between the two.

In addition to individual accounts, several Telegram channels associated with the group were discovered. These channels appear to function as public communication hubs where IndoHaxSec posts announcements, shares defacement claims, and promotes leaked datasets.

The following Telegram channels were identified during the investigation:

  • https://t.me/INDOHAXSEC
  • https://t.me/indo*****
  • https://t.me/Indohaxsec_Team
  • https://t.me/Indo******

Posts within these channels frequently included attack claims, ideological messages, and links to datasets hosted on underground forums. For example, one post promoted a dataset titled “600,000 Federal Bank of India Database”, accompanied by a link directing users to a thread on DarkForums.

The Telegram channels also served as entry points to other platforms maintained by the group. Several posts encouraged followers to join additional communication channels operated by IndoHaxSec, including:

  • X account: https://x.com/INDO******C
  • WhatsApp channel: https://whatsapp.com/channel/0029**************0L

The presence of these cross-platform links suggests that IndoHaxSec attempts to maintain a distributed online presence rather than relying on a single communication platform. By directing followers across Telegram, X, and WhatsApp, the group appears to expand the reach of its messaging while ensuring that its announcements and propaganda can continue circulating even if individual channels are disrupted.

Mapping these accounts and channels provides an initial view of the group’s communication infrastructure. These spaces serve not only as places where IndoHaxSec announces operations but also as hubs where alliances, ideological messaging, and leaked data are publicly promoted.

Telegram Messaging, Narratives, and Alliances

With IndoHaxSec’s communication channels identified, the investigation then focused on the content shared within these spaces. Telegram channels associated with the group provide a clearer view of how IndoHaxSec frames its activities, promotes its operations, and interacts with other hacktivist collectives. Many of the posts observed during the investigation combined attack claims with political messaging, suggesting that the group uses Telegram not only to publicize incidents but also to reinforce its ideological positioning.

Several posts within the channel https://t.me/Indo****** referenced attacks and defacement activity. In one instance, the channel announced a defacement targeting the website:

  • https://casino4live.com/

The message accompanying the claim included the text “LETS FUCKING GO!! STOP_JUDOL!”, followed by hashtags such as #INDOHAXSEC, #HAXCHIPPER, and #OPSIJJIN_SUPPORTIRAN. These posts illustrate how the group uses Telegram to publicly claim responsibility for website defacements while linking the activity to broader ideological narratives.

The same channel also contained a post referencing the previously identified South Korean dataset leak. The message advertised a dataset titled:

“514.4K THOUSANDS OF SOUTH KOREAN POPULATION AND TRADER DATA.”

Within the message, the group framed the breach as a response to alleged racism from South Koreans and suggested that the incident was intended as an initial warning. The post included the hashtag #Ops_KrRacist, indicating that the attack was presented as part of a broader campaign narrative.

Beyond individual attack claims, Telegram posts also revealed collaborations between IndoHaxSec and other hacktivist groups. On 7 March 2026, the channel https://t.me/Indo****** announced an alliance between IndoHaxSec and another hacktivist collective known as HaxChipper. The message stated that the two groups would work together under an operation referred to as “Operation SijjinCyber,” which was described as supporting Iran and Palestine while targeting Israel, the United States, and their allies.

Another collaboration appeared in the channel https://t.me/Indohaxsec_Team, where a post referenced a joint operation between IndoHaxSec and AZRAEL OF DEATH. The message described the activity as part of a “Pakistan Cyber Support Operation,” suggesting coordination between multiple hacktivist groups aligned around similar geopolitical narratives.

Additional posts referenced collaboration with CLOBELSECTEAM, further indicating that IndoHaxSec operates within a broader network of hacktivist actors rather than functioning in isolation. These alliance announcements demonstrate how Telegram channels are used not only to claim attacks but also to signal partnerships and reinforce a sense of collective action within the hacktivist ecosystem.

In several instances, the messaging also targeted specific countries or political actors. Posts included slogans such as “FUCK ISRAEL” and “FUCK TRUMP,” alongside lists of websites allegedly targeted during the same operation. In another message shared in the channel https://t.me/INDOHAXSEC, the group issued threats directed toward India, claiming that future attacks would target a wide range of sectors including government institutions, companies, and educational organizations.

Overall, these posts provide insight into how IndoHaxSec uses Telegram to frame its operations within a broader narrative of political or ideological conflict. The platform appears to function as the group’s primary space for announcing attacks, promoting alliances, and amplifying the narratives that accompany its activities.

Underground Forum Activity and Data Leak Distribution

In addition to its messaging presence on Telegram, IndoHaxSec also appears to use underground forums to distribute and promote leaked datasets. These forums often serve as marketplaces or public repositories where threat actors advertise stolen databases, share proof samples, or direct users to download links. Investigating these spaces provided further insight into how the group publicizes its alleged breaches and interacts with the broader cybercrime ecosystem.

One such example was identified on the forum DarkForums, where a thread titled “DATABASE 3.2K THOUSAND ISRAEL TIP INFORMATION DATABASE” was posted. The thread was attributed to a user operating under the name INDOHAXSEC, suggesting that the group itself was responsible for publishing or promoting the dataset.

The thread can be accessed through the following link:

  • https://darkforums.***/Thread*********************DATABASE

From this post, the corresponding user profile associated with the thread was identified:

  • https://darkforums.me/User-I**********C

The investigation also revealed a session identifier associated with the activity:

  • 053d1*****************************************93047

The presence of this thread suggests that IndoHaxSec uses underground forums as a distribution channel for datasets it claims to have obtained. Such forums provide visibility among cybercrime communities while also allowing actors to promote their operations to a wider audience.

Another dataset advertisement linked to the group was discovered on the forum BreachStars. In this case, the post referenced a database described as “169,045 Database of the Israeli Traffic Department.” The post was attributed to a user named INDOHAXSECTEAM, which appears to be another variation of the group’s name used across platforms.

The associated user profile was identified at:

  • https://breachstars.***/profile/INDOHAXSECTEAM

While the usernames differ slightly across platforms, the naming convention strongly reflects the IndoHaxSec branding observed throughout Telegram channels and other artifacts identified during the investigation.

Together, these forum posts illustrate how IndoHaxSec extends its activity beyond social messaging platforms. Telegram channels appear to be used to promote attacks and share announcements, while underground forums provide a space where datasets can be distributed or advertised to audiences already engaged in cybercrime communities. This combination of messaging platforms and forum activity reflects a common pattern among hacktivist groups seeking both publicity and recognition for their operations.

Conclusion

This investigation set out to better understand the online footprint of IndoHaxSec by tracing the group’s presence across multiple digital platforms. Through analysis of artifacts collected from StealthMole monitoring tools, Telegram channels, underground forums, and related communication platforms, the investigation reveals a hacktivist collective that maintains a distributed but visible online ecosystem.

IndoHaxSec’s activity appears to revolve around a combination of messaging, attack claims, and data leak promotion. Telegram channels serve as the central point where the group announces operations, shares ideological narratives, and promotes links to external platforms hosting datasets or forum threads. Underground forums such as DarkForums and BreachStars provide an additional layer where data attributed to the group is advertised and distributed.

The group’s messaging frequently references geopolitical issues, particularly those connected to the Israel–Palestine conflict, while also directing rhetoric toward other countries and political actors. Alliance announcements involving groups such as HaxChipper, AZRAEL OF DEATH, and CLOBELSECTEAM further suggest that IndoHaxSec operates within a broader ecosystem of loosely connected hacktivist collectives.

While the investigation uncovered a wide range of artifacts associated with the group, the nature of hacktivist activity makes it difficult to determine the precise scale or authenticity of every claim. Some attacks may be genuine compromises, while others may represent exaggeration, reposted leaks, or activity carried out by affiliated actors rather than a single coordinated organization.

Nevertheless, the collection of digital traces identified during this investigation provides a clearer picture of how IndoHaxSec maintains its online presence, promotes its operations, and positions itself within the evolving landscape of hacktivism.

Editorial Note

Investigations into hacktivist groups rarely produce a complete or definitive picture of the actors involved. Online identities shift, channels disappear or reappear under new names, and claims of responsibility may be exaggerated or shared between loosely connected participants. As a result, attribution in these environments often remains fluid.

The IndoHaxSec case illustrates how piecing together fragments from multiple sources, including monitoring tools, messaging platforms, and underground forums, can help reveal patterns that might otherwise remain hidden. By navigating these fragmented digital spaces, platforms like StealthMole enable investigators to connect disparate signals and better understand how emerging hacktivist groups operate within the broader cyber threat landscape.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Inside RasCorp Group: Tracing a Ransomware Alliance within THE PERSEPHONE Network

Ransomware operations rarely function as isolated entities. In many cases, they emerge through loosely organized networks where individuals contribute different capabilities, ranging from malware development and infrastructure management to recruitment and operational coordination. Communication platforms such as Telegram have increasingly become central to these ecosystems, allowing actors to promote tools, recruit collaborators, and coordinate activities across dispersed communities.

During routine monitoring of Telegram discussions related to hacking and cybercrime, references to a group identifying itself as RasCorp Group, also described as the Ransomware Corporation Group, began to surface across several channels. Initial observations suggested that the group was actively promoting itself as a ransomware-focused operation while seeking individuals with expertise in malware development, networking, and infrastructure management.

At first glance, RasCorp appeared to operate primarily through Telegram-based communication channels where announcements, recruitment messages, and partnership statements were shared. However, further examination revealed that the group’s activities were not limited to a single channel or actor. Mentions of RasCorp appeared alongside references to other cyber groups and tooling developers, hinting at a broader network of collaborators operating within the same environment.

This raised important questions about the structure and capabilities of RasCorp: was the group simply promoting itself as a ransomware collective, or was it part of a larger ecosystem involving multiple actors and supporting tools? To answer this, the investigation focused on mapping the Telegram channels, identifying the key personas involved, and examining how RasCorp positioned itself within a wider network of cyber actors.

Incident Trigger and Initial Investigation

The investigation into RasCorp Group originated during the earlier analysis of THE PERSEPHONE platform, which revealed a collaborative environment involving multiple actors. While examining the structure of the Persephone website and the groups referenced within it, RasCorp Group appeared alongside VFVCT and ClayRat, suggesting that the platform was supported by more than one organization operating within the same ecosystem.

To better understand RasCorp’s role within this alliance, further analysis was conducted using StealthMole’s Telegram Tracker, which indexes conversations and activity across Telegram channels commonly used by cyber actors. Searching for references to “RasCorp” revealed several messages across different channels, including those already linked to VFVCT. These messages included recruitment announcements, partnership statements, and references to dedicated RasCorp communication channels.

One such announcement described a strategic alliance between three groups: CrackRat Zone Clay, RasCorp Group, and VFVCT (V For Vendetta Cyber Team). The message outlined the intended roles of each participant, presenting CrackRat Zone Clay as developers of multifunctional tools, RasCorp as responsible for business operations and coordination, and VFVCT as contributing operational and strategic capabilities.

The announcement also listed the Telegram channel associated with RasCorp:

  • https://t.me/rascorp************n

Because this channel appeared to serve as a central communication hub for the group, it became the starting point for deeper investigation into RasCorp’s structure, the individuals involved in managing the channel, and the activities promoted within its ecosystem.

RasCorp Communication Channels and Recruitment Activity

Following the identification of the RasCorp Telegram channel, further examination focused on understanding how the group used the platform to promote its activities and interact with potential collaborators. The channel https://t.me/rascorp********n, titled RascorpBusinessGentlemen, appeared to function as the primary communication hub for the group.

The channel description referenced RasCorp Group and included a contact bot, @Rascor***t, indicating that the platform was intended to facilitate direct interaction with individuals interested in the group’s operations. Posts within the channel and related discussions revealed that RasCorp actively promoted recruitment efforts, inviting individuals with technical expertise to participate in ransomware-related activities.

One recruitment message circulated within associated Telegram discussions stated that the group was seeking members with skills in malware development, networking, infrastructure management, and scripting, particularly those experienced with ransomware operations. The message also directed interested individuals to contact specific Telegram accounts for further discussion. Among the listed contacts were @jd*****929, identified as a RasCorp administrator, and @clay*****es, described as a business lead associated with the group.

In addition to the RasCorp channel itself, the recruitment messages referenced other channels connected to the alliance, including CrackRat Zone Clay (https://t.me/cr********y) and the VFVCT backup channel. These references indicated that RasCorp operated within a network of interconnected Telegram channels rather than relying on a single communication point.

The recruitment messaging and channel structure suggested that RasCorp was attempting to position itself as an organized ransomware operation capable of attracting collaborators with specialized skills. By maintaining Telegram channels and automated contact mechanisms, the group appeared to be building a communication infrastructure designed to facilitate coordination and expansion of its activities within the broader cyber underground.

Identifying Key Personas within RasCorp

Further analysis of the RasCorp Telegram channel led to the identification of several accounts associated with the group’s operations. One of the most prominent personas was the Telegram user @jd********929, who appeared to play an administrative role within the RasCorp ecosystem.

Using StealthMole’s historical indexing capabilities, the account’s previous profile data was examined to understand its activity over time. Historical records showed that the account had changed its username and profile images multiple times, indicating periodic efforts to modify its online identity.

Earlier identifiers linked to the account included the username @so******01, observed in records from October 2025, where the profile image depicted a hooded figure commonly associated with hacker-themed imagery. In earlier records from January 2025, the account used the username @Va*****92, accompanied by a profile image showing a screenshot of a website defacement page.

The defacement image referenced a message attributed to Cyber Virus, displaying text indicating that a website had been encrypted by the attacker. While the context of the image could not be independently verified, its presence within the account’s historical profile suggested an association with hacking or defacement-related communities.

Additional examination of the account’s activity across Telegram revealed participation in several unrelated channels. In one community, the user discussed bringing experienced individuals into a ransomware team, further reinforcing the account’s apparent involvement in RasCorp’s recruitment efforts. In other channels, the account engaged in discussions about credential lists and online account combinations, including requests for Eneba account combos.

Overall, the account’s historical identity changes, hacking-themed imagery, and recruitment-related messaging suggested that @jd******929 was likely an active participant in RasCorp’s Telegram ecosystem, potentially contributing to the group’s efforts to recruit collaborators and promote ransomware-related activities.
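The two correlation steps that recur in this report, matching handle variants across platforms (INDOHAXSEC on DarkForums against INDOHAXSECTEAM on BreachStars in the earlier section) and reconstructing an account's username history from periodic profile snapshots (the @jd account above), are simple enough to script. The following Python is an added example written for this page, not code from StealthMole or its products. Every record, handle, and account id in it is a constructed placeholder rather than one of the redacted identifiers from the report, and the `account_id` field assumes the platform exposes a stable identifier that survives username changes (Telegram's numeric user id behaves this way; for forums it is an assumption).

```python
"""Alias clustering and username-history reconstruction over profile snapshots.

Added example with constructed data; not code from the report or StealthMole.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class ProfileRecord:
    """One observation of an account's public profile at a point in time."""
    platform: str      # e.g. "telegram", "darkforums"
    account_id: str    # stable per-platform id (assumed to survive renames)
    handle: str        # username as displayed when the snapshot was taken
    observed: date     # date of the snapshot


# Constructed sample snapshots. Handles and ids are placeholders only.
# tg-4004 models an account that renamed itself twice over a year.
SAMPLE_RECORDS = [
    ProfileRecord("darkforums", "df-1001", "INDOHAXSEC", date(2025, 3, 2)),
    ProfileRecord("breachstars", "bs-2002", "INDOHAXSECTEAM", date(2025, 4, 11)),
    ProfileRecord("telegram", "tg-3003", "@IndoHaxSec_Official", date(2025, 2, 20)),
    ProfileRecord("telegram", "tg-4004", "@example_admin92", date(2025, 1, 14)),
    ProfileRecord("telegram", "tg-4004", "@example_ops01", date(2025, 10, 3)),
    ProfileRecord("telegram", "tg-4004", "@example_current929", date(2026, 1, 9)),
    ProfileRecord("telegram", "tg-5005", "@unrelated_user", date(2025, 6, 1)),
]

# Decorative suffixes that groups append to the same brand across platforms.
GENERIC_SUFFIXES = ("official", "team", "group", "backup")


def brand_key(handle: str) -> str:
    """Reduce a handle to its brand token: lowercase, strip '@' and punctuation,
    then peel off generic suffixes until none remain."""
    key = re.sub(r"[^a-z0-9]", "", handle.lower().lstrip("@"))
    stripped = True
    while stripped:
        stripped = False
        for suffix in GENERIC_SUFFIXES:
            if key.endswith(suffix) and len(key) > len(suffix):
                key = key[: -len(suffix)]
                stripped = True
    return key


def cluster_by_brand(records):
    """Group (platform, handle) pairs that share a brand token.
    A cluster spanning several platforms is a lead for cross-platform identity,
    not proof: an imitator can reuse a brand name just as easily."""
    clusters = {}
    for rec in records:
        clusters.setdefault(brand_key(rec.handle), set()).add((rec.platform, rec.handle))
    return {k: sorted(v) for k, v in clusters.items()}


def username_timeline(records, account_id):
    """Chronological (observed, handle) list for one stable account id,
    collapsing consecutive snapshots that show the same handle."""
    snaps = sorted((r.observed, r.handle) for r in records if r.account_id == account_id)
    timeline = []
    for observed, handle in snaps:
        if not timeline or timeline[-1][1] != handle:
            timeline.append((observed, handle))
    return timeline


def rename_events(records, account_id):
    """(date_first_seen_with_new_handle, old_handle, new_handle) for each rename."""
    timeline = username_timeline(records, account_id)
    return [(timeline[i][0], timeline[i - 1][1], timeline[i][1])
            for i in range(1, len(timeline))]


if __name__ == "__main__":
    for brand, members in cluster_by_brand(SAMPLE_RECORDS).items():
        if len(members) > 1:
            print(f"brand {brand!r} seen as: {members}")
    for when, old, new in rename_events(SAMPLE_RECORDS, "tg-4004"):
        print(f"{when}: {old} -> {new}")
```

The brand clustering is deliberately loose (it only strips a short list of suffixes), so it surfaces candidates for an analyst to confirm against profile images, linked channels, or shared contact bots, which is the corroboration the report itself relies on. The rename history is keyed on the stable account id rather than the handle, which is what makes it possible to tie the October and January snapshots above to a single persona despite the different usernames.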

Links to ClayRat Tooling

During the analysis of RasCorp’s Telegram ecosystem, additional connections emerged linking the group to an actor operating under the username @clay******s. This account had already been referenced in recruitment announcements associated with RasCorp and VFVCT, where it was described as a business lead involved in the alliance. To better understand this role, further investigation was conducted into the activity and historical identifiers associated with the account.

StealthMole’s historical indexing revealed that the account previously operated under the username @cr****t, recorded in January 2026, and displayed the name GhostDroid in earlier records. The earlier username appeared to reference RAT (Remote Access Trojan) tooling, which prompted further examination of the account’s activity across Telegram channels.

Monitoring the account’s activity showed that @clay**********s was particularly active in a community channel titled OFFICIAL YASHVIR GAMING CHAT. Within this channel, the user frequently shared images and discussions related to a tool referred to as G-700 RAT. Screenshots circulated by the user appeared to show an operator interface for the tool, including panels for managing clients and controlling various functions typically associated with remote access malware.

In addition to promoting the RAT tool, the user also posted messages announcing the launch of the G-700 RAT, indicating that the tool was being introduced or distributed within the community. Other messages attributed to the account referenced credential data, including offers to provide NowTV account logs, suggesting involvement in credential-sharing or data trading discussions commonly observed within underground communities.

The presence of the @clay**********s account within both RasCorp recruitment announcements and channels discussing RAT tooling highlighted the role of specialized tooling within the broader ecosystem. Rather than operating as an isolated developer, the account appeared to occupy a position where malware promotion, credential-related discussions, and collaboration with RasCorp and VFVCT intersected within the same Telegram environment.

Operational Structure and Alliance Dynamics

The artifacts identified during the investigation suggest that RasCorp Group does not operate in isolation but instead forms part of a broader collaborative structure involving multiple actors with complementary roles. Messages circulated across the Telegram channels referenced an operational alliance between RasCorp, VFVCT, and CrackRat Zone Clay, describing the partnership as a coordinated effort combining different capabilities within the cyber ecosystem.

According to the announcement observed during the investigation, each participant in the alliance appeared to contribute a distinct role. CrackRat Zone Clay was described as providing advanced multifunctional tools, while RasCorp Group was positioned as responsible for business operations and coordination. Meanwhile, VFVCT (V For Vendetta Cyber Team) was presented as contributing strategic and operational capabilities. This distribution of responsibilities suggested an attempt to structure the collaboration in a way that combined technical tooling, operational planning, and organizational coordination.

The presence of separate Telegram channels for each group, along with cross-references between them, reinforced the idea that these actors were operating within a shared ecosystem rather than as independent entities. Recruitment messages circulated within the network frequently directed interested individuals toward RasCorp contacts, while tooling-related announcements were associated with channels connected to CrackRat Zone Clay.

This structure indicates that the alliance was designed to integrate different functions of cyber operations, from tool development and recruitment to operational coordination. Within this arrangement, RasCorp appeared to position itself as a coordinating entity responsible for managing relationships and facilitating collaboration among participants within the broader network.

Conclusion

The activity surrounding RasCorp Group illustrates how ransomware-oriented operations can emerge within loosely structured online ecosystems rather than through a single centralized organization. The group’s presence across Telegram channels, recruitment announcements, and alliance messaging suggests an effort to position RasCorp as a coordinating entity capable of attracting collaborators with different technical capabilities. By presenting itself as responsible for the “business” and coordination aspects of operations, RasCorp appears to focus on building relationships and organizing participants rather than developing tools or conducting attacks independently.

At the same time, the connections identified with actors involved in malware tooling and credential trading highlight how such ecosystems often overlap with broader underground communities. Individuals active in hacking forums, gaming chats, and credential-sharing spaces can gradually transition into more organized cyber operations, bringing with them both tools and contacts from those environments. Within this context, RasCorp’s recruitment messaging and alliance formation may represent an attempt to formalize these relationships into a more structured ransomware-oriented collaboration.

Viewed in this light, RasCorp is less notable for a specific attack or dataset and more significant as an example of how cyber groups attempt to organize themselves in the early stages of operation. Monitoring these emerging networks, particularly those built around recruitment and partnerships, can provide valuable insight into how future ransomware or cybercrime campaigns may develop.

Editorial Note

Investigations into cyber actors operating across online communities rarely provide complete visibility into every aspect of their operations. Identities, infrastructure, and affiliations can change quickly, and participants may intentionally obscure their roles within collaborative networks. For this reason, attribution should be treated as an evolving assessment rather than a definitive conclusion. This case demonstrates how StealthMole’s monitoring capabilities can help trace connections between actors, communication channels, and tools across different layers of the cyber ecosystem, gradually revealing how such alliances take shape.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com

