Skip to content
Ransomware group

Cephalus

Cephalus is a newly observed ransomware strain/group first reported in mid-2025 and seen in incidents in August 2025.

Profile source: Mallory opens in a new tab

Cephalus

Family profile

Cephalus is a newly observed ransomware strain/group first reported in mid-2025 and seen in incidents in August 2025. It is described as financially motivated and has been associated with targeted intrusions in which operators breach victims, exfiltrate data, and then encrypt systems. Reported initial access commonly involved compromised RDP accounts without MFA. In observed incidents, attackers also used the MEGA cloud platform, likely for data exfiltration, and the ransom note provided a GoFile link and password as proof of stolen data. Cephalus has also been cited among emerging ransomware groups contributing to increased attacks in sectors including healthcare.

Technically, Cephalus is written in Go. In Huntress-observed incidents, it was launched via DLL sideloading using the legitimate SentinelOne executable SentinelBrowserNativeHost.exe, executed from a user Downloads directory, which loaded SentinelAgentCore.dll and then a data.bin payload containing the ransomware. One deployment was reportedly blocked when Microsoft Defender quarantined the file. The malware disables or weakens Microsoft Defender protections, including adding exclusions, modifying Defender-related registry keys, stopping and disabling services such as SecurityHealthService, Sense, WinDefend, and WdNisSvc, deleting Volume Shadow Copies with vssadmin delete shadows /all /quiet, and stopping services including Veeam and MSSQL to hinder recovery.

Cephalus includes anti-analysis and key-protection features. AhnLab reported that it generates a fake AES key string ("FAKE_AES_KEY_FOR_CONFUSION_ONLY!") repeatedly to mislead dynamic analysis. It encrypts files with a single AES-CTR key derived by repeated SHA-256 hashing of a random 32-byte value, and then encrypts that AES key with an embedded RSA public key. The malware uses memory-protection techniques including VirtualLock and XOR masking to reduce key exposure in memory or paging files. The ransom note is named recover.txt and is created in directories where encryption completes. Reported indicators associated with Cephalus include MD5 hashes 6221b0bf4d365454d40c546cf7133570 and a16a1228d5276eec526c21432a403923.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Ip

1 total
  • 46.17.42.64

Reporting

Research mentioning Cephalus

Dec 9
Dragos

Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos

“Mid-volume Emerging Groups: … Cephalus… each accounted for 5 incidents.”

Nov 7
Risky Biz Rss

Risky Bulletin: Europol arrests payment service executives for role in credit card fraud ring

AhnLab looks at the new Cephalus ransomware, a strain first seen in August. The group leverages RDP accounts for initial access and operates a dark web leak site that hasn't been updated in more than two months, suggesting the group might have disbanded already.

Nov 4
Ahnlab Asec

An Unerring Spear: Cephalus Ransomware Analysis - ASEC

Cephalus is a ransomware strain developed in Go. It disrupts dynamic analysis by generating a fake AES key. Upon execution, it disables Windows Defender’s real-time protection, deletes VSS backups, and stops key services such as Veeam and MSSQL...

Oct 8
ReliaQuest

Ransomware and Cyber Extortion in Q3 2025

By Q3 2025, newly emerged groups like “Beast,” “The Gentlemen,” and “Cephalus” fueled a 31% surge in attacks on organizations in the health care sector, surpassing established names like Qilin and Inc Ransom and showcasing that smaller groups, collectively, can be just as destructive as their prominent counterparts.

Sep 17
Bleeping Computer

From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques

Additionally, two incidents involving the Cephalus ransomware variant were detected. This ransomware distinguishes itself by employing DLL sideloading through a legitimate SentinelOne executable, SentinelBrowserNativeHost.exe, to launch the payload.

Sep 1
The Hacker News

⚡ Weekly Recap: WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More

A new ransomware strain going by the name of Cephalus has been spotted in the wild.

Aug 21
Huntress

Cephalus Ransomware: Don’t Lose Your Head | Huntress

"In mid-August, we came across a ransomware variant called Cephalus in two separate incidents."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.