Skip to content
Ransomware group

Morpheus

Morpheus is a ransomware and extortion operation reported in 2025.

Profile source: Ransomware.live opens in a new tab

Morpheus

Family profile

Morpheus is a ransomware and extortion operation reported in 2025. Its ransomware shares substantial code with HellCat, with reporting describing Morpheus as an updated version or rebrand. This profile excludes unrelated Android spyware using the same name.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

Reporting

Research mentioning Morpheus

Jun 14
Thecybersecguru

HDFC AMC Data Breach 2026: Morpheus, 680 GB & What It Means | The CyberSec Guru

Later that same day, the company received an email from an entity calling itself Morpheus, claiming it had extracted more than 680 GB of data and threatening to publish everything unless HDFC AMC contacted them within three days. As of June 10, 2026, nearly four weeks after the initial breach, Morpheus posted HDFC AMC as a victim on their onion dark web leak site.

Apr 28
Security Affairs

New Android spyware Morpheus linked to Italian surveillance firm

Osservatorio Nessuno exposed a new spyware called Morpheus, distributed through fake Android apps posing as updates. Once installed, it can steal extensive data from the infected devices.

Apr 24
Techcrunch Com Security

Another spyware maker caught distributing fake Android snooping apps | TechCrunch

Osservatorio Nessuno, an Italian digital rights organization that researches spyware, published a report on a new malware it calls Morpheus. The spyware, which masquerades as a phone updating app, is capable of stealing a broad range of data from an intended target’s device.

Apr 1
Barghest

CVE-2026-0073 Android adbd TLS client-authentication bypass

Osservatorio Nessuno’s April 2026 report on Morpheus describes Android spyware abusing Accessibility workflows to enable Developer options, turn on wireless debugging, and locally pair with adbd. We confirmed by reverse engineering that Morpheus did not use this vulnerability.

Feb 13
Cloudatg Insights

AI Development & Software Engineering | CloudATG

Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

Jan 6
Sentinelone

12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review

SentinelLABS researchers uncovered how HellCat and Morpheus ransomware operations were essentially two distinct brands deploying identical ransomware payloads, illustrating the commoditization and rebranding practices within the RaaS ecosystem.

Aug 14
Dragos

OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos

“...Morpheus… Each accounted for 1 incident…”

Aug 13
Medium S2wblog

Ransomware Landscape in H1 2025: Statistics and Key Issues | by S2W | S2W BLOG | Medium

SentinelOne analyzed the link between Morpheus and HellCat, which emerged in January 2025, and found that the ransomware binaries of the HellCat group and those of the Morpheus group are identical except for the DLS and contact email.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.