We recently had the opportunity to have a chat interview with an actor going by the alias “pryx” who operates on a well-known darknet forum – XSS. Pryx is an initial access broker (IAB), a malware developer, and one of the admins of the Hellcat group.
We had also recently interviewed two actors: “Sukob”, loosely affiliated with the Hellcat group, and “Miyako”, one of the admins of the Hellcat group.
Pryx, who has previously operated under aliases like “holypryx” and “sp1d3r,” shares insights about the motivations, strategies, and tools used in cyber operations. The discussion dives into innovative techniques, including server-side stealers, Tor-based command-and-control (C2) systems, and the exploitation of recent CVEs.
Key Findings
Motivation and Background:
- Entered cybercrime at the age of 12-13, initially for trolling purposes but later focused on malware development and gaining initial access.
- Continues to refine skills with a long-term commitment to the field.
Innovative Techniques:
- Server-Side Stealer: Designed to minimize footprints by hosting Tor onion services on infected devices. Data is scraped remotely via GET requests, reducing detection risks.
- Silent Tor Servers: Used for stealthy command-and-control (C2) operations, avoiding direct outbound connections and bypassing EDR/firewall detections.
Targeting Preferences and Strategies:
- Focuses on U.S. and Israeli targets, prioritizing government sectors for their high-value data.
- Prefers spear phishing and exploiting vulnerabilities (CVE-based) for initial access, mentioning human error as a key weakness.
- Demonstrated expertise in chaining vulnerabilities, including CVE-2024-3400, to achieve effective exploitation.
Operational Security (OPSec):
- Implements strong OpSec by using encrypted drives, air-gapped systems, anonymous VPS servers, and secure communication tools like XMPP, Tox, and Session.
- Describes VPNs as a small but essential part of overall operational security.
Methodologies and Tools:
- Relies on spear phishing, outdated services, and vulnerabilities (CVE exploitation) for initial access.
- Uses BurpSuite, Netcat, Netscan, and custom scripts when necessary. Describes the toolkit as minimal, preferring simplicity and scripting for specific tasks.
- Highlights that most tasks don’t require overly specialized tools, favoring a “use what works” approach.
Common Security Flaws Observed:
- IDOR (Insecure Direct Object References) remains a significant vulnerability; Pryx cites it as the root cause of breaches such as the Saudi government’s 40GB data exposure.
Lessons from Failures:
- A failed attempt to deploy ransomware on China Life Insurance emphasized the importance of speed and preparedness during breach operations.
Persistence Techniques:
- Sets up new SSH users with root privileges, adds public SSH keys for fallback access, and deploys custom backdoors as a safety net.
The Interview
Below we have presented the questions and answers with no modification.
Question: Welcome to the Osint10x interview, Pryx! As this is our first engagement, can you please tell us about yourself and your work?
Pryx: Hi, thanks for having me. I’m Pryx, known on X as @holypryx. I’m currently a 17-year-old teenager. I entered the cybercrime world when I was 12 or 13 years old. Back then, I was mostly trolling and doing funny things. Now, I am interested in malware development and initial access. I plan to keep improving at what I do and have no intention of stopping anytime soon.
Question: What were your aliases in the past? Which all groups did you collaborate with so far?
Pryx: From what I can share, I’ve used the aliases “holypryx” and “sp1d3r” in the past. No other specific past aliases are worth mentioning since I switch aliases whenever I feel the heat.
I never worked with any group other than Hellcat after creating the alias “pryx”.
Question: What does your day look like away from the keyboard? Do you go for a run, surf, yoga, or are you always in the Twilight Zone?
Pryx: I have a normal life like anyone else. I go to school, hang out with my friends, and travel a lot. Of course, none of my real-life contacts know what I’m involved in. It’s kind of sad, but that’s how it should be.
Question: What’s your association with the Hellcat group, and how do you contribute?
Pryx: Hellcat started as a joke when my friend Grep made a comment in the BreachForums shoutbox during a conversation about ICA.gov. He said, “ICA is a cool name for a group.” I sent him a private message saying it wasn’t a bad idea. We planned it out and announced it on BreachForums. Later, we found out ICA was linked to an Iranian ISIS group, so we changed the name to “Hellcat,” which was suggested by a member of the group named Rey.
You can say I am one of the founders or leaders, something like this.
Question: I see there are multiple posts of a “server-side stealer”? Why do you consider it innovative compared to traditional stealers?
Pryx: A server-side stealer is something completely different from how normal stealers work. Most stealers run everything on the victim’s device. They grab passwords, cookies, and whatever else they need, then send it back to the attacker using POST requests. The problem is that it leaves a big footprint. EDRs and firewalls can pick that up because there’s constant outbound traffic happening.
This is why the server-side stealer is a game-changer. Instead of grabbing and sending data immediately, the malware hosts a Tor onion service on the victim’s device and sends us the onion address. That’s it. No massive exfiltration happening locally, just a directory listing. From there, we run scripts on our end to scrape everything we want through GET requests. It’s quieter, cleaner, and smarter.
The malware isn’t running a full stealer locally. All it does is set up the onion service and send us the username and onion address in a JSON request. There’s no direct “stealing” happening on the victim’s side, so it’s harder to detect. We control everything from our side. Once we have the onion address, the real work happens on our server.
Also, Tor does all the heavy lifting when it comes to anonymity. The onion service makes it impossible to trace back to us, and the victim’s device is just sitting there hosting files for us without knowing.
Question: What are the advantages of using a “Silent Tor Server” for command-and-control (C2) operations in malware?
Pryx: It is perfect for stealthy C2 operations because it avoids direct outbound connections that EDRs or firewalls would pick up on. Using Tor means both the attacker’s and victim’s IPs stay hidden, so tracing it back is extremely hard. The malware itself barely does anything—it just hosts a directory listing, keeping its footprint low and detection chances even lower. All the heavy lifting, like scraping and decrypting data, happens on our side, so we stay in full control without ever needing to touch the malware again. It’s simple, efficient, and secure.
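The two answers above describe malware that publishes a Tor onion service on the infected host so that the attacker pulls data with GET requests instead of the host pushing it out. From a defender's side, the durable artefact of that design is the Tor configuration itself: a workstation or server in a managed fleet has no business declaring a HiddenServiceDir. The following is an added example, not code from the page or from Hellcat; it parses torrc text (the sample below is constructed) and flags any onion service whose directory is not on an allowlist. HiddenServiceDir and HiddenServicePort are genuine Tor directives; the allowlist and file contents are assumptions for the demo.

```python
"""Audit torrc text for configured onion (hidden) services.

Added example for the server-side stealer discussion; not the page's code.
The torrc below is constructed. In Tor, each HiddenServicePort line attaches
to the most recent HiddenServiceDir, and an omitted target defaults to
127.0.0.1:<virtual port>, which the parser reproduces.
"""
from dataclasses import dataclass, field

# Constructed sample torrc (directive names are real Tor options).
SAMPLE_TORRC = """\
# constructed sample for the audit demo
SocksPort 9050
HiddenServiceDir /var/lib/tor/share/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/other/
HiddenServicePort 22
HiddenServicePort 443 127.0.0.1:8443
"""


@dataclass
class OnionService:
    directory: str
    ports: list = field(default_factory=list)  # [(virtual_port, target), ...]


def parse_hidden_services(torrc_text):
    """Return the onion services declared in torrc text, in file order."""
    services = []
    current = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # torrc comments start with '#'
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()  # Tor option names are case-insensitive
        if key == "hiddenservicedir":
            current = OnionService(directory=value.strip())
            services.append(current)
        elif key == "hiddenserviceport":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            parts = value.split()
            vport = int(parts[0])
            target = parts[1] if len(parts) > 1 else f"127.0.0.1:{vport}"
            current.ports.append((vport, target))
    return services


def find_unexpected_services(torrc_text, allowed_dirs=()):
    """Onion services whose directory is not on the (assumed) allowlist."""
    allowed = {d.rstrip("/") for d in allowed_dirs}
    return [s for s in parse_hidden_services(torrc_text)
            if s.directory.rstrip("/") not in allowed]


if __name__ == "__main__":
    for svc in find_unexpected_services(SAMPLE_TORRC):
        print(f"unexpected onion service in {svc.directory}: {svc.ports}")
```

In practice the text fed to the parser would come from every torrc on the host, not only /etc/tor/torrc, because a bundled Tor binary can be pointed at any config file; pairing this with an inventory of processes listening on loopback ports that the declared services forward to gives a second, independent signal.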
Question: You have referenced CVEs (e.g., CVE-2024-34102) in your discussions. What factors determine whether a vulnerability is worth exploiting at scale?
Pryx: Whether a vulnerability is worth exploiting at scale comes down to two key factors: impact and accessibility. The vulnerability needs to provide access to something valuable, like privileged credentials, sensitive data, or critical system controls. If it doesn’t offer a significant payoff, it’s not worth the effort.
The PoC should also be accessible to everyone. If it’s not, reproducing it isn’t too difficult. For example, when a new CVE drops, public PoCs are rarely released right away. Either they wait for companies to patch, or they don’t release them at all. So, I just use the public info available, reverse-engineer it, and reproduce a working PoC myself.
When a PoC finally goes public, I don’t waste time. I mass exploit vulnerable hosts, backdoor them, and block anyone else from getting in. Then, I go through the infected hosts to see if any are tied to big corporations. If I find one, I use it as a foothold and scan their network for more vulnerable devices to expand the attack.
Question: Talking about the mass exploitation of CVEs, what were the latest CVEs that you have mass-exploited?
Pryx: The last one I went for was CVE-2024-3400, arbitrary file creation in GlobalProtect that could lead to OS command injection. Out of the box, it didn’t get me RCE, so I had to grab another vuln from someone I know (redacted for privacy) to chain it together. Ended up working perfectly.
Honestly, mass exploitation isn’t just “run the CVE and go.” Sometimes you need to chain things, get creative, or know the right people to fill in the gaps.
Question: In your experience, how do you balance the resource demands of brute force attacks with the need to remain undetected?
Pryx: Bruteforcing can be noisy, but honestly, who cares? If the attack is successful and you gain access, that’s what really matters. Getting in is always the priority over worrying about making noise. If bruteforcing is your only option, then just go for it.
Question: What motivates you to participate in contests like “КОНКУРС СТАТЕЙ”(ARTICLE COMPETITION)? How do these events shape your approach to developing and sharing tools?
Pryx: I joined simply for fun and to share knowledge. This is the second time I’ve participated in a competition hosted by xss.is, and I plan to keep it up at least as long as I’m not banned (LockBit reference(joke)).
Question: You’ve expressed interest in topics like “tox protocol in malware communication.” What other emerging technologies or methods are you exploring for future use?
Pryx: I’m always looking into new ways to innovate and stay ahead. Aside from the Tox protocol for malware communication, I’ve been exploring decentralized networks and blockchain for secure C2 setups.
Question: What are the most common security flaws you have witnessed so far?
Pryx: Oh man, IDORs. Literally, 60% of the corps I target are vulnerable to them in some way. Even the Saudi government breach was caused by poor cookie management, leading to an IDOR that exposed 40 GB of citizen data and private email attachments. This included ID cards, driver’s licenses, and even work CVs.
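The answer above attributes the exposure to poor cookie management that turned into an IDOR: the server trusted something the client supplied to decide which record to return. The following is an added example, not code from the page; it puts a vulnerable document endpoint beside a hardened one. The session table, document store and cookie strings are constructed for the demo.

```python
"""Vulnerable and hardened handling of a per-user document endpoint.

Added example for the IDOR discussion; not the page's code.
All server-side state below is constructed.
"""

# Constructed server-side state.
SESSIONS = {"opaque-session-token-1": "alice"}      # session id -> user
DOCUMENTS = {                                       # doc id -> (owner, payload)
    101: ("alice", "alice's ID card scan"),
    102: ("bob", "bob's driver's licence"),
}


class Forbidden(Exception):
    pass


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def get_document_vulnerable(cookie_header, doc_id):
    """Vulnerable: identity is read from a client-writable cookie and never
    compared with the record, so any authenticated user can walk the ids."""
    cookies = parse_cookie(cookie_header)
    _user = cookies.get("user")   # client-controlled and unused in the check
    return DOCUMENTS[doc_id][1]


def get_document_hardened(cookie_header, doc_id):
    """Hardened: resolve the opaque session token on the server, then require
    that the stored owner of the record equals that user."""
    cookies = parse_cookie(cookie_header)
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        raise Forbidden("not authenticated")
    record = DOCUMENTS.get(doc_id)
    # Same error for 'missing' and 'not yours' so ids cannot be enumerated.
    if record is None or record[0] != user:
        raise Forbidden("no such document")
    return record[1]


def demo():
    """Cross-user request: returns (what the vulnerable handler leaks,
    whether the hardened handler blocked it)."""
    # alice's real session, plus a forged 'user' cookie, asking for bob's record
    cookie = "user=bob; session=opaque-session-token-1"
    leaked = get_document_vulnerable(cookie, 102)
    try:
        get_document_hardened(cookie, 102)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The ownership check belongs next to every lookup of a user-scoped record (or in the query itself, as a `WHERE owner = :user` predicate); a check at login time alone does nothing against an id swapped in a later request.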
Question: Which geo and sector interests you as a target, and why? Is there a broader motive or philosophy behind target selection?
Pryx: I’m most interested in U.S. and Israeli targets. U.S. data is highly valuable in the market, and I target Israel simply because I hate the Jews. My main focus is on the government sector.
Question: Can you share an example of a time when one of your projects or tactics failed? What lessons did you take away from that experience?
Pryx: We had RDP access to a company with $118 billion in revenue. It was China Life Insurance. We were in their systems for a week, fully prepared with the locker and backend server, ready to encrypt over 5TB of data. But when we tried to log in to execute the ransomware, our access was revoked. Worst timing ever.
What I learned from this experience is that we need to move fast and have everything fully prepared before trying to fuck with the target servers.
Not going to lie, we’re all still pissed about this incident, it was caused by stupid laziness.
Question: Suppose you’re tasked with designing malware that targets a high-security enterprise network. What combination of techniques (e.g., ETW patching, IAT camouflage) would you employ, and why?
Pryx: I’d honestly leave that to Sukob, he’s way better than me at malware development right now. But if I had to do it myself, I’d go with a mix of ETW patching and IAT hooking. ETW patching screws with the telemetry that EDRs rely on, so they can’t flag anything. IAT hooking lets you mess with API calls to make the malware look like a legit process. Throw in some obfuscation and sandbox evasion, and you’ve got something that’ll slip right through even high-security setups.
Question: During a breach operation, you discover unexpected anomalies, such as honeypot systems or advanced monitoring tools. How would you adapt your tactics to maintain operational security?
Pryx: If I run into something like a honeypot or advanced monitoring, I’d step back and analyze the environment.
I’d use passive recon to map out what’s legit and what’s bait. If it’s a honeypot, I’d mess with it a bit to waste their time while I figure out a new way to get in. If it’s monitoring tools, I’d look for ways to disable or bypass them. Always adapt, but don’t rush, that’s how you get caught.
Question: What’s your approach to target a network starting with selecting a target to compromising it? Can you give us a general overview?
Pryx: Oh, I love spear phishing. Most of my access is based on human errors. I also exploit outdated services or just abuse vulnerabilities in the backend itself to gain access.
First, I pick targets based on their value, usually large corporations or government sectors, especially those in the U.S. I do a lot of recon: OSINT, scanning for exposed services, or finding employees to phish. Once I have an entry point, be it stolen credentials, an RCE, or exploiting a CVE, I move in. From there, it’s all about privilege escalation, maintaining persistence, and mapping out the network. The ultimate goal is to hit where it hurts, whether that’s exfiltrating sensitive data or deploying ransomware. Every step is calculated, I don’t move unless I know it’s worth it.
Question: Once access is obtained, what techniques do you use to maintain persistence within the target system?
Pryx: Once I get in, the first thing I do is set up a new SSH user with root privileges. If they catch on and remove that user, no problem I’ll have already added my public SSH key to the host for direct access. And just in case they lock down SSH altogether, I always leave a custom malware backdoor running as a backup.
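The persistence layers described above, an extra root-level account and a planted public key, are both visible in two files a defender already has. The following is an added example, not code from the page; it parses /etc/passwd and authorized_keys text (the samples are constructed, with placeholder key blobs) and reports UID-0 accounts other than root and keys not on an approved list. The approved list is an assumption standing in for whatever key inventory the organisation keeps.

```python
"""Audit for the SSH persistence pattern: extra UID-0 accounts and
unapproved authorized_keys entries.

Added example; not the page's code. Both inputs below are constructed
and the key blobs are placeholders, not real keys.
"""
import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-backup:x:0:0:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; blobs are placeholders
ssh-ed25519 AAAAconstructedBlobAlice alice@laptop
ssh-rsa AAAAconstructedBlobUnknown
command="/usr/local/bin/run-backup" ssh-ed25519 AAAAconstructedBlobOther backup
"""

# Matches the key-type / blob / optional comment part of an authorized_keys
# line, whether or not an options prefix (command=, from=, ...) precedes it.
KEY_RE = re.compile(
    r"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com)"
    r"\s+(\S+)(?:\s+(.*))?"
)


def uid0_accounts(passwd_text):
    """Names of accounts with UID 0 other than root."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def parse_authorized_keys(text):
    """Return one dict per key line: type, blob, comment, and whether an
    options prefix (e.g. a forced command) was present."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue
        keys.append({
            "type": m.group(1),
            "blob": m.group(2),
            "comment": (m.group(3) or "").strip(),
            "has_options": m.start() > 0,
        })
    return keys


def audit(passwd_text, authorized_keys_text, approved_blobs):
    """Combine both checks into one report."""
    unapproved = [k["blob"] for k in parse_authorized_keys(authorized_keys_text)
                  if k["blob"] not in approved_blobs]
    return {"extra_uid0": uid0_accounts(passwd_text),
            "unapproved_keys": unapproved}


if __name__ == "__main__":
    approved = {"AAAAconstructedBlobAlice"}  # assumed key inventory
    print(audit(SAMPLE_PASSWD, SAMPLE_AUTHORIZED_KEYS, approved))
```

Run against real hosts, the inputs would be every user's ~/.ssh/authorized_keys plus any path named in sshd_config's AuthorizedKeysFile, and the comparison is better done on key fingerprints than on raw blobs; the structure of the check stays the same.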
Question: Share some of your TTPs you have used for attacks.
Pryx: Well, based on a threat intelligence report by an OSINT company analyzing my activities, they outlined the following TTPs, and honestly, I find it impressive how accurate they are:
- TA0001: Initial Access
- T1566: Phishing
- T1078: Valid Accounts
- TA0003: Persistence
- T1078: Valid Accounts
- TA0004: Privilege Escalation
- T1078: Valid Accounts
- TA0005: Defense Evasion
- T1078: Valid Accounts
- TA0040: Impact
- T1486: Data Encrypted for Impact
Question: What tools do you typically use in your operations?
Pryx: BurpSuite, Netcat, Netscan. I can’t think of anything else for now. I don’t really need a massive toolkit—most tasks don’t require anything too specific. If I do, I’ll script something myself or use whatever gets the job done.
Question: When a target initiates incident response procedures, what steps do you take to avoid detection or removal?
Pryx: At this point, you just trust the process and pray you don’t get detected. It’s all based on luck, honestly. There’s really nothing else you can do.
I just use Mullvad (I’m not sponsored by mullvad). Jokes aside, I’ve got plenty of decoys and fake identities set up. If anyone tries to do OSINT on me, they’ll just end up tracking some innocent person instead.
Question: How do you maintain your OPSec?
Pryx: Not committing human mistakes is the best way to keep your operational security tight. VPNs are just one piece of the puzzle. I encrypt all my hard drives and keep air-gapped systems for the more sensitive stuff. For communication, I stick to XMPP, Tox, and Session, which don’t leak metadata and use proper encryption. I also rent VPS servers anonymously, paying with crypto or whatever keeps me untraceable.
Question: You’ve been selling leaked databases for a while. Do you see this as a long-term plan, or are there other areas in the cybersecurity space that interest you?
Pryx: I’m into ransomware now it’s a great source of money. Selling leaked databases is just a stepping stone. Ransomware offers more control, higher stakes, and bigger payouts. It’s definitely where the real money’s at.
Question: What advice do you have for companies to better defend against such attacks?
Pryx: Honestly, there’s no way you can defend against these attacks if you keep paying lazy employees to sit around and do the bare minimum. Companies love to throw money at the latest shiny security tool, but if you don’t have people who actually care about securing your shit, it’s all pointless. You can’t patch a hole in the system with a piece of software when your employees can’t even spot a phishing email. Until you fix the real problem, your own team, no firewall or endpoint protection is going to save you.
Question: What is the future of Hellcat Group?
Pryx: Hellcat’s strategies are straightforward: precision and speed. There’s no need for flashy tactics or noise, just hit the weak points, take what’s valuable, and leave before anyone notices.
We’re not stuck on one method or tool. Flexibility is everything. Whether it’s exploiting vulnerabilities, phishing, or deploying custom tools, it’s all about adapting to the target and the moment.
As for the future, Hellcat’s not slowing down. We are looking at new angles, better workflows, better tactics, whatever, you name it. This game isn’t about perfection, it’s about being smarter, and one step ahead.
At the end of the day, if someone leaves the door open, we’ll walk through it. Simple as that.
Question: Thank you for your time, Pryx! Is there something else that we may have missed that you would like to tell us?
Pryx: No, I think I covered everything. Thank you for having me today.