Monday, May 5, 2025
HomeCVE/vulnerabilityHelldown Ransomware Attacking VMware ESXi And Linux Servers

Helldown Ransomware Attacking VMware ESXi And Linux Servers

Published on

SIEM as a Service

Follow Us on Google News

Helldown, a new ransomware group, actively exploits vulnerabilities to breach networks, as since August 2024, they have compromised 28 victims, leaking their data on a dedicated website. 

The ransomware group IS has updated its data leak site, removing three victims, possibly indicating successful ransom payments by continuing its double extortion tactic, stealing and threatening to leak data if ransom demands are not met.

It was active primarily in August and October and has compromised over 30 victims, including small and medium-sized businesses and larger organizations like Zyxel Europe, as their focus seems to have shifted between active attacks and tool development.

- Advertisement - Google News
Helldown ransom note from xml configuration

An analysis revealed that at least eight victims, including one compromised in early August, utilized Zyxel firewalls for IPSec VPN access during their breach, where two victims subsequently replaced their Zyxel firewalls post-compromise, as indicated by Censys historical data. 

Zyxel firewalls with v5.38 firmware have been compromised, potentially exploiting the critical CVE-2024-42057 vulnerability.

An attacker uploaded a potentially malicious ELF binary, possibly linked to the recent breaches, but the payload is incomplete.

Threat actors are exploiting vulnerabilities in Zyxel firewalls to create unauthorized accounts, such as “SUPPOR87” and “VPN,” via SSL VPN, potentially granting them unauthorized access to victim systems.

The Helldown group exploited a Zyxel vulnerability to compromise firewalls, using the OKSDW82A account to access the network via SSL VPN, where post-compromise activities included lateral movement, privilege escalation, and the deployment of tools like Advanced Port Scanner and HRSword, indicating potential ransomware intentions.

Helldown ransomware Icon for encrypted file

It exfiltrates large volumes of data, including sensitive documents, directly from network file shares while being less targeted, intensifying pressure on victims by exposing a wide range of confidential information.

The Windows executable payload is a ransomware variant that encrypts files, generates a ransom note, and persists on the infected system using Windows APIs.

The ransomware deletes system shadow copies, drops and executes a script to terminate critical processes, encrypts files, modifies filenames and icons, generates a ransom note, removes its traces, and shuts down the system.

According to Sekoia, it loads its configuration from an XOR-encrypted XML file, checks for administrator privileges, disables 64-bit redirection, and then encrypts specified files while deleting shadow copies and replacing file icons with a ransom note.

By executing commands, it deletes shadow copies, drops an icon, modifies the registry, and then terminates specified processes, creates a ransom note, and finally shuts down the system. 

Helldown, a new threat actor, exploits undocumented Zyxel firewall vulnerabilities to gain network access and deploy basic ransomware. Their success lies in their ability to exploit these vulnerabilities rather than the sophistication of their malware.

The group exploited a Zyxel vulnerability to deploy LockBit 3 ransomware, likely targeting virtualized VMware infrastructures, while this vulnerability, not yet assigned a CVE, has been addressed by Zyxel in a recent firmware update.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

LUMMAC.V2 Stealer Uses ClickFix Technique to Deceive Users into Executing Malicious Commands

The LUMMAC.V2 infostealer malware, also known as Lumma or Lummastealer, has emerged as a...

Hackers Selling SS7 0-Day Exploit on Dark Web for $5,000

A newly discovered dark web listing claims to sell a critical SS7 protocol exploit...

Chimera Malware: Outsmarting Antivirus, Firewalls, and Human Defenses

X Business, a small e-commerce store dealing in handmade home décor, became the latest...

MediaTek Fixes Multiple Security Flaws in Smartphone, Tablet, and TV Chipsets

MediaTek, a leading provider of chipset technology for smartphones, tablets, AIoT, and smart TVs,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

LUMMAC.V2 Stealer Uses ClickFix Technique to Deceive Users into Executing Malicious Commands

The LUMMAC.V2 infostealer malware, also known as Lumma or Lummastealer, has emerged as a...

Hackers Selling SS7 0-Day Exploit on Dark Web for $5,000

A newly discovered dark web listing claims to sell a critical SS7 protocol exploit...

Chimera Malware: Outsmarting Antivirus, Firewalls, and Human Defenses

X Business, a small e-commerce store dealing in handmade home décor, became the latest...