HYFLOCK RaaS — Breakglass Intelligence Report
TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime — Ransomware-as-a-Service (RaaS)
Status: LIVE — Active at time of investigation
Executive Summary
HYFLOCK is a previously unreported Ransomware-as-a-Service (RaaS) panel operating exclusively on Tor at e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion. The platform provides affiliates with a complete ransomware lifecycle toolkit: payload builder/generator, deployment capabilities, victim negotiation chat rooms, data leak publishing, and cryptocurrency payment processing (BTC, ZEC, XMR). The panel UI supports English and Russian, but Chinese-language developer comments embedded in the 8,112-line CSS file reveal the platform was built by a Chinese-speaking developer or development team. HYFLOCK is not indexed by any public threat intelligence platform — not ThreatFox, MalwareBazaar, RansomLook, Ransomware.live, or any vendor reporting. This is a first-of-its-kind disclosure by Breakglass Intelligence.
Key Findings
- Novel RaaS platform: HYFLOCK is completely unreported in public threat intelligence. Zero results across ThreatFox, MalwareBazaar, RansomLook, Cyble, Unit42, and general web searches.
- Chinese development origin: 94 lines of Simplified Chinese comments in the CSS source code reveal the developer's native language. Comments describe UI component systems (色彩系统, 字体层级系统, 间距系统) and panel-specific features (客户接受报价样式 = "customer accept offer style", 聊天界面优化 = "chat interface optimization", 支付状态样式增强 = "payment status style enhancement").
- Russian-speaking target audience: The panel UI supports English and Russian, with the Russian version featuring full translation of all operational terms including attack-specific vocabulary (ЦЕЛИ = targets, КОМНАТУ = room).
- Full RaaS lifecycle: CSS class analysis reveals a complete operational toolkit:
  - Ransomware payload builder/generator (action-create_generator, builder-form, generator-glass)
  - Deployment capability (btn-deploy)
  - Victim negotiation rooms with real-time chat (notification-room, chat-glass, chat-messages)
  - Ransom offer/counter-offer workflow (offer-amount, pending-offer, status-pending_customer_acceptance, status-customer_rejected)
  - Data leak publication with screenshots and ZoomInfo enrichment (leak-card, leak-screenshots-preview, leak-zoominfo)
  - Cryptocurrency payment processing (payment-glass, payment-stats, payment-filters)
- Dual-portal architecture: Separate login paths for affiliates (login_type=attacker, username/password) and victims (login_type=customer, target ID only — "ENTER ROOM" button).
- Open registration: The panel accepts new affiliate registrations at /register, indicating active recruitment.
- DDoS protection: Custom captcha-based anti-DDoS layer with server-generated image captchas (200x80 PNG, 6 alphanumeric characters, 100-second timer).
- Professional security posture: Content Security Policy headers, X-Frame-Options DENY, no-referrer policy, CSRF tokens on all forms, catch-all authentication redirect (all unauthenticated paths return 302 to /login).
What Was Found vs. What Was Known
| Aspect | Prior Public Reporting | Our Findings |
|---|---|---|
| HYFLOCK existence | No reporting whatsoever | LIVE RaaS panel on Tor, fully operational |
| Developer origin | Unknown | Chinese-speaking (94 lines of Simplified Chinese CSS comments) |
| Target audience | Unknown | Russian and English-speaking affiliates |
| Capabilities | Unknown | Full lifecycle: build, deploy, negotiate, leak, collect payment |
| Victim portal | Unknown | Dedicated victim login via Target ID for ransom negotiation |
| Payment methods | Unknown | BTC, ZEC (Zcash), XMR (Monero) |
| Infrastructure | Unknown | Single .onion hidden service with DDoS protection |
| Affiliate recruitment | Unknown | Open registration available |
Attack Chain (Inferred from Panel Structure)
[1] AFFILIATE REGISTRATION: /register; username + password; open to new recruits
[2] PAYLOAD GENERATION: /builder (generator-form); customizable ransomware build configuration
[3] DEPLOYMENT: btn-deploy; target selection (target-id-code)
[4] VICTIM ENCRYPTION: ransomware executes; data exfiltrated; ransom note with Target ID
[5] NEGOTIATION: /chat (notification-room); victim enters Target ID; real-time chat with affiliate; offer / counter-offer (status-pending_customer_acceptance)
[6] PAYMENT: /payments; BTC / ZEC / XMR; payment-stats; status-completed
[7] DATA LEAK (if unpaid): /leaks; leak-card with screenshots; leak-zoominfo enrichment; leaks-filter-bar
[8] PROFIT SPLIT: dashboard stats; affiliate payout
Infrastructure Analysis
Hidden Service
| Attribute | Value |
|---|---|
| Onion Address | e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion |
| Protocol | HTTP (no TLS — standard for .onion) |
| Server Software | Not disclosed (no Server header) |
| Application Framework | Custom — likely Go or Node.js (chunked transfer encoding, clean routing) |
| Status | LIVE as of 2026-04-03 |
Security Headers
| Header | Value | Assessment |
|---|---|---|
| Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; frame-ancestors 'none' | Strict CSP — no external resources allowed |
| X-Frame-Options | DENY | Clickjacking protection |
| X-Content-Type-Options | nosniff | MIME sniffing protection |
| X-XSS-Protection | 1; mode=block | XSS filter enabled |
| Referrer-Policy | no-referrer | Full referrer suppression |
| Permissions-Policy | geolocation=(), microphone=(), camera=() | Feature restrictions |
| Cache-Control | no-store, no-cache, must-revalidate, proxy-revalidate | Aggressive cache prevention |
Endpoint Map
Authenticated (302 -> /login):
/admin, /dashboard, /panel, /profile, /settings, /wallet, /payments, /leaks, /victims, /targets, /builds, /builder, /chat, /messages, /tickets, /faq, /support, /news, /blog, /about, /rules, /tos, /terms, /contact, /help, /api/stats, /api/config, /api/version, /api/ping, /api/targets, /api/builds, /api/leaks, /api/news, /api/register
Unauthenticated (200):
/login, /register, /ddos-verify, /css/style.css, /fonts/fonts.css, /api/captcha-refresh, /api/captcha-image/{id}
Not Found (404):
/js/app.js, /favicon.ico
Technology Stack
| Component | Evidence |
|---|---|
| Fonts | Self-hosted Orbitron (4 weights) + Rajdhani (4 weights) via woff2 |
| CSS Framework | Custom — 8,112 lines, 528 unique classes, comprehensive design system |
| UI Theme | "Cyberpunk glass morphism" — dark backgrounds, neon accents, glass effects |
| Design System | CSS custom properties for colors, spacing, typography, shadows, animations, borders |
| Captcha | Server-generated PNG (200x80), 6 alphanumeric characters, 100-second expiry, refresh via API |
| API Style | RESTful — /api/login, /api/customer-login, /api/register, /api/ddos-verify, /api/captcha-refresh |
| Internationalization | Query parameter ?lang=en / ?lang=ru |
Developer Attribution Analysis
Chinese-Speaking Developer (ASSESSED — HIGH Confidence)
Evidence: 94 lines of Simplified Chinese comments in /css/style.css across the entire 8,112-line file. These are development comments, not user-facing text — they describe internal component architecture, optimization notes, and design system documentation. This indicates the CSS was written by a native Chinese speaker, not translated or auto-generated.
Selected Chinese Comments (Translated):
| Chinese | English Translation | Significance |
|---|---|---|
| 统一色彩系统 | "Unified color system" | Design system architecture |
| 客户接受报价样式 | "Customer accept offer style" | Ransom negotiation UI |
| 聊天界面优化 | "Chat interface optimization" | Victim-operator chat |
| 支付状态样式增强 | "Payment status style enhancement" | Payment tracking UI |
| 支付区域玻璃态 | "Payment area glass effect" | Payment UI styling |
| 生成器表单玻璃态 | "Generator form glass effect" | Payload builder UI |
| 登录容器玻璃态增强 | "Login container glass effect enhancement" | Login UI styling |
| 导航栏玻璃态 | "Navigation bar glass effect" | Nav styling |
| 赛博朋克环绕动画效果 | "Cyberpunk orbiting animation effect" | Loading screen |
| 优化字体优先级 | "Optimize font priority" | Dev optimization note |
| 此处不需要重复 | "No need to repeat here" | Code dedup comment |
| 统一使用主样式表中的定义 | "Unified use of definitions from main stylesheet" | Architecture note |
Assessment: The depth and naturalness of these comments (including casual dev notes like "no need to repeat here") indicate a fluent Chinese speaker performing primary development, not a translation artifact. This is significant because:
- The operational language is Russian/English — the developer may be selling to Russian-speaking operators
- Chinese-developed ransomware panels are less common than Russian-developed ones in the RaaS ecosystem
- This could indicate a Chinese-speaking developer moonlighting in the Russian cybercrime ecosystem, or a cross-border collaboration
Russian-Speaking Operators (ASSESSED — MEDIUM Confidence)
Evidence: Full Russian UI translation with natural operational vocabulary. The Russian translation uses correct cybercrime terminology (ЦЕЛИ for targets, КОМНАТУ for [negotiation] room), suggesting the translator understands the operational context.
Panel Feature Analysis (from CSS Class Enumeration)
1. Ransomware Builder/Generator
- Classes: builder-card, builder-form, builder-hint, builder-actions, btn-builder, generator-form, generator-form-container, generator-glass, action-create_generator, action-delete_generator
- Assessment: Full payload generation system with create/delete capabilities. Affiliates can generate customized ransomware builds.
2. Deployment System
- Classes: btn-deploy
- Assessment: Direct deployment capability from the panel — one-click ransomware deployment.
3. Target Management
- Classes: target-id-code, target-type-badge
- Assessment: Each victim gets a unique Target ID (used for victim portal login) and type classification.
4. Victim Negotiation
- Classes: chat-glass, chat-header, chat-input, chat-message-glass, chat-messages, notification-room, sidebar-users
- Login: Victims enter via "CUSTOMER LOGIN" with their Target ID to "ENTER ROOM"
- Assessment: Real-time chat between affiliates and victims for ransom negotiation. Multiple simultaneous rooms with user sidebar.
5. Ransom Offer Workflow
- Classes: offer, offer-actions, offer-amount, offer-info, offer-time, pending-offer, type-offer
- Status flow: status-pending_customer_acceptance -> status-customer_rejected OR status-pending_admin_approval -> status-approved -> status-completed
- CSS comment: 客户接受报价样式 ("customer accept offer style")
- Assessment: Structured negotiation workflow with offer/counter-offer, admin approval gates, and completion tracking.
6. Payment System
- Classes: payment, payment-filters, payment-glass, payment-stats, type-payment
- Cryptocurrencies: BTC (Bitcoin), ZEC (Zcash), XMR (Monero) — shown in loading animation
- CSS comment: 支付状态样式增强 ("payment status style enhancement")
- Assessment: Multi-cryptocurrency payment processing with filtering and statistics.
7. Data Leak Site
- Classes: leak-card, leak-card-actions, leak-card-description, leak-card-header, leak-card-title, leak-category, leak-date, leak-file-icon, leak-file-info, leak-file-name, leak-file-size, leak-screenshots-preview, leak-stat-item, leak-stat-label, leak-stat-value, leak-stats-bar, leak-zoominfo, leak-zoominfo-title, leaks-filter-bar, leaks-grid
- Assessment: Full data leak publication system with:
- File listing (name, size, icon)
- Screenshot previews of stolen data
- ZoomInfo integration (likely for victim company enrichment/verification)
- Leak statistics and categorization
- Filtering and grid layout
8. Dashboard & Statistics
- Classes: dashboard-card, dashboard-card-glass, dashboard-grid
- Assessment: Operational dashboard with statistics cards — likely victim count, payment totals, active negotiations.
9. Download Management
- Classes: download-card, download-card-body, download-card-header, download-status, downloads-grid, btn-download, btn-download-full
- Assessment: File download system for ransomware builds and/or stolen data.
10. Notification System
- Classes: notification-badge, notification-bell, notification-card, notification-dropdown, notification-glass, notification-item, notification-room
- Assessment: Real-time notification system with bell indicator, dropdown, and per-room notifications.
11. User System
- Classes: nav-user-section, nav-username, avatar-upload-zone, avatar-preview-section
- Assessment: User profiles with avatar uploads — affiliates have customizable profiles.
12. Settings & Administration
- Classes: settings-tab-input, sidebar-glass, tab-nav
- Status classes: status-active, status-inactive, status-approved, status-rejected, status-pending, status-completed, status-failed, status-error, status-pending_admin_approval, status-pending_customer_acceptance, status-customer_rejected
- Assessment: Admin interface with tabbed settings and granular status management.
MITRE ATT&CK Mapping (Inferred from Panel Capabilities)
| Tactic | Technique | ID | Application |
|---|---|---|---|
| Resource Development | Acquire Infrastructure | T1583.003 | Tor hidden service for C2 and negotiations |
| Resource Development | Develop Capabilities | T1587.001 | Custom ransomware builder/generator |
| Execution | User Execution | T1204 | Ransomware payload deployment via panel |
| Impact | Data Encrypted for Impact | T1486 | Ransomware encryption (core function) |
| Impact | Data Manipulation | T1565 | Victim data exfiltration |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Data upload to panel for leak site |
| Collection | Data from Local System | T1005 | Stolen data with file listings |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 | Tor .onion for operator anonymity |
IOC Summary
Network Indicators
| Type | Value | Context |
|---|---|---|
| Onion Address | e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion | HYFLOCK RaaS panel |
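For the threat-intelligence sharing and tracker submissions recommended later in this report, the onion address is most useful in a machine-readable form. The following Python is an added example (not the report's or Breakglass Intelligence's own tooling): it refangs the defanged value from the table, validates that it has the shape of a v3 onion hostname, and wraps it in a STIX 2.1 indicator bundle carrying the standard TLP:WHITE marking. The indicator name and description are assumed wording; the bundle is built by hand with the standard library rather than the stix2 package.

```python
# Added example (not the report's own tooling): package the onion address
# from the IOC table as a STIX 2.1 indicator bundle for sharing.
import json
import re
import uuid
from datetime import datetime, timezone

# Defanged value copied from the IOC table.
HYFLOCK_ONION_DEFANGED = "e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion"

# Standard STIX 2.1 marking-definition id for TLP:WHITE (the report's TLP).
TLP_WHITE = "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"

# Report date, used as the indicator's valid_from.
REPORT_DATE = datetime(2026, 4, 3, tzinfo=timezone.utc)

# v3 onion services: 56 base32 characters followed by ".onion".
ONION_V3 = re.compile(r"^[a-z2-7]{56}\.onion$")


def refang(value: str) -> str:
    """Reverse [.] defanging so the value fits a machine-readable pattern."""
    return value.replace("[.]", ".")


def defang(value: str) -> str:
    """Defang a live value again for human-readable reporting."""
    return value.replace(".", "[.]")


def is_onion_v3(value: str) -> bool:
    """True when the (possibly defanged) value is a v3 onion hostname."""
    return ONION_V3.match(refang(value)) is not None


def stix_timestamp(when: datetime) -> str:
    """STIX timestamps are UTC, millisecond precision, 'Z' suffixed."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_onion_indicator(onion: str, name: str, description: str,
                         when: datetime = REPORT_DATE) -> dict:
    """Build a STIX 2.1 Indicator whose pattern matches the onion hostname.
    Rejects anything that is not a v3 onion so a typo cannot be shared."""
    if not is_onion_v3(onion):
        raise ValueError(f"not a v3 onion address: {onion}")
    ts = stix_timestamp(when)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{refang(onion)}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "object_marking_refs": [TLP_WHITE],
    }


def make_bundle(objects: list) -> dict:
    """Wrap SDOs in a STIX 2.1 bundle."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def build_hyflock_bundle() -> dict:
    """Bundle containing the single HYFLOCK network indicator (assumed wording)."""
    indicator = make_onion_indicator(
        HYFLOCK_ONION_DEFANGED,
        "HYFLOCK RaaS panel (Tor hidden service)",
        "Affiliate/victim panel of the HYFLOCK ransomware-as-a-service platform.",
    )
    return make_bundle([indicator])


def to_json(bundle: dict) -> str:
    """Serialize a bundle for submission or file exchange."""
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    print(to_json(build_hyflock_bundle()))
```

The v3 shape check matters because a defanged value copied from a report is easy to mangle; refusing to emit an indicator for a malformed hostname is cheaper than recalling a bad one from a sharing community.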
API Endpoints (for detection if C2 traffic is intercepted)
| Endpoint | Method | Purpose |
|---|---|---|
| /api/login | POST | Affiliate authentication |
| /api/customer-login | POST | Victim portal entry |
| /api/register | POST | Affiliate registration |
| /api/ddos-verify | POST | Anti-DDoS captcha verification |
| /api/captcha-refresh | GET | Captcha image refresh |
| /api/captcha-image/{id} | GET | Captcha image serving |
Web Fingerprints
| Indicator | Value |
|---|---|
| Page title (login) | "System Login - HYFLOCK" |
| Page title (register) | "Register Account - HYFLOCK" |
| Page title (verify) | "Verification - HYFLOCK" |
| Navbar text | "HYFLOCK RAAS PANEL" |
| Loading subtitle | "RAAS PANEL" |
| Copyright | "2025 HYFLOCK. All rights reserved." |
| Fonts | Orbitron + Rajdhani (self-hosted woff2) |
| CSS size | 8,112 lines, 190,755 bytes |
| CSS classes | 528 unique |
| Hidden form field | login_type=attacker |
| Victim form field | target_id |
Recommended Actions
Immediate (24-48 hours)
- Threat intelligence sharing: Distribute this report to CERT/CC, CISA, and relevant national CERTs. HYFLOCK is unreported and could have active victims.
- Ransomware tracker submission: Submit the onion address to RansomLook, Ransomware.live, and Ransom-DB for monitoring.
- ThreatFox submission: Submit the onion address as a RaaS panel IOC.
Short-term (1-2 weeks)
- Monitoring: Set up periodic checks of the .onion service for changes (new features, victim leak posts).
- Sample hunting: Monitor MalwareBazaar and VirusTotal for samples containing "hyflock" strings, the onion address, or the CSS fingerprint.
- Dark web monitoring: Search Russian-language cybercrime forums (XSS, Exploit, RAMP) for HYFLOCK recruitment posts or advertisements.
Medium-term (1-3 months)
- Behavioral rule development: If ransomware samples are obtained, develop YARA and Suricata rules for the specific ransomware family.
- Victim notification: If leak site content becomes publicly accessible, identify and notify affected organizations.
- Attribution development: Track Chinese-speaking RaaS developers in the Russian cybercrime ecosystem for potential pattern matching.
YARA Rules
rule HYFLOCK_RaaS_Panel_HTML {
meta:
author = "GHOST - Breakglass Intelligence"
date = "2026-04-03"
description = "Detects HYFLOCK RaaS panel HTML content"
tlp = "WHITE"
reference = "https://intel.breakglass.tech"
strings:
$title1 = "HYFLOCK" ascii wide
$title2 = "RAAS PANEL" ascii wide
$login_type = "login_type" ascii
$attacker = "value=\"attacker\"" ascii
$customer = "value=\"customer\"" ascii
$target_id = "target_id" ascii
$enter_room = "ENTER ROOM" ascii wide
$copyright = "2025 HYFLOCK" ascii wide
$ddos = "ddos-verify" ascii
condition:
3 of them
}
rule HYFLOCK_RaaS_CSS_Fingerprint {
meta:
author = "GHOST - Breakglass Intelligence"
date = "2026-04-03"
description = "Detects HYFLOCK RaaS panel CSS with Chinese developer comments"
tlp = "WHITE"
reference = "https://intel.breakglass.tech"
strings:
$cn1 = { E5 AE A2 E6 88 B7 E6 8E A5 E5 8F 97 E6 8A A5 E4 BB B7 E6 A0 B7 E5 BC 8F } // 客户接受报价样式
$cn2 = { E8 81 8A E5 A4 A9 E7 95 8C E9 9D A2 E4 BC 98 E5 8C 96 } // 聊天界面优化
$cn3 = { E6 94 AF E4 BB 98 E7 8A B6 E6 80 81 } // 支付状态
$cn4 = { E7 94 9F E6 88 90 E5 99 A8 E8 A1 A8 E5 8D 95 } // 生成器表单
$css1 = ".leak-zoominfo" ascii
$css2 = ".generator-glass" ascii
$css3 = ".chat-message-glass" ascii
$css4 = ".payment-glass" ascii
$css5 = ".status-pending_customer_acceptance" ascii
$css6 = ".status-customer_rejected" ascii
condition:
2 of ($cn*) or 4 of ($css*)
}
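Before the rules above are deployed, two things are worth checking: that the hex byte sequences in HYFLOCK_RaaS_CSS_Fingerprint really are the UTF-8 encodings of the comments they annotate (a single wrong byte silently disables a $cn string), and that the "2 of / 4 of / 3 of" thresholds behave as intended on near-miss content. The following Python is an added example (not the report's own tooling): it performs the encoding check and mirrors both rules' conditions in plain Python, run over constructed CSS and HTML snippets rather than captured panel files, so the thresholds can be exercised without a YARA install.

```python
# Added check for the two YARA rules above (not the report's own tooling).
# Confirms the hex patterns are the UTF-8 bytes of the annotated Chinese
# comments, then mirrors each rule's condition so the thresholds can be
# exercised on constructed samples without yara-python.

# Hex patterns copied from HYFLOCK_RaaS_CSS_Fingerprint, keyed by the
# comment text each one annotates.
CN_PATTERNS = {
    "客户接受报价样式": "E5 AE A2 E6 88 B7 E6 8E A5 E5 8F 97 E6 8A A5 E4 BB B7 E6 A0 B7 E5 BC 8F",
    "聊天界面优化": "E8 81 8A E5 A4 A9 E7 95 8C E9 9D A2 E4 BC 98 E5 8C 96",
    "支付状态": "E6 94 AF E4 BB 98 E7 8A B6 E6 80 81",
    "生成器表单": "E7 94 9F E6 88 90 E5 99 A8 E8 A1 A8 E5 8D 95",
}

# $css* strings from the CSS rule.
CSS_STRINGS = [
    ".leak-zoominfo", ".generator-glass", ".chat-message-glass",
    ".payment-glass", ".status-pending_customer_acceptance",
    ".status-customer_rejected",
]

# Strings from HYFLOCK_RaaS_Panel_HTML, with whether they carry 'wide'.
HTML_STRINGS = [
    ("HYFLOCK", True), ("RAAS PANEL", True), ("login_type", False),
    ('value="attacker"', False), ('value="customer"', False),
    ("target_id", False), ("ENTER ROOM", True), ("2025 HYFLOCK", True),
    ("ddos-verify", False),
]


def hex_pattern_bytes(pattern: str) -> bytes:
    """Convert a YARA hex string ("E5 AE A2 ...") to raw bytes."""
    return bytes.fromhex(pattern.replace(" ", ""))


def check_hex_patterns() -> dict:
    """Map each comment to True when the rule's hex bytes equal its UTF-8
    encoding. A False here means that $cn string could never match."""
    return {
        text: hex_pattern_bytes(hx) == text.encode("utf-8")
        for text, hx in CN_PATTERNS.items()
    }


def match_css_rule(data: bytes) -> bool:
    """Condition of HYFLOCK_RaaS_CSS_Fingerprint: 2 of ($cn*) or 4 of ($css*)."""
    cn_hits = sum(hex_pattern_bytes(hx) in data for hx in CN_PATTERNS.values())
    css_hits = sum(s.encode("ascii") in data for s in CSS_STRINGS)
    return cn_hits >= 2 or css_hits >= 4


def match_html_rule(data: bytes) -> bool:
    """Condition of HYFLOCK_RaaS_Panel_HTML: 3 of them. Strings marked
    'wide' also match their UTF-16LE form, as YARA would."""
    hits = 0
    for text, wide in HTML_STRINGS:
        if text.encode("ascii") in data or (wide and text.encode("utf-16-le") in data):
            hits += 1
    return hits >= 3


# Constructed samples (not captured from the panel).
SAMPLE_CSS = ("/* 统一色彩系统 */ .leak-zoominfo{} /* 客户接受报价样式 */ "
              ".generator-glass{} /* 聊天界面优化 */").encode("utf-8")
BENIGN_CSS = "/* 聊天界面优化 */ .payment-glass{} .chat-message-glass{}".encode("utf-8")
SAMPLE_HTML = ('<title>System Login - HYFLOCK</title>'
               '<input type="hidden" name="login_type" value="attacker">').encode("utf-8")
WIDE_HTML = "HYFLOCK RAAS PANEL ENTER ROOM".encode("utf-16-le")
BENIGN_HTML = '<title>Login</title><input name="target_id">'.encode("utf-8")

if __name__ == "__main__":
    print("hex patterns consistent:", check_hex_patterns())
    for label, fn, data in [("sample css", match_css_rule, SAMPLE_CSS),
                            ("benign css", match_css_rule, BENIGN_CSS),
                            ("sample html", match_html_rule, SAMPLE_HTML),
                            ("wide html", match_html_rule, WIDE_HTML),
                            ("benign html", match_html_rule, BENIGN_HTML)]:
        print(f"{label}: {'MATCH' if fn(data) else 'no match'}")
```

The benign CSS sample is deliberately a near miss (one Chinese comment and two class names), which is the case a threshold rule must not fire on; the UTF-16LE sample shows why the 'wide' modifier is kept on the strings that may appear in Windows string tables or wide-encoded resources.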
Suricata Rules
```
# HYFLOCK RaaS Panel Detection
# Note: These rules are designed for environments where Tor traffic is decrypted/proxied
# Each rule is written on a single line, as the Suricata rule parser requires.
alert http any any -> any any (msg:"BGI - HYFLOCK RaaS Panel Login Page Detected"; flow:established,to_client; content:"HYFLOCK"; http_server_body; content:"RAAS PANEL"; http_server_body; content:"login_type"; http_server_body; reference:url,intel.breakglass.tech; classtype:trojan-activity; sid:9000100; rev:1;)
alert http any any -> any any (msg:"BGI - HYFLOCK RaaS Affiliate Login Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/api/login"; http_uri; content:"login_type=attacker"; http_client_body; reference:url,intel.breakglass.tech; classtype:trojan-activity; sid:9000101; rev:1;)
alert http any any -> any any (msg:"BGI - HYFLOCK RaaS Victim Portal Access"; flow:established,to_server; content:"POST"; http_method; content:"/api/customer-login"; http_uri; content:"target_id"; http_client_body; reference:url,intel.breakglass.tech; classtype:trojan-activity; sid:9000102; rev:1;)
alert http any any -> any any (msg:"BGI - HYFLOCK RaaS Affiliate Registration"; flow:established,to_server; content:"POST"; http_method; content:"/api/register"; http_uri; reference:url,intel.breakglass.tech; classtype:trojan-activity; sid:9000103; rev:1;)
```
Limitations
- No panel access obtained: The DDoS captcha was not bypassed during this investigation. All findings are from unauthenticated reconnaissance.
- No malware samples: No ransomware samples attributed to HYFLOCK have been identified yet.
- No victim data: Without panel access, no victim information could be gathered.
- No clearnet mirrors identified: The service appears to operate exclusively on Tor.
- Attribution is circumstantial: Chinese developer origin is based on CSS comments; the operator may be a different individual or group.
Raw Evidence
All raw evidence is preserved in /home/ghost/investigations/onion-e5hdifgit6/raw/:
- root.html — Root page (302 redirect to /login)
- root_headers.txt — Full HTTP response headers
- login.html — English login page (30,495 bytes)
- login_ru.html — Russian login page (30,721 bytes)
- register.html — Registration page (9,495 bytes)
- ddos-verify.html — DDoS verification/captcha page (19,060 bytes)
- style.css — Full CSS stylesheet (190,755 bytes, 8,112 lines)
- fonts.css — Font face declarations
- admin.html — Admin redirect response (29 bytes — redirects to /login)
- captcha_sample.png — Sample captcha image
References
- No prior public reporting exists for HYFLOCK
- RansomLook ransomware group tracker: https://www.ransomlook.io/groups
- Ransomware.live tracker: https://www.ransomware.live/
- Ransom-DB tracker: https://www.ransom-db.com/ransomware-groups
GHOST — Breakglass Intelligence
"One indicator. Total infrastructure."
Investigation completed: 2026-04-03