Hellcat Ransomware Group Hacked Ascom Technical Ticketing System

Swiss telecommunications solutions provider Ascom has fallen victim to a cyberattack by the notorious Hellcat ransomware group, which compromised the company’s technical ticketing system on March 16, 2025. 

The attack represents the latest in a global hacking spree targeting Jira servers, with Hellcat employing their signature method of exploiting compromised credentials to gain unauthorized access to sensitive corporate infrastructure.

According to Rey, a member of the Hellcat hacking group who communicated with BleepingComputer, the attackers exfiltrated approximately 44GB of data from Ascom’s systems.


The stolen information reportedly includes source code for multiple products, project details, invoices, confidential documents, and issues from the company’s ticketing system.

Hellcat Group Exfiltrates 44GB of Data

While Ascom has acknowledged the breach, they maintain that other IT systems and customer environments remain unaffected, with business operations continuing as usual.

“Investigations against such criminal offenses were initiated immediately and are ongoing. Ascom is working closely with the relevant authorities,” the company stated in its official press release. 

The Ascom IT Cybersecurity Team has closed the compromised ticketing system while determining the full extent of the attack.

The Hellcat group has established a consistent pattern of targeting Jira servers worldwide.

Jira, a project management and issue-tracking platform widely used by software developers and IT teams, often contains sensitive data including source code, authentication keys, IT plans, customer information, and internal discussions related to projects.

Security researchers have identified Hellcat’s signature technique: exploiting Jira credentials harvested from employees previously compromised by infostealer malware.

Hellcat emerged as a Ransomware-as-a-Service (RaaS) threat group in Q4 2024 and has quickly established itself as a significant cybersecurity threat. 

The group employs advanced methods of initial access, including phishing campaigns and exploitation of public-facing applications. 

Their sophisticated attack chain includes PowerShell infection sequences to establish persistence, defense evasion techniques, and command-and-control infrastructure that deploys SliverC2 malware.

Recent victims of Hellcat include major corporations such as Schneider Electric, Telefónica, Orange Group, and Jaguar Land Rover (JLR).

In the JLR breach, Hellcat exploited the credentials of an LG Electronics employee who had third-party access to JLR’s Jira server.

Examination of ransomware payloads shows that Hellcat shares code with the Morpheus ransomware group, both utilizing the Windows Cryptographic API and BCrypt algorithm for encryption. 

Both payloads exhibit the unusual characteristic of encrypting file contents without altering file extensions.

Organizations utilizing Jira systems are advised to implement robust credential management protocols, including regular password rotation, multi-factor authentication, and prompt revocation of third-party access when no longer needed. 

The ongoing Hellcat campaign demonstrates that outdated but valid credentials remain a significant security vulnerability that sophisticated threat actors continue to exploit.
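The three controls recommended above can be checked against an account inventory. The following is an added example, not code from Ascom, Atlassian or the original article: the CSV column names, the sample rows and both thresholds are constructed assumptions, not a real Jira export format.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; the column names are assumptions, not a Jira export format.
SAMPLE_CSV = """\
username,email,mfa_enabled,password_last_changed,last_login,third_party
alice,alice@corp.example,true,2025-02-10,2025-03-14,false
bob,bob@corp.example,false,2023-06-01,2025-03-12,false
ext-contractor,ops@vendor.example,false,2022-11-20,2024-05-02,true
carol,carol@corp.example,true,2024-01-15,2025-03-15,false
ext-qa,qa@partner.example,true,2025-01-05,2025-03-10,true
"""

MAX_PASSWORD_AGE_DAYS = 90       # assumed rotation policy
MAX_IDLE_DAYS_THIRD_PARTY = 60   # assumed idle window before third-party access is revoked


def audit_accounts(csv_text, today):
    """Return {username: [findings]} for accounts that break any of the three controls."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        pw_age = (today - date.fromisoformat(row["password_last_changed"])).days
        idle = (today - date.fromisoformat(row["last_login"])).days
        if row["mfa_enabled"].strip().lower() != "true":
            issues.append("no MFA")
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password {pw_age} days old")
        if row["third_party"].strip().lower() == "true" and idle > MAX_IDLE_DAYS_THIRD_PARTY:
            issues.append(f"third-party access idle {idle} days")
        if issues:
            findings[row["username"]] = issues
    return findings


def priority(issues):
    """An unrotated password with no MFA is what lets an old stolen credential still work."""
    stale = any(i.startswith("password") for i in issues)
    return "high" if stale and "no MFA" in issues else "review"


if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_CSV, date(2025, 3, 16)).items():
        print(f"{priority(issues):6} {user}: {', '.join(issues)}")
```

Accounts rated `high` are the ones to reset and enroll in MFA first; third-party accounts flagged as idle are candidates for revocation.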


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cybersecurity incidents.