Mallory
Malware · Used by 2 actors

Hashtopolis

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Contagious Interview

...hosting an open-source, distributed password cracking management system called Hashtopolis.

via The Hacker News (thehackernews.com)
CL-STA-0240

...hosting an open-source, distributed password cracking management system called Hashtopolis.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1078 Valid Accounts (Evidence: 2)

The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.

Persistence

1 technique
T1078 Valid Accounts (Evidence: 2)

The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.

Privilege Escalation

1 technique
T1078 Valid Accounts (Evidence: 2)

The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.

Stealth

1 technique
T1078 Valid Accounts (Evidence: 2)

The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.

Credential Access

9 techniques
T1003 OS Credential Dumping (Evidence: 2)

we also observed tools for additional credential harvesting, including dumping encrypted credentials from the Active Directory

T1110 Brute Force (Evidence: 9)

the broader collection reveals the working data of a live, multi-server initial access operation that was brute-forcing not only Fortinet VPN logins, but also gaining access to other accounts and edge devices including Synology NAS devices, Sophos firewalls, and MSSQL servers.

T1110.002 Password Cracking (Evidence: 15)

A cluster of 45 GPUs managed by Hashtopolis was used to crack the intercepted hashes...

T1110.004 Credential Stuffing (Evidence: 3)

attackers "processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers,"

T1555 Credentials from Password Stores (Evidence: 2)

The group reportedly intercepted SSL VPN authentication hashes and cracked them using a 45-GPU cluster managed through Hashtopolis.

T1557 Adversary-in-the-Middle (Evidence: 2)

“They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments,” Diachenko says.

T1558.003 Kerberoasting (Evidence: 1)

ad_full_audit.py enumerates SPN-bearing accounts; Harvester extracts TGS/Kerberos material and cracking infrastructure supports Kerberos formats.

T1558.004 AS-REP Roasting (Evidence: 1)

ad_full_audit.py enumerates DONT_REQ_PREAUTH accounts; Harvester and cracking stack support AS-REP material.

T1649 Steal or Forge Authentication Certificates (Evidence: 8)

Targeted information includes NTLM hashes, Kerberos tickets, RADIUS passwords, LDAP, FTP, SMTP, IMAP, POP3, MySQL, MSSQL, SNMP and Telnet credentials, and more.

Collection

1 technique
T1557 Adversary-in-the-Middle (Evidence: 2)

“They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments,” Diachenko says.

Command and Control

1 technique
T1102.002 Bidirectional Communication (Evidence: 1)

Telegram API is used for operator-side cracking orchestration and result distribution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (11)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.
