Ip
1 total46.17.42.64
Cephalus is a newly observed ransomware strain/group first reported in mid-2025 and seen in incidents in August 2025.
Profile source: Mallory opens in a new tabCephalus
Cephalus is a newly observed ransomware strain/group first reported in mid-2025 and seen in incidents in August 2025. It is described as financially motivated and has been associated with targeted intrusions in which operators breach victims, exfiltrate data, and then encrypt systems. Reported initial access commonly involved compromised RDP accounts without MFA. In observed incidents, attackers also used the MEGA cloud platform, likely for data exfiltration, and the ransom note provided a GoFile link and password as proof of stolen data. Cephalus has also been cited among emerging ransomware groups contributing to increased attacks in sectors including healthcare.
Technically, Cephalus is written in Go. In Huntress-observed incidents, it was launched via DLL sideloading using the legitimate SentinelOne executable SentinelBrowserNativeHost.exe, executed from a user Downloads directory, which loaded SentinelAgentCore.dll and then a data.bin payload containing the ransomware. One deployment was reportedly blocked when Microsoft Defender quarantined the file. The malware disables or weakens Microsoft Defender protections, including adding exclusions, modifying Defender-related registry keys, stopping and disabling services such as SecurityHealthService, Sense, WinDefend, and WdNisSvc, deleting Volume Shadow Copies with vssadmin delete shadows /all /quiet, and stopping services including Veeam and MSSQL to hinder recovery.
Cephalus includes anti-analysis and key-protection features. AhnLab reported that it generates a fake AES key string ("FAKE_AES_KEY_FOR_CONFUSION_ONLY!") repeatedly to mislead dynamic analysis. It encrypts files with a single AES-CTR key derived by repeated SHA-256 hashing of a random 32-byte value, and then encrypts that AES key with an embedded RSA public key. The malware uses memory-protection techniques including VirtualLock and XOR masking to reduce key exposure in memory or paging files. The ransom note is named recover.txt and is created in directories where encryption completes. Reported indicators associated with Cephalus include MD5 hashes 6221b0bf4d365454d40c546cf7133570 and a16a1228d5276eec526c21432a403923.
Ransomware.live
Ransomware.live
46.17.42.64Reporting
“Mid-volume Emerging Groups: … Cephalus… each accounted for 5 incidents.”
AhnLab looks at the new Cephalus ransomware, a strain first seen in August. The group leverages RDP accounts for initial access and operates a dark web leak site that hasn't been updated in more than two months, suggesting the group might have disbanded already.
Cephalus is a ransomware strain developed in Go. It disrupts dynamic analysis by generating a fake AES key. Upon execution, it disables Windows Defender’s real-time protection, deletes VSS backups, and stops key services such as Veeam and MSSQL...
By Q3 2025, newly emerged groups like “Beast,” “The Gentlemen,” and “Cephalus” fueled a 31% surge in attacks on organizations in the health care sector, surpassing established names like Qilin and Inc Ransom and showcasing that smaller groups, collectively, can be just as destructive as their prominent counterparts.
Additionally, two incidents involving the Cephalus ransomware variant were detected. This ransomware distinguishes itself by employing DLL sideloading through a legitimate SentinelOne executable, SentinelBrowserNativeHost.exe, to launch the payload.
A new ransomware strain going by the name of Cephalus has been spotted in the wild.
"In mid-August, we came across a ransomware variant called Cephalus in two separate incidents."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.