Threat Actor Spotlight: Pryx

January 8, 2025

Author: Jayden Palacios, CTI Analyst

Summary

Pryx is a threat actor who engages in malware/ransomware development and identity access brokering. Active on XSS since June 2024, Pryx has made notable contributions to the cybercrime community, particularly in his write-ups on server-side information stealers and silent Tor servers. Outside of these novel developments in malware, he has led the charge in creating a new ransomware group named Hellcat that already has four claimed victims on their data leak site (DLS). In addition, Pryx has operated in circles that create and maintain cybercrime forums including BreachForums, BlackForums, and most recently, DangerZone.

Analysis

The threat actor known as Pryx has recently escalated his activities, forming a new ransomware group and potentially developing a novel family of information-stealing malware. Pryx, who claims to be 17 years old, is an access broker and malware developer who primarily operates on the XSS cybercrime forum, with occasional activity on BreachForums. This actor has also operated under the aliases “HolyPryx” and “Sp1d3r” (not to be confused with a different threat actor who used the aliases “Sp1d3r” and “Sp1d3rhunt3rs” when advertising stolen data from the Snowflake breaches on BreachForums). He also worked on the DangerZone project, a cybercrime forum that started in November. Pryx is associated with prominent threat actors such as IntelBroker and members of the “Five Families” hacking alliance, highlighting a well-established network of collaborators and influence within the cybercrime community.

Screenshot of Pryx’s website: pryx[.]pw

The World’s First Server-Side Stealer

Pryx is most active on XSS, a popular cybercrime forum for hacking tools and other illicit activities. Occasionally, the forum will host “Article Competitions” where users are able to submit write-ups about operational security, malware, and many other topics for a chance to win prizes like cash or free hacking tools. The competition is designed to facilitate technical innovation, specifically in the world of cybercrime, and gives the users on the forum a chance to build up their reputation by showing off their knowledge or skills.

Pryx submitted a write-up for this competition on a piece of malware he calls “the first server-side stealer in the world.” As described by Pryx, the new malware inverts the established behavior of information stealers. Rather than having the stealer collect data and push it out to the attacker, it operates by setting up a hidden Tor service directly on the compromised machine. This covert service functions as a lightweight server that quietly hosts the stolen data. Instead of maintaining persistent connections or generating noticeable activity on the victim's machine, the malware allows the attacker to retrieve the stolen files through discreet GET requests. This reduces the chances of security researchers detecting the threat before sensitive information is stolen.

The innovation lies in its minimal footprint and low operational noise. Unlike traditional stealers, which often create a detectable network trail as they exfiltrate data to a remote server, Pryx’s approach reduces the risk of detection by leveraging the victim's machine as the hosting point for the stolen data. The use of Tor further obfuscates the communication, ensuring the attacker’s anonymity and complicating forensic investigations.

In his write-up, Pryx detailed how this malware builds on his earlier project, a silent Tor server malware, which presumably remains unreleased to the public. Since the implementation of the silent Tor server was not shared, it is not clear whether it is a viable method that would go undetected. Pryx nonetheless insisted on the technical sophistication of his creation and its potential to evade modern detection mechanisms, emphasizing its utility for cybercriminals seeking to avoid standard network-based intrusion detection systems (NIDS). According to Pryx, this silent server setup is the only code that runs on the victim’s machine, enabling the attacker to exfiltrate data through GET requests. Pryx also included a Python script with his article that decrypts the stolen data, as it is not exfiltrated in plain text. It is therefore possible that this malware could be used in successful attacks in the wild, but it is still unclear whether the malware was sold or shared with other threat actors.

This submission garnered significant attention within the forum, with a number of members praising the originality and practicality of the concept. Some users also expressed doubt regarding the real-world capability of the malware, claiming it would not be harder to detect and possibly would not work in regions where Tor traffic may raise flags, such as North Korea or China. However, Pryx explained that Tor is simply one way to achieve this and that there are other options, without providing much detail. Pryx's contribution not only boosted his reputation but also sparked discussions about the future evolution of malware and the increasing integration of anonymizing technologies in cybercrime.

Without a working proof of concept, the ramifications of such a tactic are still unknown. Taking its capabilities at face value, this malware could be the start of a new family of information stealers that would pose a challenging threat to organizations and individuals trying to secure their digital assets and information. The additional stealth and the novel tactic of using a victim’s machine as a temporary file host make the malware particularly dangerous, as there are not yet any indicators or detection rules available to cybersecurity experts to mitigate this threat.

Hellcat Ransomware

Pryx started the Hellcat ransomware group in October 2024. The group uses a double-extortion tactic, stealing sensitive data before encrypting it. This method allows them to threaten the release of the stolen information so that they can demand a higher ransom from the victim. Hellcat was seen executing their first ransomware attack against Israel’s Knesset, the state’s legislature. A week later, the group announced three new victims on their data leak site, the most notable being Schneider Electric, an energy management and automation company in France. In an attempt to gain attention, the group jokingly demanded a ransom of $150,000 in baguettes. This strange ransom was designed to catch the eye of researchers and journalists so that they would write about the attack, giving the group free advertisement for their ransomware.

Highlighting their attention-grabbing tactics, one of the group’s recent attacks made a lot of noise. The victim, a U.S. telecom provider named Pinger, reported printers automatically printing ransomware notes, the server room losing power, and alarms sounding throughout the building. Hellcat exfiltrated 105 GB of data, encrypted or corrupted 11 TB, and demanded a ransom of $150,000. They also accessed raw text and voice messages, plain SIP passwords, back-end tools, internal lookup utilities, and even source code. It seems they messed with physical systems to grab attention as there is no other practical benefit associated with these behaviors. Despite their demand for attention, this breach did not make headlines and is still unconfirmed by the victim.

Hellcat’s data leak site lists three of their victims including Schneider Electric

The Hellcat ransomware group consists of nine members who are all active on BreachForums and other cybercrime forums. The most notable member of the group is IntelBroker, a notorious threat actor responsible for multiple high-profile breaches and also the current owner of BreachForums. The connection to IntelBroker is particularly significant because, as the owner of BreachForums, he occupies a central position in the cybercrime community. His involvement in the Hellcat ransomware group highlights the prominence and influence of its members. This will also likely aid the group in gaining a positive reputation as their members already have the attention of cyber criminals and security researchers alike.

The other members of the group are all prominent users of BreachForums falling under three categories of threat actors: data brokers, initial access brokers (IABs), and malware developers. Data brokers are threat actors who leak or sell compromised data, while IABs are threat actors who sell access to networks that other threat actors can use to launch their attacks. IABs essentially find, or force, open doors in a network and hold them open for any other criminals who are willing to pay a fee. These members joining Hellcat marks a shift in their operations, transitioning from data and identity access brokering to the lucrative world of ransomware.

Screenshot of the Hellcat group’s website that displays its current members

Looking at the group’s victimology, they pick their targets based on financial opportunity and political motives. They also operate to be viewed as notorious and reputable threat actors, hoping to gain respect from the cybercrime community at large. Their financial motivation can be seen in chats between the members on their Telegram channels, where they often talk about getting rich from their criminal activities. Granted, there is a heavy dose of humor in these conversations. The leader, Pryx, is known to be very anti-Israel, like most of the threat actors in these related communities, and has also stated in an interview that his main focus is the government sector, emphasizing political motives. This tracks with their first victim being Israel’s Knesset, but the other victims do not match this motive, as they have no solid tie to the Israeli state, indicating that those attacks were likely financially motivated.

In a lull of activity, Hellcat had not been seen facilitating any ransomware attacks since November 15th. It seemed like the group had gone defunct, but on December 25th, the group posted two new victims to their data leak site: a Turkish vehicle warranty company and the Blora Regency of Indonesia. Additionally, when asked about the future of Hellcat in a recent interview, Pryx stated:

“Hellcat’s not slowing down. We are looking at new angles, better workflows, better tactics whatever, you name it. This game isn’t about perfection, it’s about being smarter, and one step ahead.”

In a recent update, this statement is supported by a new X/Twitter post made by Pryx using the @holypryx account. Sporting a new Santa Claus profile picture, Pryx posted a “sneak peak” of the group’s next ransom on Christmas Day. Two Hellcat members, Rey and Grep, are also tagged in the post. The screenshots show various directories, likely belonging to the potential victim, as well as a list of machines either produced during reconnaissance or representing successfully infected hosts.

The Hellcat operators clearly plan to ramp up their activity, but it is not clear what new developments they will bring to the ransomware landscape. However, given their connections to big-name threat actors and Pryx’s experience in malware development, we can expect them to return with sophisticated tactics and techniques. It is even possible that we will see the group use Pryx’s novel information stealer in conjunction with the Hellcat ransomware to further increase the chances of a successful attack. It is imperative that this group is monitored so that we can act on any opportunity to mitigate the significant threat they pose.

Screenshots of ransom notes from Hellcat attack on Sistem Informasi Pengelolaan Keuangan Daerah (SIPKD)

DangerZone

Pryx is also a moderator of a new cybercrime forum called DangerZone. Operating under the domain dangerzone[.]cx, the forum is accessible on both the dark and clear web. Like other cybercrime forums, DangerZone has a multitude of sections relating to different topics and illicit activities where users can contribute to the community and engage in discourse. Notable sections include leaked databases, malware, and software vulnerabilities.

The site appears to be fairly active for a new forum, boasting over 100 users, with posts in almost every available section. The forum operators have shared their forum in multiple threat actor group chats on Telegram and Discord and have also advertised on BreachForums. Even with an active user base and prominent actors like Pryx, forums are ephemeral in nature, making it anyone's guess whether DangerZone will be successful.

The forum’s user interface bears a striking resemblance to BlackForums, a now-defunct cybercrime platform created by a threat actor using the alias Astounding. Pryx and Astounding were seen to be associated during the development of that forum and even after its failure. Although Pryx’s involvement with BlackForums was limited, Astounding’s reputation suffered significantly after the forum’s collapse. Interestingly, in Signal group chats, Astounding has expressed interest in launching another forum but acknowledged that his damaged reputation makes it difficult. This has led some to speculate that Astounding may be involved in DangerZone, potentially operating under the alias "Sileo." Notably, Sileo, the owner of DangerZone, claims to have 12 years of experience but had no prior activity on other crime forums before creating this one. This is unusual for a forum owner, as they typically rely on their established reputation and community trust to attract users and make the platform feel secure.

Still, there is no concrete evidence to confirm that Sileo is Astounding operating under a different alias. The similarities between their forums and Sileo’s lack of an established history are not definitive proof. Forum builders, often used by developers to streamline construction, could explain the resemblance between the two platforms. These builders are frequently shared among threat actors or made freely available, meaning multiple forums may appear similar simply because they use the same tools.

DangerZone has attracted some attention, but the existence of large forums such as BreachForums, XSS, and RAMP will likely prevent this new forum from growing, as users have no reason to leave them at the moment. Even with notable threat actors joining the platform and a small user base, such forums struggle to take off and, in time, fade into obscurity. This was seen in our write-up on BlackForums when it was attempting to make a return but ultimately failed. Still, the forum is worth monitoring while it is active, as cybercriminals are already using it to share information and collaborate.

Conclusion

Pryx’s growing influence, combined with his innovative malware concepts and involvement in ransomware operations, presents a formidable challenge to cybersecurity professionals. With Hellcat preparing new attacks and Pryx continuing to push novel tools like his server-side stealer, it is vital for cybersecurity teams to monitor this actor and his affiliates closely to mitigate the significant risks they pose.

Recommendations

  • Monitor for updates on Pryx, the Hellcat ransomware, and any of its members
  • Monitor for IOCs belonging to the Hellcat ransomware as they are published; the ransomware is new and no indicators are available yet
