Morpheus
Morpheus is a ransomware and extortion operation reported in 2025.
Profile source: Ransomware.live opens in a new tabMorpheus
Family profile
Morpheus is a ransomware and extortion operation reported in 2025. Its ransomware shares substantial code with HellCat, with reporting describing Morpheus as an updated version or rebrand. This profile excludes unrelated Android spyware using the same name.
Ransomware.live
Operational record
Ransomware.live
Recent claims
Reporting
Research mentioning Morpheus
HDFC AMC Data Breach 2026: Morpheus, 680 GB & What It Means | The CyberSec Guru
Later that same day, the company received an email from an entity calling itself Morpheus, claiming it had extracted more than 680 GB of data and threatening to publish everything unless HDFC AMC contacted them within three days. As of June 10, 2026, nearly four weeks after the initial breach, Morpheus posted HDFC AMC as a victim on their onion dark web leak site.
New Android spyware Morpheus linked to Italian surveillance firm
Osservatorio Nessuno exposed a new spyware called Morpheus, distributed through fake Android apps posing as updates. Once installed, it can steal extensive data from the infected devices.
Another spyware maker caught distributing fake Android snooping apps | TechCrunch
Osservatorio Nessuno, an Italian digital rights organization that researches spyware, published a report on a new malware it calls Morpheus. The spyware, which masquerades as a phone updating app, is capable of stealing a broad range of data from an intended target’s device.
CVE-2026-0073 Android adbd TLS client-authentication bypass
Osservatorio Nessuno’s April 2026 report on Morpheus describes Android spyware abusing Accessibility workflows to enable Developer options, turn on wireless debugging, and locally pair with adbd. We confirmed by reverse engineering that Morpheus did not use this vulnerability.
AI Development & Software Engineering | CloudATG
Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads
12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review
SentinelLABS researchers uncovered how HellCat and Morpheus ransomware operations were essentially two distinct brands deploying identical ransomware payloads, illustrating the commoditization and rebranding practices within the RaaS ecosystem.
OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos
“...Morpheus… Each accounted for 1 incident…”
Ransomware Landscape in H1 2025: Statistics and Key Issues | by S2W | S2W BLOG | Medium
SentinelOne analyzed the link between Morpheus and HellCat, which emerged in January 2025, and found that the ransomware binaries of the HellCat group and those of the Morpheus group are identical except for the DLS and contact email.